In this blog series, we attempt to complete a Capture The Flag (CTF) challenge posted by The Honeynet Project using Gigasheet. While the challenge is quite dated (2015), the analysis techniques we showcase in this blog are still relevant today.
The challenge is called "Weird Python" and is available for public download through The Honeynet Project's website. It presents a series of twelve questions that one must answer by analyzing a packet capture file. Part 1 of this blog provides the analysis methodology to find the answers to questions 1 and 2. Check back for Part 2, where we continue to solve the challenge questions.
Follow along with our public sheet located here!
Below is the challenge excerpt, copied from honeynet.org.
"Your boss John went to a BYOD conference lately. Yeah, he's that kind of security guy… After some mumble about targeted attacks happening during the event, your team finally got their hands on a PCAP with his traffic. Your colleague Pete Galloway investigated the incident. Yesterday, he casually mentioned that he found some weird Python bytecode, but couldn't make much sense out of "random" payloads yet. Today, Pete didn't come to work. Five minutes ago, he sent a company-wide mail with a total of four words: "F*** you, I quit. ". What has happened!?"
The questions we answer in this blog are:
Question 1: BYOD seems to be a very interesting topic. What did your boss do during the conference?
We begin the analysis by uploading the PCAP file to Gigasheet and scanning through its contents.
We can see the timestamp in the FRAME.TIME_EPOCH column is in Unix time format, which we can translate to CDT (or other time zones) using the Convert Unix time function. Gigasheet then adds a new column labeled FRAME.TIME_EPOCH-UTC, which includes the translated time.
We can see at first glance that most of the traffic is HTTPS over 443, which may not be very useful due to being encrypted. We can add a filter to the INFO column to exclude "443 →" and "→ 443", which hides sent and received traffic over port 443. We also want to exclude any rows displaying "Application Data," in the INFO column, which provides little value for now.
We can continue filtering out data that may not be useful by right-clicking the data object and selecting "Filter to exclude this".
After several rounds of filtering, we start seeing some interesting traffic, including DNS queries and HTTP requests/responses.
On rows 204-205, we can see a DNS query and response for www.reddit.com, which may help answer the first challenge question. We can flag these rows as "Suspicious" to make them easier to find in future analyses. The DNS request comes from 172.16.254.128, which is an Internet gateway.
Scrolling down to row 619, we can see that the boss accessed a webpage, and closer inspection of the HTML close reveals that website's title: "reddit: the front page of the internet"
On rows 5028-5029, we see a DNS query and response for www.thewayoftheninja.org, returning IP address 184.108.40.206.
In rows 5033-5041, we see an HTTP GET request to the IP address of www.thewayoftheninja.org (220.127.116.11), followed by an HTTP 200 OK response from the server in row 5041. The response includes a webpage titled: "The Way of the Ninja: the Official Site of N and N+".
We now have enough information to answer the first question:
What did the boss do during the conference? Among other things, the boss was browsing Reddit and online game sites.
Question 2: What method did the attacker use to infect your boss? Which systems (i.e. IP addresses) are involved?
A deeper analysis of the HTML code returned by 18.104.22.168 in row 5041 reveals that www.thewayoftheninja.org hosts several games for download, as indicated by the HTML code below:
<...alt="N, the free flash game that started it all. Download it here!">
<...alt="N+XBLA released February 20th 2008. Download it now!">
To determine whether the boss downloaded anything from this website, we filter the INFO column for HTTP GET requests, which leads us to row 5675, where the boss downloads Nv2-PC.zip from 22.214.171.124.
Since the user initially communicated with IP address 126.96.36.199, we need to ensure that the two IP addresses, 188.8.131.52 and 184.108.40.206, relate to the same user action. We undo the filters and search Nv2-PC.zip using the search function to find the beginning of the session.
In rows 5668-5669 and 5671-5672, we see a series of DNS queries and responses for www.harveycartel.org, returning IP addresses 220.127.116.11 and 18.104.22.168, followed by the Nv2-PC.zip file download.
Searching www.harveycartel.org using the search function leads to row 5424, where we see a link to hxxp://www.harveycartel.org/nv2/Nv2-PC.zip in the initial website visited by the user.
We can now answer the second question:
Question 2: What method did the attacker use to infect the boss' computer? List the IP addresses.
The method appears to be a malicious program, likely a trojan. The IP addresses involved in this activity are 22.214.171.124, 126.96.36.199, and 188.8.131.52.
Continue the hunt with for Part 2 of our three blog series.