root-me.org
Network Ch1 FTP - Authentication
Original challenge can be found at: https://www.root-me.org/en/Challenges/Network/FTP-authentication
This is an easy one: We get a pcap file, which can open in Wireshark.
First thing filter for FTP protocol to lessen the seen output. Second watch out for requests and responses that do so say something about login and password stuff. And there you go, boom! Just right there is the password. Piece of cake!
Network Ch2 - TELNET - Authentication
Original challenge can be found at: https://www.root-me.org/en/Challenges/Network/TELNET-authentication
This challenge is about telnet a veteran under the network protocols. So its security :=) even though you can often upgrade crypto via startTLS, if supported.
However: We supposed to uncover a username and password. So just filter for telnet and it has to contain password:
telnet contains Password
Ah, packet 59 there it is and the following packets are the password in clear text. Each packet has just a single character. But no worries it is a pretty short password. After that telnet contains just some Shell commands and can be ignored.
Network Ch3 - Raw Ethernet Frame
Original challenge can be found at: https://www.root-me.org/en/Challenges/Network/ETHERNET-frame
This challenge just gives you a raw hex dump of an Ethernet frame. Inside the frame the flag has to be found. The following represents the hex dump as supplied by the challenge.
00 05 73 a0 00 00 e0 69 95 d8 5a 13 86 dd 60 00
00 00 00 9b 06 40 26 07 53 00 00 60 2a bc 00 00
00 00 ba de c0 de 20 01 41 d0 00 02 42 33 00 00
00 00 00 00 00 04 96 74 00 50 bc ea 7d b8 00 c1
d7 03 80 18 00 e1 cf a0 00 00 01 01 08 0a 09 3e
69 b9 17 a1 7e d3 47 45 54 20 2f 20 48 54 54 50
2f 31 2e 31 0d 0a 41 75 74 68 6f 72 69 7a 61 74
69 6f 6e 3a 20 42 61 73 69 63 20 59 32 39 75 5a
6d 6b 36 5a 47 56 75 64 47 6c 68 62 41 3d 3d 0d
0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 73
61 6e 65 42 72 6f 77 73 65 72 0d 0a 48 6f 73 74
3a 20 77 77 77 2e 6d 79 69 70 76 36 2e 6f 72 67
0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d
0a
There are several options: The fastest: Just decode the whole hex dump to a string. The last few bytes will get you nearly to the answer. But I suggest a deeper dive. Therefore lets dissect the dump.
Hint: I know Ethernet has an preamble field, but this is not part of the packet. It starts right with the destination and source address.
We have 14 lines, the first 13 each 16 Bytes the last lines contains only one entry. We can transfer them to a .pcap file or work just on raw information from the dump. If we analyse the frame we see that the fist 14 Bytes are the exactly the size of an Ethernet frame, therefore it should be the Ethernet frame header. Taking a deeper look at:
00 05 73 A0 00 00
These are the destination address and as this is on link layer we are talking about MAC addresses. Thus the MAC address is 00:05:73:a0:00:00 first three hex values are the vendor specific part: 00 05 73 that tells us it is a CISCO device.
E0 69 95 D8 5A 13 86 DD
The above encodes the source address, likewise the destination address is a MAC address, that tells it is from PEGATRON CORPORATION (vendor part E06995).
The next two bytes declares the type field that will declare which protocol is run on the network layer. Thus 86 DD tells us it is an IPv6 packet! (Well they are really modernest guys at root-me ^^)
So as the IPv6 header is 40 Bytes long it starts from Bytes 12 onwards. The payload is 155 Bytes containing a TCP packet on the transport layer. Some features that can be extracted are the hops (TTL in IPv4, length of 8 Bit = 0-255) which is set to \(64 = 2^6\) They encoded a nice source address: 2607:5300:60:2abc::bade:c0de.
Next on is the transport layer with the TCP packet. The header tells us the source port is hex 96 74 or 38516 (as outgoing ports are random above ephemeral ports) and as the number is below IANA suggestions ranging from 49152 to 65535 it can be assumed that this is Linux (32768 to 60999) or FreeBSD (1024 to 5000 as ephemeral ports) system.
The destination port is 80 (hex 00 50) so the standard web port. Which makes sense, otherwise we have to handle TLS crypto stuff for HTTPs. But we also know what is waiting on the application layer: HTTP. All other field flags for TCP are 0 (hex 80 18). We skip the rest of TCP stuff - if you are interested go ahead and analyse it.
Okay: This is the final part you have waited for -- HTTP
47 45 54 20 2F 20 48 54 54 50
2F 31 2E 31 0D 0A 41 75 74 68 6F 72 69 7A 61 74
69 6F 6E 3A 20 42 61 73 69 63 20 59 32 39 75 5A
6D 6B 36 5A 47 56 75 64 47 6C 68 62 41 3D 3D 0D
0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 49 6E 73
61 6E 65 42 72 6F 77 73 65 72 0D 0A 48 6F 73 74
3A 20 77 77 77 2E 6D 79 69 70 76 36 2E 6F 72 67
0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D
0A
This is the HTTP part of the message. A http get invocation. First 3 Bytes for the request get method, followed one Byte for the URI (2f), then the request version HTTP/1.1.
Finally we have HTTP basic authorization:
41 75 74 68 6F 72 69 7A 61 74
69 6F 6E 3A 20 42 61 73 69 63 20 59 32 39 75 5A
6D 6B 36 5A 47 56 75 64 47 6C 68 62 41 3D 3D 0D
0A
Which we can decode to ASCII string Authorization: Basic HEREISSOMETHNG==\r\n The two equal signs tells us that this is base64 decoded. Via shell you can decode this:
base64 -d FILENAME
#or
echo "BASECODE==" | base64 -d
So now we have our flag and can get the points. Really nice challenge for beginners interested in networking. As you do analyse through the OSI model. It was fun to dig through this.
Network Ch4 Twitter Authentication
Original challenge can be found at: https://www.root-me.org/en/Challenges/Network/Twitter-authentication-101
We have to retrieve the password for a twitter session. As twitter sits on the application level and we got a pcap file, this should be pertty easy.
After opening the pcap file, we see its HTTP in the application layer. Thus if we further investigate we found the http.authorization section, with a basic authentication mechanism. And this means no real security the password is encoded via Base64. But also in clear text in the authorization section were it states the credentials.
Network Ch5 Bluetooth - Unknown file
Original challenge can be found at: https://www.root-me.org/en/Challenges/Network/Bluetooth-Unknown-file
This challenge goal is to find out MAC address and device name and calculate tha SHA1 value of the concatanation.
We get a binary file that is actually a BTSnoop file, if we run the file command we get:
file ch18.bin
ch18.bin: BTSnoop version 1, HCI UART (H4)
This file can be analyzed via Wireshark. Here comes the big advantag of Wireshark, after opening we can simply display the Bluetooth device.
This will get us the device name and the MAC address, which we simply have to concat and let SHA1 run over this string.
The MAC address is
0c:b3:19:b9:4f:c6
Device Name:
C6GT-S7390G
And now just put it into the termial like this:
echo "XXXXXXXXXXXXXXXXXXX" | sha1sum