Tag List
Sign In

Exfil

By: henry5534

28/11/2020

htbctf forensics steganography

Exfil

We are given a PCAP file that we can view in Wireshark, this contains a lot of packets, but none of these seem to contain much actual information. Giving it a closer look, it appears to be exfiltrating each bit of a character of various fields at a time.

It will sleep for three seconds if the bit is a 1, or return immediately if it is a 0. After some trial and error, we can select only the relevent packets by using the packet filter mysql.packet_length == 1, we can then save these and export these into a PCAP of their own.

We can then use a script to determine if the time between each request and response pair is either immediate or not. Python time!

from scapy.all import *

pcap = rdpcap(<file>)
m = ""

for i in range(0, len(p), 2):
    if p[i+1].time - p[i].time < 1:
        m += "0"
    else:
            m  += "1"

We can then print m, which is the series of bits making up the exfiltrated information

>>> m
'0110010001100010010111110110110100110011001100010011010000111001011100110110001101110010011001010110010101101110011100110110100001101111011101000111001100101100011101010111001101100101011100100111001101101001011001000010110001110101011100110110010101110010001011000111000001100001011100110111001101110111011011110111001001100100011000010110010001101101011010010110111001001000010101000100001001111011011000100011000101110100010111110111001101101000001100010110011001110100001100010110111001100111010111110011001101111000011001100011000101101100010111110011000101110011010111110110001100110000001100000110110001111101'

We can then convert this to ASCII using CyberChef with this recipe&input=MDExMDAxMDAwMTEwMDAxMDAxMDExMTExMDExMDExMDEwMDExMDAxMTAwMTEwMDAxMDAxMTAxMDAwMDExMTAwMTAxMTEwMDExMDExMDAwMTEwMTExMDAxMDAxMTAwMTAxMDExMDAxMDEwMTEwMTExMDAxMTEwMDExMDExMDEwMDAwMTEwMTExMTAxMTEwMTAwMDExMTAwMTEwMDEwMTEwMDAxMTEwMTAxMDExMTAwMTEwMTEwMDEwMTAxMTEwMDEwMDExMTAwMTEwMTEwMTAwMTAxMTAwMTAwMDAxMDExMDAwMTExMDEwMTAxMTEwMDExMDExMDAxMDEwMTExMDAxMDAwMTAxMTAwMDExMTAwMDAwMTEwMDAwMTAxMTEwMDExMDExMTAwMTEwMTExMDExMTAxMTAxMTExMDExMTAwMTAwMTEwMDEwMDAxMTAwMDAxMDExMDAxMDAwMTEwMTEwMTAxMTAxMDAxMDExMDExMTAwMTAwMTAwMDAxMDEwMTAwMDEwMDAwMTAwMTExMTAxMTAxMTAwMDEwMDAxMTAwMDEwMTExMDEwMDAxMDExMTExMDExMTAwMTEwMTEwMTAwMDAwMTEwMDAxMDExMDAxMTAwMTExMDEwMDAwMTEwMDAxMDExMDExMTAwMTEwMDExMTAxMDExMTExMDAxMTAwMTEwMTExMTAwMDAxMTAwMTEwMDAxMTAwMDEwMTEwMTEwMDAxMDExMTExMDAxMTAwMDEwMTExMDAxMTAxMDExMTExMDExMDAwMTEwMDExMDAwMDAwMTEwMDAwMDExMDExMDAwMTExMTEwMQ), which gives us the flag: HTB{b1t_sh1ft1ng_3xf1l_1s_c00l}