This post spoils a CTF challenge … Don’t read if you want to try it !

Sogeti CTF was a qualifier for the Sogeti Cyber E-Scape. I could not find a team to participate in this event, so I played alone and finally managed to find a team for the final :)

[+] Presentation

We are given an .iso file (USB.iso), which is the USB stick dump in which the flag is hidden.

presentation

Let’s mount and explore it.

presentation2

.PNG and notes.txt files are not important here, but let’s dig into backup.zip.

backup presentation

challenge_network.pcapng is a network capture, and challenge_network.keys contains keys usually used to decrypt HTTPS traffic.
Let’s analyse this network capture with Wireshark.

[+] Network analysis

After filtering ARP pollution, we can see that this capture is mainly with TLS (probably HTTPS) and IRC (a chat protocol) traffic.

network

As the IRC traffic is not encrypted, let’s analyse it first.

network2

Right click > Follow TCP stream

By reading the chat (french baguette only), we can understand that the https://192.168.56.1/secret.zip contains the flag. This archive is not available on the Internet and is password protected, but one of the IRC users downloaded it, and said that the archive password is ‘easy to guess’.
With the help of the previously discovered keys, we can decrypt the TLS traffic and find the secret.zip archive.

network3

Edit > Preferences > Protocols > SSL > Pre-Master-Secret secret log filename

This secret.zip archive is protected by a simple password, so let’s try to bruteforce it with the rockyou.txt wordlist.

zip

We have the password, so let’s flag now.

zip

Flag : SCE{Th1s_1s_our_n3w_k3y-w0rd}

[+] Bye

Feel free to tell me what you think about this post :)