Prompt
The hackers have created their own custom protocol for private communication. Luckily, our analysts have managed to obtain the documentation describing the protocol. Use the provided capture to answer the following questions about a custom protocol hackers have created.
You can read this guide to learn more about computer networking.
Walk-Through
The communication between the client and server contains three types of messages: Initialization, Hash Request, and Hash Response. A connection starts with the client sending an Initialization message, which contains the number of Hash Requests the client intends to make. The server then sends the length of its response. The client then sends its Hash Requests to the server. After all of the Hash Requests have been received, the server completes its single Hash Response by sending the hashes of all of the data the client sent.
Initialization (Client -> Server)
- N - A 4-byte integer in network byte order that represents the number of Hash Requests that will be sent.
Hash Request (Client -> Server)
- Check - A fixed 2-byte integer in network byte order that verifies the integrity of the message.
- Len - A 4-byte integer in network byte order that represents the length of the data in bytes.
- Data - The data that will be hashed.
Hash Response (Server -> Client)
- Count - The length of the data, in bytes, that follows.
- Hashes - The hashes requested by the client. Each hash is in the form of a fixed-length chunk. These hashes are in the same order that the requests were made.
Questions 1 – 3 can be solved by filtering the packet capture down to just the custom protocol. The packet capture contains both SSH and HTTP traffic, so the filter tcp && !(tcp.port == 22) && !(tcp.port == 80) will help remove that noise. From there, the first packet will show the client establishing a connection with the server.
Questions 4 – 11 can be solved by following the TCP stream for the first filtered packet and viewing the data as a hex dump. As per the protocol specification, the first 4 bytes represent the number of requests (5), and the next two bytes are the 2-byte magic number check. Once the 2-byte check has been sent, the length of the request follows. For the first request, this length is 0x58, or 88 in decimal. For the second request, which you can identify by the second occurrence of 0x0417, the length is 0x48, or 72 in decimal. The hash length can be determined by dividing the response length advertised by the server (0xa0, or 160 in decimal) by the total number of requests (5), yielding 32 bytes. Once each hash is known to be 32 bytes, the first hash is the first 32 bytes of the response and the second hash is the next 32 bytes. In this packet capture, the hidden flag is sent by the client: any of the hash requests can be base64 decoded to reveal the hidden flag.
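As an added example (not part of the original walk-through), a small Python parser that applies the specification above to both directions of the stream: it checks the 2-byte magic value, walks the Len/Data pairs, derives the hash size as Count divided by N exactly as the walk-through does, and base64-decodes a request payload. The 4-byte size of Count and the sample streams are assumptions; the hash bytes are constructed filler, not real hashes.

```python
import base64
import struct

MAGIC = 0x0417  # the 2-byte check value the walk-through points out in the capture

def parse_client_stream(data: bytes) -> list[bytes]:
    """Parse Initialization (N) followed by N Hash Requests (Check, Len, Data)."""
    (n,) = struct.unpack("!I", data[:4])
    off, requests = 4, []
    for i in range(n):
        check, length = struct.unpack("!HI", data[off:off + 6])
        if check != MAGIC:
            raise ValueError(f"request {i}: bad check 0x{check:04x}")
        off += 6
        payload = data[off:off + length]
        if len(payload) != length:
            raise ValueError(f"request {i}: truncated, expected {length} bytes")
        requests.append(payload)
        off += length
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes after last request")
    return requests

def parse_server_stream(data: bytes, n_requests: int) -> list[bytes]:
    """Split the Hash Response into Count/N fixed-size hashes (Count assumed 4-byte, network order)."""
    (count,) = struct.unpack("!I", data[:4])
    hashes = data[4:4 + count]
    if len(hashes) != count or n_requests == 0 or count % n_requests:
        raise ValueError("Count does not match the advertised number of requests")
    size = count // n_requests
    return [hashes[i:i + size] for i in range(0, count, size)]

def decode_request(payload: bytes) -> bytes:
    """The walk-through notes the request data is base64; decode it to recover the text."""
    return base64.b64decode(payload, validate=True)

def build_sample_capture() -> tuple[bytes, bytes]:
    """Constructed sample streams (not from the challenge pcap): two requests, 32-byte hashes."""
    payloads = [base64.b64encode(b"flag{constructed-sample}"), base64.b64encode(b"second")]
    client = struct.pack("!I", len(payloads))
    for p in payloads:
        client += struct.pack("!HI", MAGIC, len(p)) + p
    fake_hashes = b"".join(bytes([i]) * 32 for i in range(1, len(payloads) + 1))
    server = struct.pack("!I", len(fake_hashes)) + fake_hashes
    return client, server

if __name__ == "__main__":
    c, s = build_sample_capture()
    print([decode_request(r) for r in parse_client_stream(c)], parse_server_stream(s, 2))
```

Point parse_client_stream at the bytes of the client-to-server direction of the followed stream and parse_server_stream at the server-to-client direction; a wrong magic or a Count that does not divide evenly by N raises instead of silently misaligning the hashes.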
Questions
What is the IP address of the server?
What is the IP address of the client?
What port is the server listening on?
What is the magic 2-byte ID in decimal representation?
How many encrypt requests were made by the client?
What is the length of the first encrypt request?
What is the length of the second encrypt request?
How large is an individual encrypt hash in bytes?
What was the encrypt response in hexadecimal form (e.g. FFFF) for the first request?
What was the encrypt response in hexadecimal form (e.g. FFFF) for the second request?
What is the hidden flag being sent over the protocol?
©️ 2024 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.