## Transfer
Writeup by @auscompgeek.

> I was sniffing some web traffic for a while, I think I finally got something interesting. Help me find flag through all these packets.
>
> net_756d631588cb0a400cc16d1848a5f0fb.pcap

Let's cut to the chase.

The provided pcap contains a TCP connection from 192.168.15.133 to 192.168.15.135:80.
There are no packets from 192.168.15.135, besides ACKs, in this connection.

The first PSH packet in the connection contains some Python:
```python
import string
import random
from base64 import b64encode, b64decode

FLAG = 'flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}'

enc_ciphers = ['rot13', 'b64e', 'caesar']
# dec_ciphers = ['rot13', 'b64d', 'caesard']

def rot13(s):
    _rot13 = string.maketrans(
        "ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz",
        "NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
    return string.translate(s, _rot13)

def b64e(s):
    return b64encode(s)

def caesar(plaintext, shift=3):
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def encode(pt, cnt=50):
    tmp = '2{}'.format(b64encode(pt))
    for cnt in xrange(cnt):
        c = random.choice(enc_ciphers)
        i = enc_ciphers.index(c) + 1
        _tmp = globals()[c](tmp)
        tmp = '{}{}'.format(i, _tmp)

    return tmp

if __name__ == '__main__':
    print encode(FLAG, cnt=?)
```

The rest of the TCP stream contains the ciphertext, which begins with
`2Mk16Sk5iakYxVFZoS1RsWnZXbFZaYjFaa1prWmFkMDVWVGs1U2IyODFXa1ZuTUZadU1Y`.
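
One way to pull the client-to-server bytes out of a capture like this without a GUI, as an added example that is not part of the original writeup. It assumes a classic pcap file (not pcapng) with Ethernet framing, a single connection between the two hosts, and no sequence-number wraparound; `client_payload`, `make_frame`, `make_pcap`, port 40000 and the sample bytes are constructed for the demo.

```python
import socket
import struct

def client_payload(pcap, src, dst, dport):
    """Reassemble the src -> dst:dport TCP payload from a classic Ethernet pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    want = (socket.inet_aton(src), socket.inet_aton(dst), dport)
    segments, off = {}, 24                       # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                             # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total_len]     # total_len drops Ethernet padding
        if len(tcp) < 20:
            continue
        _sport, dp, seq = struct.unpack("!HHI", tcp[:8])
        data = tcp[(tcp[12] >> 4) * 4:]
        if (frame[26:30], frame[30:34], dp) == want and data:
            segments.setdefault(seq, data)       # first copy of a retransmission wins
    return b"".join(segments[s] for s in sorted(segments))

# Everything below is constructed test data, not taken from the challenge capture.
def make_frame(src, dst, sport, dport, seq, data, pad=0):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + data + b"\x00" * pad

def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

C, S = "192.168.15.133", "192.168.15.135"
SAMPLE = make_pcap([
    make_frame(C, S, 40000, 80, 1000, b"", pad=6),           # padded bare ACK
    make_frame(C, S, 40000, 80, 1014, b"2Mk16Sk5"),          # arrives out of order
    make_frame(C, S, 40000, 80, 1000, b"import string\n"),
    make_frame(S, C, 80, 40000, 5000, b"", pad=6),           # server only ACKs
    make_frame(C, S, 40000, 80, 1000, b"import string\n"),   # retransmission
])
```

On a real capture, the bytes after the Python source in the returned payload are what the solution below reads from `net-encoded.txt`.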

The provided Python code first base64-encodes the plaintext and prepends '2' to the result,
then goes into a loop. For each iteration of the loop:

1. pick a random cipher from rot13, base64, and a Caesar shift of 3;
2. perform the cipher on the current `tmp`; then
3. prepend the cipher index (1 for rot13, 2 for base64, 3 for Caesar) to `tmp`.

All three ciphers are trivially reversible, and the index at the front of each
layer says which cipher was used for that iteration, so reversing the algorithm
is straightforward.

### Solution
```python
#!/usr/bin/env python2

import string
import random
from base64 import b64encode, b64decode

FLAG = open('net-encoded.txt').read()

enc_ciphers = ['rot13', 'b64e', 'caesar']
dec_ciphers = ['rot13', 'b64d', 'caesard']

def rot13(s):
    # rot13 is its own inverse, so it appears in both cipher lists.
    _rot13 = string.maketrans(
        "ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz",
        "NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
    return string.translate(s, _rot13)

def b64e(s):
    return b64encode(s)

def b64d(s):
    return b64decode(s)

def caesar(plaintext, shift=3):
    # Only lowercase letters are shifted; digits and uppercase pass through.
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def caesard(ciphertext, shift=3):
    # Undo the Caesar shift by shifting the other way.
    return caesar(ciphertext, shift=-shift)

def encode(pt, cnt=50):
    tmp = '2{}'.format(b64encode(pt))
    for cnt in xrange(cnt):
        c = random.choice(enc_ciphers)
        i = enc_ciphers.index(c) + 1
        _tmp = globals()[c](tmp)
        tmp = '{}{}'.format(i, _tmp)

    return tmp

def decode(ct):
    # Each layer starts with its cipher index; peel layers until none is left.
    while ct[0].isdigit():
        i = int(ct[0]) - 1
        c = dec_ciphers[i]
        ct = globals()[c](ct[1:])
    return ct

if __name__ == '__main__':
    print decode(FLAG)
```

Our final flag is `flag{li0ns_and_tig3rs_4nd_b34rs_0h_mi}`.

Original writeup (https://github.com/hypnosec/writeups/blob/master/2015/csaw-ctf/forensics/transfer.md).