Tags: exfiltration icmp wireshark 

Rating: 5.0

The data was exfil'd in the data section of ICMP packets. If you open the pcap in Wireshark and filter by `data`, you'll see this:

The `no response found` packets are not normal and are a bit sus. Click on one and you'll see data that looks like this:

We see data in the form `data:1:39:some-hex`. If you click through them, you'll notice that the first section is either `data` or `checksum`. `data` means data is being sent and `checksum` means it's the last exfil packet with the checksum of the entire data. The 2nd section is just the sequence number of the exfil packet and the 3rd section is the total number of data packets.

Here's a quick script to scrape out the data (the hex from every `data` packet is concatenated and decoded once the `checksum` packet arrives):

```python
from scapy.all import sniff, ICMP, Raw
import binascii

last_seqn = 0
result = ""

def get_payload(x):
    global last_seqn
    global result

    # only ICMP packets that actually carry a payload are interesting
    if ICMP not in x or Raw not in x:
        return

    load = x[Raw].load.decode(errors="ignore")

    # payload format: <data|checksum>:<seq>:<total>:<hex>
    split = load.split(":")
    exfil = split[0]
    if exfil == 'data' or exfil == 'checksum':
        seqn = int(split[1])
        total = int(split[2])
        data = split[3]

        # ignore a retransmitted copy of the packet we just saw
        if seqn == last_seqn:
            return
        last_seqn = seqn

        if exfil == "checksum":
            # last packet: its payload is the checksum of the whole transfer,
            # so everything collected so far is the complete file
            print("checksum packet %d (total data packets: %d): %s" % (seqn, total, data))
            with open('out', "wb") as outf:
                outf.write(binascii.unhexlify(result))
        else:
            result += data

sniff(offline='exfil.pcapng', filter="icmp", prn=get_payload)
```
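As an added example (not part of the original writeup or the challenge author's code), here is a scapy-free reassembler for the same `kind:seq:total:hex` format. It goes a bit beyond the capture above: the payloads are constructed in-line, delivered out of order and with a duplicate, and the function reports which sequence numbers never arrived, which is the check you want when a real capture is lossy. The checksum value in the sample is a constructed placeholder, since the page does not say how it is computed.

```python
import binascii

# Constructed sample payloads (not from the challenge pcap) in the writeup's
# "<kind>:<seq>:<total>:<hex>" format. The hex encodes "port = 3306\n" split
# across three packets, delivered out of order, with seq 2 sent twice.
SAMPLE_PAYLOADS = [
    "data:2:3:7274203d20",     # "rt = "
    "data:1:3:706f",           # "po"
    "data:2:3:7274203d20",     # duplicate of seq 2
    "data:3:3:333330360a",     # "3306\n"
    "checksum:4:3:deadbeef",   # placeholder checksum value (constructed)
]

def parse_payload(load):
    """Return (kind, seq, total, hexdata) or None if this is not an exfil payload."""
    parts = load.split(":", 3)
    if len(parts) != 4 or parts[0] not in ("data", "checksum"):
        return None
    try:
        return parts[0], int(parts[1]), int(parts[2]), parts[3]
    except ValueError:
        return None

def reassemble(payloads):
    """Rebuild the exfiltrated bytes from payload strings in any order.

    Returns (data_bytes, checksum_hex, missing_seqs). Duplicates collapse
    because chunks are keyed by sequence number; the total field tells us
    which sequence numbers should exist, so gaps can be reported.
    """
    chunks = {}
    total = None
    checksum = None
    for load in payloads:
        parsed = parse_payload(load)
        if parsed is None:
            continue                     # ordinary ping payload, skip it
        kind, seq, tot, hexdata = parsed
        total = tot
        if kind == "checksum":
            checksum = hexdata           # trailer packet, carries no file data
        else:
            chunks[seq] = hexdata
    if total is None:
        return b"", None, []
    missing = [s for s in range(1, total + 1) if s not in chunks]
    hexstr = "".join(chunks[s] for s in sorted(chunks))
    return binascii.unhexlify(hexstr), checksum, missing

if __name__ == "__main__":
    data, checksum, missing = reassemble(SAMPLE_PAYLOADS)
    print(data.decode(), "checksum:", checksum, "missing:", missing)
```

To use it on a real capture, feed `reassemble()` the decoded `Raw` payload of each ICMP packet instead of `SAMPLE_PAYLOADS`; a non-empty `missing` list means the file on disk will have holes.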

Contents of the `out` file:

```
$ cat out
password = PCTF{n0t_4_v3ry_sn34ky_3xf1l}
port = 3306
socket = /run/mysqld/mysqld.sock

port = 3306
```

Looks like an SQL database config file with the flag as the password.

Original writeup (https://github.com/NihilistPenguin/PatriotCTF2022-Writeups/blob/main/Forensics/Exfil.md).