Given a packet capture named udopee.pcap, we can use tshark to look at the protocol hierarchy of the traffic.

```
» tshark -r udopee.pcap -qz io,phs
===================================================================
Protocol Hierarchy Statistics
Filter:

frame frames:16 bytes:1691
eth frames:16 bytes:1691
ip frames:16 bytes:1691
udp frames:16 bytes:1691
data frames:16 bytes:1691
===================================================================

» tshark -r udopee.pcap
1 0.000000 37.47.130.101 → 192.168.2.211 UDP 60 28849 → 10000 Len=10
2 0.000267 192.168.2.211 → 37.47.130.101 UDP 44 10000 → 28849 Len=2
3 0.076809 37.47.130.101 → 192.168.2.211 UDP 92 28849 → 10000 Len=50
4 3.556865 37.47.130.101 → 192.168.2.211 UDP 104 28849 → 10000 Len=62
5 3.557187 192.168.2.211 → 37.47.130.101 UDP 104 10000 → 28849 Len=62
6 3.620418 37.47.130.101 → 192.168.2.211 UDP 96 28849 → 10000 Len=54
7 3.620422 37.47.130.101 → 192.168.2.211 UDP 181 28849 → 10000 Len=139
8 3.620672 192.168.2.211 → 37.47.130.101 UDP 96 10000 → 28849 Len=54
9 3.622263 37.47.130.101 → 192.168.2.211 UDP 181 28849 → 10000 Len=139
10 3.622450 192.168.2.211 → 37.47.130.101 UDP 96 10000 → 28849 Len=54
11 3.632204 37.47.130.101 → 192.168.2.211 UDP 169 28849 → 10000 Len=127
12 3.632420 192.168.2.211 → 37.47.130.101 UDP 96 10000 → 28849 Len=54
13 15.957341 37.47.130.101 → 192.168.2.211 UDP 96 28849 → 10000 Len=54
14 15.957695 192.168.2.211 → 37.47.130.101 UDP 96 10000 → 28849 Len=54
15 15.970786 37.47.130.101 → 192.168.2.211 UDP 96 28849 → 10000 Len=54
16 16.012801 37.47.130.101 → 192.168.2.211 UDP 84 28849 → 10000 Len=42

» tshark -r udopee.pcap -x | tail -8
0000 52 54 00 78 6c 48 00 13 3b 5a 02 a5 08 00 45 00 RT.xlH..;Z....E.
0010 00 46 73 c3 40 00 32 11 69 d4 25 2f 82 65 c0 a8 .Fs.@.2.i.%/.e..
0020 02 d3 70 b1 27 10 00 32 0f d6 01 00 45 00 00 28 ..p.'..2....E..(
0030 00 00 40 00 40 06 26 ce 0a 00 00 02 0a 00 00 01 ..@.@.&.........
0040 e3 0e 05 39 12 53 52 f9 00 00 00 00 50 04 00 00 ...9.SR.....P...
0050 4e 4a 00 00 NJ..
```

Here we find that the majority of the packets are UDP and that every one of them carries a data field. Furthermore, the data itself starts with a byte pattern that looks like an IPv4 header (\x45\x00), which led us to believe that this is indeed tunneled traffic.

Returning to the challenge description, it states that the traffic is tunneled with the udptunnel tool. Normally the original IPv4 bytes would sit directly inside udp.data; in this case, however, there are 2 reserved bytes preceding the actual IPv4 bytes.

There are several ways to extract the original traffic, for example with tools like editcap or scapy. With editcap, we simply remove the unneeded bytes: the outer IPv4 and UDP headers plus the 2 reserved data bytes, i.e. 30 bytes starting at offset 14, right after the Ethernet header.

```
» editcap -C 14:30 udopee.pcap orig.pcap
» tshark -r orig.pcap | head -5
1 0.000000 SpeedDra_5a:02:a5 → RealtekU_78:6c:48 IPv4 60 Bogus IPv4 version (7, must be 4)
2 0.000267 RealtekU_78:6c:48 → SpeedDra_5a:02:a5 IPv4 44 [Packet size limited during capture]
3 0.076809 fe80::57a1:a0e:ae18:7b31 → ff02::2 ICMPv6 92 Router Solicitation
4 3.556865 10.0.0.2 → 10.0.0.1 TCP 104 58126 → 1337 [SYN] Seq=0 Win=65535 Len=0 MSS=256 SACK_PERM TSval=1038421218 TSecr=0 WS=128
5 3.557187 10.0.0.1 → 10.0.0.2 TCP 104 1337 → 58126 [SYN, ACK] Seq=0 Ack=1 Win=65392 Len=0 MSS=256 SACK_PERM TSval=4207905439 TSecr=1038421218 WS=128

» tshark -r orig.pcap -qz io,phs
===================================================================
Protocol Hierarchy Statistics
Filter:

frame frames:16 bytes:1691
eth frames:16 bytes:1691
ip frames:15 bytes:1647
ipv6 frames:1 bytes:92
icmpv6 frames:1 bytes:92
tcp frames:13 bytes:1495
data frames:3 bytes:531
_ws.short frames:1 bytes:44
===================================================================
```
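The same de-encapsulation step as an added example in plain Python, not code from the original writeup and not using scapy: it walks a classic libpcap file, cuts the 30 bytes that `editcap -C 14:30` removes from each frame, and checks whether an IPv4 header is left behind (the handshake frames with 2-byte or 10-byte payloads are not, which is why tshark flags them as bogus). The sample capture is constructed from the hex dump above, so the script runs offline.

```python
import struct

ETH_LEN = 14
# Outer IPv4 (20) + UDP (8) + udptunnel's two reserved bytes (2) = the 30-byte span "editcap -C 14:30" removes.
CHOP_LEN = 20 + 8 + 2

def strip_udptunnel(frame: bytes) -> bytes:
    """Keep the Ethernet header, drop the outer IPv4/UDP/reserved bytes."""
    return frame[:ETH_LEN] + frame[ETH_LEN + CHOP_LEN:]

def inner_is_ipv4(frame: bytes) -> bool:
    """Does what follows the Ethernet header look like an IPv4 header?"""
    inner = frame[ETH_LEN:]
    return len(inner) >= 20 and inner[0] >> 4 == 4 and (inner[0] & 0x0F) >= 5

def rewrite_pcap(src: bytes):
    """Classic libpcap in, de-encapsulated libpcap out, plus the list of stripped frames."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", src, 0)[0])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    out, frames, off = bytearray(src[:24]), [], 24
    while off + 16 <= len(src):
        ts_sec, ts_usec, incl, orig = struct.unpack_from(end + "IIII", src, off)
        off += 16
        new = strip_udptunnel(src[off:off + incl])
        off += incl
        out += struct.pack(end + "IIII", ts_sec, ts_usec, len(new), orig - (incl - len(new))) + new
        frames.append(new)
    return bytes(out), frames

# Constructed sample capture, not udopee.pcap itself: FRAME_B is the 84-byte frame from the hex dump
# above; FRAME_A imitates a 44-byte handshake frame (UDP Len=2) by reusing FRAME_B's outer headers.
FRAME_B = bytes.fromhex(
    "525400786c4800133b5a02a50800"                # Ethernet
    "4500004673c34000321169d4252f8265c0a802d3"    # outer IPv4 37.47.130.101 -> 192.168.2.211
    "70b1271000320fd6"                            # outer UDP 28849 -> 10000
    "0100"                                        # udptunnel reserved bytes
    "4500002800004000400626ce0a0000020a000001"    # inner IPv4 10.0.0.2 -> 10.0.0.1
    "e30e0539125352f900000000500400004e4a0000"    # inner TCP 58126 -> 1337 [RST]
)
FRAME_A = FRAME_B[:ETH_LEN + 28] + b"\x00\x00"  # stale outer length fields; the stripper never reads them

def build_sample_pcap() -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, linktype Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                          for i, f in enumerate((FRAME_A, FRAME_B)))

if __name__ == "__main__":
    for n, f in enumerate(rewrite_pcap(build_sample_pcap())[1], 1):
        print(n, len(f), "inner IPv4" if inner_is_ipv4(f) else "no inner packet (tunnel handshake?)")
```

Write the first return value to a file to get the equivalent of orig.pcap; any frame reported without an inner IPv4 header is one tshark will show as bogus or truncated.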

Here we can see that the original traffic, from 10.0.0.2 to 10.0.0.1, most likely carried TCP payload data. Using tshark once more, we extract the data field and process it further.

```
» tshark -r orig.pcap -Tfields -e data | xxd -r -p > flag.zip
» 7z x -so -ppassword flag.zip | base64 -d
ENO{AN0TH3R_TUNN3L_AN0THER_CHALL}
```

Original writeup (https://hackmd.io/@vidner/nullcon-sksd#U-Do-Pee-misc).