# KEBAB STO
We start with kebabsto.pcapng, so our first step is to open it in Wireshark.

From TCP stream 5 we see two huge hints:
1) "The name of the file begins with 'kd'"
and
2) "they also found a service at mydomainndh.ndh (port 55555) which decrypts every text encrypted with the public key, apart from the interesting one"
## Part 1:
In TCP stream 11 we can see a file being fetched: "GET /kdsqfkpdsdf"

We export the HTTP object from Wireshark:

We save it, and it's a zip file:

```
$ file kdsqfkpdsdf
kdsqfkpdsdf: Zip archive data, at least v2.0 to extract
```


When we unzip it, it's another capture file:

```
$ file lkdjflknezcz
lkdjflknezcz: tcpdump capture file (little-endian) - version 2.4 (802.11, capture length 65535)
```


Going through this dump we see it's 802.11 traffic, so the payloads are encrypted and we can't actually see what the packets carry...
We do, however, have a full 4-way handshake

and the SSID: "wifiAccess" from packet 761/765... etc.

So let's run aircrack-ng with the rockyou password list:

```
$ aircrack-ng lkdjflknezcz -w ../rockyou.txt
Opening lkdjflknezcz

# BSSID ESSID Encryption

1 F0:D7:AA:77:BD:46 wifiAccess WPA (1 handshake)

Choosing first network as target.

Opening lkdjflknezcz

Aircrack-ng 1.2 rc4

[00:00:00] 612/7120714 keys tested (2478.91 k/s)

Time left: 47 minutes, 53 seconds 0.01%

KEY FOUND! [ abcdefgh ]

Master Key : 46 DE 68 77 59 26 52 28 68 59 E3 E9 27 C2 75 66
77 A0 C0 C2 59 7C B7 6A 52 06 A3 B8 5D 7F 33 29

Transient Key : C8 2A 89 4B 43 93 57 73 35 B7 9E 21 99 8A 5A F2
B6 89 B8 10 F6 AF 77 68 A8 B4 69 E7 30 E4 A7 9B
88 32 93 FF AA B5 8E CE 9E AC 4A 05 05 0C EC BB
37 C9 12 11 5B DA 0C E9 D8 25 02 5E F3 D2 AA 4F

EAPOL HMAC : 76 32 AE BA 65 FD A2 64 BD FD 8E 76 BA 1F B7 84
```

It found the key very quickly!
So now we go into the 802.11 protocol settings and add the decryption key in key:SSID form (wifiAccess):
abcdefgh:wifiAccess

In packet 1292 there's another zip file; save it as raw to "slkfdsfljkj":

```
$ unzip slkfdsfljkj
Archive: slkfdsfljkj
```


## Part 2
Time to go to #2!
2) "they also found a service at mydomainndh.ndh (port 55555) which decrypts every text encrypted with the public key, apart from the interesting one"
We use Follow TCP Stream on the FIRST capture (kebabsto.pcapng) and see a mail conversation with a file being sent.

In stream 13 we get the file "docs.zip"
It's base64 encoded ("Content-Transfer-Encoding: base64"). I could also have decoded it in Wireshark, but this works as well:

```
$ base64 -d < doc > docs.zip
```


```
$ unzip docs.zip
```

We get cipherText and pubkey.pem.

The mydomainndh.ndh host is just the URL from the challenge page: kebabsto.challs.malice.fr
There was an error in the file: the port is actually 8888, not 55555.

We input the cipherText and get:

```
Here is the cleartext of your input :

123360975347216093033775350245751721746535757669936
```

This output is the raw decrypted value (the RSA plaintext as an integer), and the associated plaintext is easily retrievable:

```python
>>> from binascii import unhexlify
>>> n = 123360975347216093033775350245751721746535757669936
>>> # '%x' gives the bare hex digits, so this works on Python 2 and 3 alike
>>> # (the original hex(n)[2:-1] relied on Python 2's trailing 'L' suffix)
>>> unhexlify('%x' % n).decode()
'Th1s1s2P@ss_W0rd%M0f0'
```
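The integer-to-bytes step above, generalised as an added example that is not part of the original writeup: the I2OSP/OS2IP conversions from RFC 8017, which also cope with an odd number of hex digits and, when the expected octet length `k` (normally the modulus size) is known, with leading zero bytes that a bare `hex()` would lose.

```python
# Added example (not from the original writeup): RFC 8017 I2OSP / OS2IP
# conversions for turning a raw RSA plaintext integer back into bytes and
# the reverse. Unlike hex(n)[2:-1], this handles an odd number of hex
# digits and can restore leading zero bytes when the length k is known.

def i2osp(x, k=None):
    """Integer-to-Octet-String: big-endian bytes of x, left-padded to k.
    With k=None the minimal length is used (leading zero bytes are lost)."""
    if x < 0:
        raise ValueError("negative integer")
    length = (x.bit_length() + 7) // 8 if k is None else k
    if x >= 256 ** length:
        raise ValueError("integer too large for %d octets" % length)
    return x.to_bytes(length, "big")

def os2ip(octets):
    """Octet-String-to-Integer: big-endian interpretation of the bytes."""
    return int.from_bytes(octets, "big")

# Value returned by the challenge's decryption service (from the writeup).
RAW_PLAINTEXT = 123360975347216093033775350245751721746535757669936

def recover_password(raw=RAW_PLAINTEXT):
    """Turn the service's integer output into the ASCII password."""
    return i2osp(raw).decode("ascii")

if __name__ == "__main__":
    pw = recover_password()
    print(pw)                                   # Th1s1s2P@ss_W0rd%M0f0
    assert os2ip(pw.encode("ascii")) == RAW_PLAINTEXT
    # Edge case (constructed): a plaintext starting with a NUL byte; only
    # padding to the known length k recovers it from the integer.
    msg = b"\x00A"
    n = os2ip(msg)
    assert i2osp(n) == b"A" and i2osp(n, k=2) == msg
```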


After this we just unzip slkfdsfljkj with the password and get the flag:

The flag is : ndh2k18{M4k3M4tr10cHKa9r34T4g41n}


Original writeup (https://github.com/PHSC138/writeups/blob/master/nuidt%20quals/kebabSTO/WRITEUP.md).