Problem:
We suspect Hillary has been smuggling her emails over the border using some kind of underground passageway. Find out where she's hiding them and what secrets they contain
We were given a pcap file like this.
There were over 40000 DNS packets, and we noticed that there were strange strings in the queries.
In the picture above, the blue part is a DNS query, and you can see the strange substring in the prefix of the domain name.
vaaaakawdaq.hillary.clinton.io yrbqyg.hillary.clinton.io
All packets were like this, so we thought there was information hidden inside.
We used scapy to extract the domain names from the DNS queries.
Our script was like this:
from scapy.all import *

a = rdpcap("hillary.pcap")
res = []
for i in range(len(a)):
    # keep only queries sent by the client that carry a question name
    # (the IP layer holds the source address; the Ether layer only has MACs,
    # and scapy's question-record layer is DNSQR)
    if a[i].haslayer("IP") and a[i]["IP"].src == "192.168.175.150" \
            and a[i].haslayer("DNSQR") and len(a[i]["DNSQR"].qname) != 0:
        res.append(a[i]["DNSQR"].qname)
Results:
00000000  79 72 62 71 79 64 76 61 61 61 61 6b 61 77 64 61  |yrbqydvaaaakawda|
00000010  71 6c 61 64 69 78 76 79 70 78 68 35 7a 32 70 76  |qladixvypxh5z2pv|
00000020  78 6d 34 72 73 70 6b 64 31 6a 75 70 73 6d 67 62  |xm4rspkd1jupsmgb|
00000030  69 79 72 62 71 79 67 7a 71 79 68 61 41 2d 41 61  |iyrbqygzqyhaA-Aa|
00000040  61 68 68 68 2d 44 72 69 6e 6b 2d 6d 61 6c 2d 65  |ahhh-Drink-mal-e|
00000050  69 6e 2d 4a e4 67 65 72 6d 65 69 73 74 65 72 2d  |in-J.germeister-|
00000060  7a 71 79 69 61 41 2d 4c 61 2d 66 6c fb 74 65 2d  |zqyiaA-La-fl.te-|
00000070  6e 61 ef 76 65 2d 66 72 61 6e e7 61 69 73 65 2d  |na.ve-fran.aise-|
00000080  65 73 74 2d 72 65 74 69 72 e9 2d e0 2d 43 72 e8  |est-retir.-.-Cr.|
00000090  74 65 7a 71 79 6a 61 41 62 42 63 43 64 44 65 45  |tezqyjaAbBcCdDeE|
000000a0  66 46 67 47 68 48 69 49 6a 4a 6b 4b 6c 4c 6d 4d  |fFgGhHiIjJkKlLmM|
000000b0  6e 4e 6f 4f 70 50 71 51 72 52 73 53 74 54 75 55  |nNoOpPqQrRsStTuU|
000000c0  76 56 77 57 78 58 79 59 7a 5a 7a 71 79 6b 61 41  |vVwWxXyYzZzqykaA|
000000d0  30 31 32 33 34 35 36 37 38 39 bc bd be bf c0 c1  |0123456789......|
000000e0  c2 c3 c4 ... (continues)
Here, we noticed that there was a readable string "Drink-mal-ein", so we googled it and hit this write-up:
blog.stalkr.net
We noticed that this problem was very similar to the one we were solving, so we did as they had done.
We used encoder.c (http://stalkr.net/files/hack.lu/2010/9/encoder.c) and uncompress.c (http://stalkr.net/files/hack.lu/2010/9/uncompress.c). When compiling uncompress.c, we had to add a compile option like this:
gcc uncompress.c -lz
We compiled those two and used the Python script below.
# Extract iodine DNS tunnel data
# -- StalkR
from scapy.all import *
from subprocess import Popen, PIPE

input, output = "hillary.pcap", "extracted.pcap"
topdomain = ".hillary.clinton.io."
upstream_encoding = 128  # and no downstream encoding (type NULL)

# see encoder.c
def encoder(base, encode="", decode=""):  # base=[32,64,128]
    p = Popen(["./encoder", str(base), "e" if len(encode) > 0 else "d"],
              stdin=PIPE, stdout=PIPE)
    p.stdin.write(encode if len(encode) > 0 else decode)
    return p.communicate()[0]

# see uncompress.c
def uncompress(s):
    p = Popen(["./uncompress"], stdin=PIPE, stdout=PIPE)
    p.stdin.write(s)
    if p.wait() == 0:
        return p.communicate()[0]
    else:
        return False

def b32_8to5(a):
    return "abcdefghijklmnopqrstuvwxyz012345".find(a.lower())

# upstream header: hex userid, then three base32 chars packing seq/frag bits
def up_header(p):
    return {
        "userid": int(p[0], 16),
        "up_seq": (b32_8to5(p[1]) >> 2) & 7,
        "up_frag": ((b32_8to5(p[1]) & 3) << 2) | ((b32_8to5(p[2]) >> 3) & 3),
        "dn_seq": (b32_8to5(p[2]) & 7),
        "dn_frag": b32_8to5(p[3]) >> 1,
        "lastfrag": b32_8to5(p[3]) & 1,
    }

# downstream header: two raw bytes
def dn_header(p):
    return {
        "compress": ord(p[0]) >> 7,
        "up_seq": (ord(p[0]) >> 4) & 7,
        "up_frag": ord(p[0]) & 15,
        "dn_seq": (ord(p[1]) >> 1) & 15,
        "dn_frag": (ord(p[1]) >> 5) & 7,
        "lastfrag": ord(p[1]) & 1,
    }

# Extract packets from DNS tunnel
# Note: handles fragmentation, but not packet reordering (sequence numbers)
p = rdpcap(input)
dn_pkt, up_pkt = '', ''
datasent = False
E = []
for i in range(len(p)):
    if not p[i].haslayer(DNS):
        continue
    if DNSQR in p[i]:
        if DNSRR in p[i] and len(p[i][DNSRR].rdata) > 0:
            # downstream/server
            d = p[i][DNSRR].rdata
            if datasent:  # real data and no longer codec/fragment checks
                dn_pkt += d[2:]
                if dn_header(d)['lastfrag'] and len(dn_pkt) > 0:
                    u = uncompress(dn_pkt)
                    if not u:
                        # the original script raised here:
                        #   raise Exception("Error dn_pkt %i: %r" % (i, dn_pkt))
                        # we drop the fragment and carry on instead
                        dn_pkt = ''
                        continue
                    E += [IP(u[4:])]
                    dn_pkt = ''
        else:
            # upstream/client
            d = p[i][DNSQR].qname
            if d[0].lower() in "0123456789abcdef":
                datasent = True
                # skip the 4-char header and its dot, strip the topdomain, join labels
                up_pkt += d[5:-len(topdomain)].replace(".", "")
                if up_header(d)['lastfrag'] and len(up_pkt) > 0:
                    u = uncompress(encoder(upstream_encoding, decode=up_pkt))
                    if not u:
                        raise Exception("Error up_pkt %i: %r" % (i, up_pkt))
                    E += [IP(u[4:])]
                    up_pkt = ''
wrpcap(output, E)
print "Successfully extracted %i packets into %s" % (len(E), output)
We slightly changed the script from the original one, because otherwise it stopped with an error.
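The upstream header decoding and fragment reassembly that the script above performs, as an added pure-Python example (not from the write-up or from StalkR's script) that runs without scapy or the two C helpers. The query names are constructed, and their layout (4 header characters, a dot, payload labels, then .hillary.clinton.io.) is an assumption that mirrors the slice d[5:-len(topdomain)] the script takes.

```python
# Added example: decode iodine upstream query headers and reassemble fragments
# in pure Python. Not the write-up's or StalkR's code; the query names below are
# constructed to follow the layout the script slices (4-char header, a dot,
# payload labels, then the topdomain).
TOPDOMAIN = ".hillary.clinton.io."
B32 = "abcdefghijklmnopqrstuvwxyz012345"

def b32_8to5(c):
    """Map one base32 character to its 5-bit value (-1 if not base32)."""
    return B32.find(c.lower())

def up_header(qname):
    """Decode the 4-character header of an upstream data query: byte 0 is the
    user id (hex); bytes 1-3 are base32 chars packing up_seq/up_frag (client
    side) and dn_seq/dn_frag/lastfrag (server side), same bit layout as above."""
    h1, h2, h3 = (b32_8to5(c) for c in qname[1:4])
    return {
        "userid": int(qname[0], 16),
        "up_seq": (h1 >> 2) & 7,
        "up_frag": ((h1 & 3) << 2) | ((h2 >> 3) & 3),
        "dn_seq": h2 & 7,
        "dn_frag": h3 >> 1,
        "lastfrag": h3 & 1,
    }

def is_data_query(qname):
    """Data queries start with a hex user id; 'v', 'p', ... are control queries."""
    return qname[0].lower() in "0123456789abcdef"

def reassemble(qnames):
    """Concatenate payload labels of data queries until a header says lastfrag.
    Returns the still-encoded upstream packets, i.e. what the write-up then
    feeds to ./encoder 128 d and ./uncompress."""
    pkts, cur = [], ""
    for q in qnames:
        if not is_data_query(q):
            continue
        cur += q[5:-len(TOPDOMAIN)].replace(".", "")  # drop header, topdomain, dots
        if up_header(q)["lastfrag"] and cur:
            pkts.append(cur)
            cur = ""
    return pkts

# Constructed queries: a version handshake (skipped), then one packet in two fragments.
SAMPLE_QUERIES = [
    "vaaaakawdaq.hillary.clinton.io.",
    "0aaa.abcdef.ghij.hillary.clinton.io.",  # userid 0, frag 0, lastfrag=0
    "0aib.klmno.hillary.clinton.io.",        # userid 0, frag 1, lastfrag=1
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES[1:]:
        print(q, up_header(q))
    print(reassemble(SAMPLE_QUERIES))  # ['abcdefghijklmno']
```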
It took over an hour to run this script, and then it gave us extracted.pcap (you can download it from here: extracted.pcap - Google Drive).
We ran this command:
--> strings extracted.pcap | grep -3 Welcome | less
and the results were like this:
--
Etrump
Bpassword: V1
^China
^Welcome, trump
<;N@
Q4-7
4;O@
--
.9(6T
>China
n9(6T)
eWelcome, trump
n9(6c)
49(6d
<IJ@
--
bernie
zpassword: tH3_h4nDfUl_0n_top
Welcome, bernie
Q4-7
--
clinton
Cpassword: IAmGoingToBeTheNextPresidentAndIWillDestroyTrump
WWelcome, clinton
kNow, to access your emails, enter the SUPER SECRET PASSWORD:
*uhhh....China?
r+---------------------
From this, you can see that Trump's password is China, bernie's password is tH3_h4nDfUl_0n_top, and clinton's password is IAmGoingToBeTheNextPresidentAndIWillDestroyTrump. (None of those were flags.)
extracted.pcap looked like this, and we noticed that it communicated with 45.55.178.70.
So we accessed 45.55.178.70 as well.
--> nc 45.55.178.79 9999
(ASCII-art banner omitted)
+-----------------------------+
|       !!! WARNING !!!       |
| SYSTEM HAS BEEN LOCKED DOWN |
|     NON-ADMIN USERS ARE     |
|        NOW DISABLED         |
+-----------------------------+
login:
BINGO!!
We logged in with user clinton and password IAmGoingToBeTheNextPresidentAndIWillDestroyTrump, and we got a 400MB email dump.
(You can download the email dump from here: dump - Google Drive)
We changed the extension to .pst and opened it with Outlook.
After a long time staring at the emails, we noticed that the years of the emails were strange....
For example, if the date was 2095/03/10, we read 95 as a decimal number and converted it into an ASCII character, and...
Finally got the FLAG!!!!