Sunday, January 10, 2016

SANS Holiday Challenge Walkthrough part 1

I was traveling with my family over Christmas and New Year's and didn't have a chance to post these until now. This is part 1 of the 2015 SANS Holiday Challenge. This year SANS released an entire 8-bit game that places you in the Dosis neighborhood, where you solve a series of challenges.

After getting the pcap from Josh Dosis, opening it up in Wireshark gives us:

Going to Statistics > Protocol Hierarchy shows that many of the packets are DNS.

Filtering the pcap to show only DNS reveals that it is all TXT requests. DNS TXT records are used to store extra information about a host, but they are also a covert way to transfer data, e.g. DNS tunneling. One of the more popular tools for this is iodine.

Inspecting the hex dump of a packet, the part of the TXT record we're interested in appears to be Base64 encoded, as the trailing double = padding shows.

SANS provides a Python script which you are intended to modify to pull out the payload, but tshark will do it easily:

tshark -T fields -Y dns -e dns.txt -r gnome.pcap | while read -r txt; do echo "$txt" | base64 -d; done



The first question was "What commands were sent across the gnome's C&C channel?" The answer is evident in the first several lines of the output: the commands executed were "iwconfig" and "cat /tmp/iwlistscan.txt".

Farther down, the output dissolves into unprintable characters, but just before that it says that the file "/root/Pictures/snapshot_CURRENT.jpg" was being transferred. So now we need to carve the JPEG out. A simple "binwalk -e output" extracts the JPEG, giving us:

This is the answer to the second question, "What image appears in the file sent across the C&C by the Dosis gnome?"
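As an added example (not from the original post or from the SANS-provided script), here is the same extraction done in Python: parse the TXT answers out of raw DNS messages, Base64-decode and concatenate them as the tshark loop does, and carve the JPEG by its FFD8/FFD9 markers the way binwalk did. The DNS messages, the gnome.example query name and the FILE: marker in the payload are all constructed here for the test and are not taken from the real pcap.

```python
import base64, struct

def skip_name(pkt, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while pkt[off] != 0 and pkt[off] & 0xC0 != 0xC0:
        off += pkt[off] + 1
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def txt_strings(pkt):
    """Yield every character-string carried in the TXT answers of one DNS message."""
    qdcount, ancount = struct.unpack(">HH", pkt[4:8])
    off = 12                                    # fixed 12-byte header
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4           # skip QNAME, QTYPE, QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        pos, end = off, off + rdlen
        while rtype == 16 and pos < end:        # TXT RDATA: length-prefixed strings
            yield pkt[pos + 1:pos + 1 + pkt[pos]]
            pos += 1 + pkt[pos]
        off = end

def decode_channel(packets):
    """Base64-decode each TXT string and join them into the raw C&C stream."""
    return b"".join(base64.b64decode(s) for p in packets for s in txt_strings(p))

def carve_jpeg(stream):
    """Return the first JPEG (FFD8FF ... FFD9) found in the stream, or None."""
    start = stream.find(b"\xff\xd8\xff")
    end = stream.find(b"\xff\xd9", start) if start >= 0 else -1
    return stream[start:end + 2] if end >= 0 else None

def make_txt_response(txt):
    """Constructed test data: a minimal DNS response with a single TXT answer."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x05gnome\x07example\x00" + struct.pack(">HH", 16, 1)  # hypothetical name
    rdata = bytes([len(txt)]) + txt
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 60, len(rdata)) + rdata
    return header + question + answer
# Constructed stream standing in for the real channel: commands, a file marker, a tiny JPEG.
SAMPLE_STREAM = (b"iwconfig\ncat /tmp/iwlistscan.txt\n"
                 b"FILE:/root/Pictures/snapshot_CURRENT.jpg\n"
                 b"\xff\xd8\xff\xe0fake-jpeg-body\xff\xd9")
SAMPLE_PACKETS = [make_txt_response(base64.b64encode(SAMPLE_STREAM[i:i + 12]))
                  for i in range(0, len(SAMPLE_STREAM), 12)]

if __name__ == "__main__":
    print(carve_jpeg(decode_channel(SAMPLE_PACKETS)))
```

Against a real capture you would feed `txt_strings` the UDP payload of each DNS response; the carve step only finds the first start and end marker, so a stream holding several images needs it run in a loop.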

f3n3s7ra


