Incredibly Covert Malware Procedures

Collection of CTF writeups by Jeremy Heckt. If you have any questions or comments, feel free to drop an Issue on the Github repository.

Incredibly Covert Malware Procedures

Challenge Text

We got hacked! Can you see what they took? Download the file below.

Challenge Work

The pcap contains mainly some ICMP data. When we look at the first bit of data being sent via ICMP we immediately notice a PNG header:

0000   58 96 1d fa c2 b5 24 fd 52 7b 25 56 08 00 45 00   X.....$.R{.V..E.
0010   00 54 66 7d 40 00 40 01 41 ca c0 a8 08 72 c0 a8   .Tf}@.@.A....r..
0020   08 9f 08 00 ca cf 1b a2 00 01 7d c6 e7 5e 00 00   ..........}..^..
0030   00 00 95 14 00 00 00 00 00 00 89 50 4e 47 0d 0a   ...........PNG..
0040   1a 0a 00 00 00 0d 49 48 44 52 89 50 4e 47 0d 0a   ......IHDR.PNG..
0050   1a 0a 00 00 00 0d 49 48 44 52 89 50 4e 47 0d 0a   ......IHDR.PNG..
0060   1a 0a                                             ..

However, we also notice it is repeating…

First I exported the ICMP packets out of Wireshark into JSON via File > Export Packet Dissections > As JSON > Selected Packets Only. After this I extracted the data being sent, removing the responses:

import json
import binascii
from collections import OrderedDict 

json_file = json.loads(open("./pings.json", "r").read())

def clean_data(data):
    return data.replace(":","").upper()

text_list = []
data_list = []

for a in json_file:
    icmp_info = a["_source"]["layers"]["icmp"]
    raw_data_payload = clean_data(icmp_info["data"]["data.data"])
    payload_bytes = bytearray.fromhex(raw_data_payload)

    data_list.append(binascii.hexlify(payload_bytes))

new_data = list(OrderedDict.fromkeys(data_list))

print(f"data_list set is {len(new_data)} long") 
print(new_data)

After looking at the data I figured out the repetition scheme:

9514000000000000
89504e470d0a1a0a0000000d49484452
89504e470d0a1a0a0000000d49484452
89504e470d0a1a0a

82a8010000000000
0000036c0000005d0806000000d9a2e5
0000036c0000005d0806000000d9a2e5
0000036c0000005d

e6c5010000000000
c400000185694343504943432070726f
c400000185694343504943432070726f
c400000185694343

I adjusted accordingly, then made my extraction:

for i in new_data:
    with open("out.hex", "ab") as f:
        f.write(i[16:48])

hacked % cat out.hex | xxd -r -p > out.bin
hacked % file out.bin
out.bin: PNG image data, 876 x 93, 8-bit/color RGBA, non-interlaced
hacked % mv out.bin out.png

Now we have our flag:

out

I had to modify some of the output to get this site to work with Jekel…