247CTF - Commutative Payload

We have a honey pot running on one of our internal networks. We received an alert today that the machine was compromised, but we can’t figure out what the attacker did. Can you find the flag hidden in the attacker's payload?


Network Traffic

The provided capture shows SMB (Server Message Block) traffic on port 445 (microsoft_ds). An SMB1 SMBNegotiate_Request followed by an SMB2_Negotiate_Protocol_Request that carries trailing Raw data suggests an attempt to exploit an SMB vulnerability.

0001 Ether / IP / TCP 192.168.10.168:microsoft_ds > 10.0.5.15:42799 SA / Padding
0003 Ether / IP / TCP 10.0.5.15:42799 > 192.168.10.168:microsoft_ds PA / NBTSession / SMB_Header / SMBNegotiate_Request
...
0203 Ether / IP / TCP 10.0.5.15:43947 > 192.168.10.168:microsoft_ds PA / NBTSession / SMB2_Header / SMB2_Negotiate_Protocol_Request / Raw

Payload Extraction

Following the TCP stream in Wireshark and exporting the raw bytes gives the following hex dump:

❯ xxd a.raw
...
00000270: 0031 c941 e201 c3b9 8200 00c0 0f32 48bb .1.A........2H..
00000280: f80f d0ff ffff ffff 8953 0489 0348 8d05 .........S...H..
00000290: 0a00 0000 4889 c248 c1ea 200f 30c3 0f01 ....H..H.. .0...
000002a0: f865 4889 2425 1000 0000 6548 8b24 25a8 .eH.$%....eH.$%.
...
000007c0: 4d55 9dce ebc1 2620 2357 4052 6f23 7627 MU....& #W@Ro#v'
000007d0: 2226 2277 7027 2122 232c 2075 2523 752d "&"wp'!"#, u%#u-
...

The challenge name "Commutative Payload" hints at a commutative operation such as XOR being used for obfuscation: because XOR is commutative and self-inverse, the same key that obfuscated the payload also recovers it.

Solution

  1. Extract Data: Save the raw payload from the Wireshark TCP stream.
  2. CyberChef Analysis:
    • Use the XOR Brute Force operation.
    • Sample length: 10000.
    • Crib: 247CTF (knowing the flag format).
  3. Identification: When testing a key length of 2, the key 14 14 (effectively a 1-byte XOR with 0x14) decrypts the payload to reveal the flag.
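The same crib-driven XOR brute force, as an added example that is not part of the original writeup: it takes the 32 bytes at offset 0x7c0 from the hex dump above as constructed sample input, tries every key of length 1 and 2 the way the CyberChef step does, and keeps only keys whose output contains the crib 247CTF.

```python
"""Crib-driven XOR brute force over 1- and 2-byte keys (added example)."""
from itertools import product

# Sample input: the two dump lines at offset 0x7c0 from the writeup,
# copied byte for byte (first line, then second line).
SAMPLE = bytes.fromhex(
    "4d559dceebc12620235740526f237627"
    "2226227770272122232c20752523752d"
)
CRIB = b"247CTF"  # known flag prefix, the same crib used in CyberChef


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def brute_force_xor(data: bytes, crib: bytes, max_key_len: int = 2):
    """Return (key, crib_offset, plaintext) for every key of length
    1..max_key_len whose XOR output contains the crib."""
    hits = []
    for klen in range(1, max_key_len + 1):
        for key_tuple in product(range(256), repeat=klen):
            key = bytes(key_tuple)
            plain = xor_with_key(data, key)
            idx = plain.find(crib)
            if idx != -1:
                hits.append((key, idx, plain))
    return hits


def recover_flag_fragment(data: bytes = SAMPLE, crib: bytes = CRIB) -> bytes:
    """Decode with the shortest matching key and return text from the crib on."""
    hits = brute_force_xor(data, crib)
    if not hits:
        return b""
    key, idx, plain = min(hits, key=lambda h: len(h[0]))
    return plain[idx:]


if __name__ == "__main__":
    for key, idx, plain in brute_force_xor(SAMPLE, CRIB):
        print(f"key {key.hex()} crib at {idx}: {plain[idx:]!r}")
```

The 2-byte key 1414 turns up alongside the 1-byte key 14, which is why CyberChef reports "14 14" when asked for a key length of 2.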

Flag

247CTF{7b3626cd356784a17a9e49447356f229}