H3dg3h0g's Blog

    [Official] HellCorp 1 Writeup

    Context

    This is the official writeup for the HellCorp 1 challenge from the Hackfest 2021 Casual and Competitive CTFs.

    Challenge

    HellCorp_1.zip (5915.5KB)

    Understanding the Capture File

    1. Looking at the .cap file in Wireshark, we quickly see that it is composed of 802.11 frames, which means that we are dealing with a wireless capture. Let's take a closer look at it...
    2. In the first frame, for example, we see that it is a Beacon frame sent by an access point named HellCorp WiFi. If we analyze this frame a bit more, we see that the Privacy bit is set to 1, which means the access point supports WEP encryption.
    3. Just to verify that it is indeed a WEP encrypted capture, we can take a look at the Wireless tab, then WLAN Traffic.

    Cracking the WEP Key

    1. Now that we know this is a WEP encrypted capture, let's send it to aircrack-ng and try to crack the WEP key:

       aircrack-ng hellcorp_1.cap

       We just found the WEP key: h3!!C

    Decrypting the Traffic

    1. Back in Wireshark, we can import our newly acquired key to decrypt the capture: Edit > Preferences > Protocols > IEEE 802.11 > Decryption keys > Edit, then enter the WEP key in hexadecimal.
    2. Now that Wireshark has decrypted the traffic for us, let's see if there's anything interesting in here... We use this filter to filter out ARP requests and management frames:

       !arp and (wlan.fc.type == 2) and !(wlan.fc.type_subtype == 36) and !(wlan.fc.type_subtype == 44)

       We see an HTTP communication between 192.168.0.100 and 192.168.0.101.
    3. Let's clean this up by keeping only http frames.
    4. Going through the different frames, we see a POST request sent to /login which contains a clear text password, which is our first flag 🚩 of this mini track 🙂.
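
    What the decryption step does with the recovered key, as an added example that is not part of the original writeup: WEP prepends the 3-byte per-frame IV to the key, runs RC4 over the payload, and checks a CRC-32 ICV at the end. The sample frame body and its IV are constructed here (not taken from hellcorp_1.cap), and the function names are chosen for this example.

```python
import binascii
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR of data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_key_hex(ascii_key: str) -> str:
    """ASCII WEP key -> colon-separated hex, as entered in Wireshark."""
    return ":".join(f"{b:02x}" for b in ascii_key.encode("ascii"))

def icv_of(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", binascii.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Frame body layout: IV(3) | KeyID(1) | RC4(IV || key, data || ICV)."""
    return iv + bytes([key_id << 6]) + rc4(iv + key, data + icv_of(data))

def wep_decrypt(key: bytes, body: bytes) -> bytes:
    """Decrypt a WEP frame body; raise ValueError when the ICV check fails."""
    if len(body) < 8:
        raise ValueError("frame body too short for IV header and ICV")
    iv, cipher = body[:3], body[4:]
    clear = rc4(iv + key, cipher)  # per-frame RC4 key is IV || shared key
    data, icv = clear[:-4], clear[-4:]
    if icv_of(data) != icv:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return data

KEY = b"h3!!C"  # the 40-bit key recovered by aircrack-ng above
# Constructed sample frame body (IV and payload are made up for the demo)
SAMPLE = wep_encrypt(KEY, b"\x01\x02\x03", b"POST /login HTTP/1.1\r\n")

if __name__ == "__main__":
    print(wep_key_hex("h3!!C"))
    print(wep_decrypt(KEY, SAMPLE))
```

    The ICV check is how a decryptor can tell a correct key from a wrong one: with the wrong key the trailing four bytes do not match the CRC-32 of the decrypted data.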

    Bonus Step !

    1. There is a small teaser in the last HTTP response (frame no. 11178).

       In HellCorp 2, we will need to access the page /how-to-escape-from-hell...