[Official] HellCorp 1 Writeup

Context

This is the official writeup for the HellCorp 1 challenge from the Hackfest 2021 Casual and Competitive CTFs.

Challenge

HellCorp_1.zip (5915.5 KB)

Understanding the Capture File

  1. Opening the .cap file in Wireshark, we quickly see that it is made up of 802.11 frames, which means we are dealing with a wireless capture. Let's take a closer look at it...
  2. The first frame, for example, is a Beacon frame sent by an access point named HellCorp WiFi. Looking at its Capability Information field, the Privacy bit is set to 1, which means the access point requires encryption. On its own that bit only says "encrypted": it means WEP when the beacon carries no RSN (WPA/WPA2) information element, which the next step lets us confirm another way.
  3. To verify that it is indeed a WEP encrypted capture, open the Wireless menu, then WLAN Traffic: the Protection column of that statistics window shows the encryption in use for each network.

Cracking the WEP Key

  1. Now that we know this is a WEP encrypted capture, let's feed it to aircrack-ng and try to recover the WEP key. aircrack-ng's PTW attack only needs the data frames already in the file (each one carries its 24-bit IV in the clear), so as long as the capture holds enough of them no further sniffing or injection is required.
  2. aircrack-ng hellcorp_1.cap

     We just found the WEP key: h3!!C (68:33:21:21:43 in hexadecimal, which is the form aircrack-ng prints alongside the ASCII key).

Decrypting the Traffic

  1. Back in Wireshark, we can enter our newly acquired key so it decrypts the capture for us: Edit > Preferences > Protocols > IEEE 802.11 > Decryption keys > Edit, add a key of type wep with the key in hexadecimal (68:33:21:21:43), and make sure "Enable decryption" is checked.
  2. Now that Wireshark has decrypted the traffic, let's see if there's anything interesting in here. Using the filter !arp and (wlan.fc.type == 2) and !(wlan.fc.type_subtype == 36) and !(wlan.fc.type_subtype == 44) we keep only data frames (type 2), which already drops the management and control frames, and additionally discard ARP as well as the Null and QoS Null data frames (subtypes 36 and 44) that carry no payload. What is left is an HTTP conversation between 192.168.0.100 and 192.168.0.101.
  3. Let's clean this up further by keeping only http frames.
  4. Going through the different frames, we see a POST request sent to /login that contains a clear-text password, which is our first flag 🚩 of this mini track 🙂.
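What Wireshark does with the key, as an added example that is not part of the original writeup: a WEP data-frame body is IV(3) | KeyID(1) | RC4(IV || key, plaintext || ICV), where the ICV is the CRC-32 of the plaintext. The code below encrypts a constructed plaintext under the recovered key h3!!C with a made-up IV, decrypts it again, and shows how the ICV check tells a correct key from a wrong one. The IV, the plaintext and the pass= value are constructed sample data, not frames or the flag from the challenge capture.

```python
"""WEP data-frame body encryption/decryption with ICV verification.

Added example, not code from the original writeup. The frame body is built
locally from a constructed plaintext and IV; only the key (h3!!C) comes from
the capture.
"""
import struct
import zlib
from typing import Optional

# WEP-40 key recovered by aircrack-ng: 5 ASCII bytes = 40 bits.
WEP_KEY = b"h3!!C"
# Constructed 24-bit IV. In a real frame it is the first 3 bytes of the body, sent in the clear.
IV = b"\x01\x02\x03"
# Constructed plaintext standing in for the data behind the LLC/SNAP header. Sample only, not the flag.
SAMPLE_PLAINTEXT = b"POST /login HTTP/1.1\r\nHost: 192.168.0.101\r\n\r\nuser=alice&pass=example"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling followed by keystream XOR. Symmetric: one call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_key_hex(ascii_key: str) -> str:
    """Hex form of an ASCII WEP key, as aircrack-ng prints it and Wireshark's key dialog takes it."""
    return ":".join(f"{b:02x}" for b in ascii_key.encode("ascii"))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian, encrypted with it."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Build a protected frame body: IV(3) | KeyID byte | RC4(IV || key, plaintext || ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV with a 40-bit or 104-bit key")
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes) -> Optional[bytes]:
    """Decrypt a protected frame body; return the plaintext, or None when the ICV does not match.

    A wrong key produces a different keystream, so the CRC check fails with overwhelming
    probability. This is the same test Wireshark applies before showing a frame as decrypted.
    """
    if len(body) < 8:  # IV + KeyID + at least the 4 ICV bytes
        return None
    iv, ciphertext = body[:3], body[4:]
    decrypted = rc4(iv + key, ciphertext)
    plaintext, received_icv = decrypted[:-4], decrypted[-4:]
    return plaintext if received_icv == icv(plaintext) else None


def demo() -> dict:
    """Round-trip the constructed frame with the right key and with a wrong one."""
    body = wep_encrypt(WEP_KEY, IV, SAMPLE_PLAINTEXT)
    return {
        "key_hex": wep_key_hex(WEP_KEY.decode("ascii")),
        "iv_in_clear": body[:3] == IV,
        "right_key": wep_decrypt(WEP_KEY, body),
        "wrong_key": wep_decrypt(b"wrong", body),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two things worth noticing in the round trip: the IV is never encrypted, which is what gives aircrack-ng the per-frame material its PTW attack needs, and the ICV is a plain CRC-32 under a stream cipher, so it authenticates nothing against an attacker who can flip ciphertext bits. Both are reasons WEP is crackable from a passive capture such as this one.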

Bonus Step!

  1. There is a small teaser in the last HTTP response (frame no. 11178)

    In HellCorp 2, we will need to access the page /how-to-escape-from-hell...