![[Official] HellCorp 2 Writeup](https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/be75dd74-3b4d-4e45-8e36-b8eb539ef8aa/2021-11-02_17_53_45-LogoHF13-2021.docx_-_Google_Docs_-_Brave/w=256,quality=90,fit=scale-down)
Context
This is the official writeup for the HellCorp 2 challenge from the Hackfest 2021 Casual and Competitive CTFs.
Challenge
Understanding the Capture File
- Looking at the .pcap file in Wireshark, just like in HellCorp 1, we see that it is composed of 802.11 frames which means that we are, again, facing a wireless capture. Let's take a closer look at it...
- This time, if we take a closer look at the first frame, in the
IEEE 802.11 QoS Datalayer, we see aTKIP parametersfield, which means the traffic is encrypted using WPA / WPA2 - Knowing that, we can verify that we have a full 4-way handshake in the capture (otherwise we won't be able to crack the WPA key) by filtering for
eapolpackets.
Looks like we have 2 full 4-way handshakes which is more than enough for us to crack the WPA key.
Cracking the WPA key
- After reading the challenge description, we already have a wordlist (
rockyou_hellcorp.txt) and we know that we need to reverse all the passwords.
This can be done in many different ways, but I chose to use john the ripper with aircrack-ng by adding a new rule named HellCorp2 in john.conf to reverse all passwords.
We can then use john's --stdout argument and pipe it to aircrack-ng with -w - to specify that we want to use stdin as a wordlist.
john --wordlist=rockyou_hellcorp.txt --rules=HellCorp2 --stdout | aircrack-ng -e "HellCorp WiFi" -w - hellcorp_2.pcap
We just found the WPA key : srekcahllehnitor
Decrypting the Traffic
- Back to Wireshark, we can import our newly acquired key to decrypt the capture.
Edit>Preferences>Protocols>IEE 802.11>Decryption keys>Editand enter the WPA key in plain text as awpa-pwdkey. - Scrolling down, we see various TCP streams, we take a look at their content with
left click on a TCP packet>Follow>TCP stream. - In the next TCP stream (stream 118), we notice some unencrypted test like
migrations,migrations/.env,migrations/alembic.ini, etc. which indicates that it is probably thatwiki_autobackup.zipfile. - Changing the
Show data asoption forRaw. - Click
Save as...and save it aswiki_autobackup.zip - When we try to unzip it, we are asked to enter a password.
- Finally, we can navigate to
app/templates/how_to_escape_from_hell.htmlto find the flag 🚩.
We can then cycle through the streams by changing the stream number at the bottom left of the Follow TCP Stream window.
While we iterate through the streams, we see some encrypted streams (stream 86 for example), which means they probably installed a TLS certificate.
Continuing our research, we find an unencrypted TCP stream (stream 117).
At line 1, we see that it is a FTP communication. We also note that the client authenticated using the username autobackup and the password autobackup. The client then upload a file named wiki_autobackup.zip. It looks like the server hosting the wiki website sends an automatic backup to a backup server, let's see if we can access this backup.
We can extract it by
We can simply use the FTP client's password, autobackup.
