[Official] HellCorp 2 Writeup

Context

This is the official writeup for the HellCorp 2 challenge from the Hackfest 2021 Casual and Competitive CTFs.

Challenge

HellCorp_2.zip (262.0 KB)

Understanding the Capture File

  1. Looking at the .pcap file in Wireshark, just like in HellCorp 1, we see that it is composed of 802.11 frames, which means that we are again facing a wireless capture. Let's take a closer look at it.
  2. This time, in the first frame's IEEE 802.11 QoS Data layer, we see a TKIP parameters field, which means the traffic is encrypted using WPA/WPA2 (TKIP is the legacy WPA cipher suite; the pre-shared key is recovered the same way regardless of the cipher).
  3. Knowing that, we verify that the capture contains a full 4-way handshake by filtering for eapol packets. Without one we cannot crack the WPA key: the cracker derives a PMK from each candidate passphrase and the SSID, and it is the MIC in the handshake frames that tells it whether the candidate is right.

    Looks like we have 2 full 4-way handshakes, which is more than enough for us to crack the WPA key.

Cracking the WPA key

  1. After reading the challenge description, we already have a wordlist (rockyou_hellcorp.txt) and we know that we need to reverse all the passwords.
  2. This can be done in many different ways, but I chose to use John the Ripper together with aircrack-ng, adding a new rule named HellCorp2 to john.conf that reverses every word (in john's rule syntax the single-character rule r reverses the whole word).

    We can then use john's --stdout argument and pipe it to aircrack-ng with -w - to specify that the wordlist should be read from stdin; -e selects the ESSID to attack.

    john --wordlist=rockyou_hellcorp.txt --rules=HellCorp2 --stdout | aircrack-ng -e "HellCorp WiFi" -w - hellcorp_2.pcap

    We just found the WPA key: srekcahllehnitor
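The handshake check and the cracking pipeline above, as an added shell example (not part of the original writeup) that does not require editing john.conf: the reversal is done with awk instead of john's rule engine and piped straight into aircrack-ng. It assumes the file names rockyou_hellcorp.txt and hellcorp_2.pcap and the SSID "HellCorp WiFi" from the challenge, and that tshark and aircrack-ng are installed; the three-entry sample wordlist is constructed here to show that the recovered key srekcahllehnitor is simply "rotinhellhackers" reversed.

```shell
#!/bin/sh
# Added example, not the writeup's own code. Assumes hellcorp_2.pcap,
# rockyou_hellcorp.txt and the ESSID "HellCorp WiFi" from the challenge.

# The john.conf section equivalent to the HellCorp2 rule used above:
# 'r' is john's "reverse the whole word" rule command. Append it to john.conf
# and "john --rules=HellCorp2 --stdout" yields the same candidates as below.
HELLCORP2_RULE='[List.Rules:HellCorp2]
r'

# Handshake sanity check (needs tshark): counts EAPOL frames, i.e. the
# 4-way handshake messages aircrack-ng will test candidates against.
count_eapol_frames() {
    tshark -r "$1" -Y eapol 2>/dev/null | wc -l | tr -d ' '
}

# Reverse every candidate byte-wise (as john's 'r' rule does), stdin -> stdout.
reverse_candidates() {
    LC_ALL=C awk '{ out = ""; for (i = length($0); i > 0; i--) out = out substr($0, i, 1); print out }'
}

# Feed the reversed candidates to aircrack-ng on stdin (-w -), selecting the
# target network by ESSID. Arguments: wordlist, capture, essid.
crack_wpa() {
    reverse_candidates < "$1" | aircrack-ng -e "$3" -w - "$2"
}

# Constructed sample wordlist standing in for rockyou_hellcorp.txt.
sample_wordlist() {
    printf '%s\n' password hackfest2021 rotinhellhackers
}

# Number of reversed sample candidates equal to the key the writeup recovers.
# "rotinhellhackers" reversed is "srekcahllehnitor", so this returns 1.
sample_hits() {
    sample_wordlist | reverse_candidates | grep -c '^srekcahllehnitor$'
}

# Usage against the real files:
#   count_eapol_frames hellcorp_2.pcap
#   crack_wpa rockyou_hellcorp.txt hellcorp_2.pcap "HellCorp WiFi"
```

The awk loop reverses bytes, not Unicode code points, which matches what john's r rule produces on a non-ASCII entry; keep that in mind if the wordlist contains multibyte passwords.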

Decrypting the Traffic

  1. Back to Wireshark, we can import our newly acquired key to decrypt the capture: Edit > Preferences > Protocols > IEEE 802.11 > Decryption keys > Edit, and enter the WPA key in plain text as a wpa-pwd key (Wireshark derives the pairwise master key from the passphrase and the SSID seen in the capture; the form passphrase:SSID pins the SSID explicitly).
  2. Scrolling down, we see various TCP streams; we take a look at their content with right click on a TCP packet > Follow > TCP Stream (also available under Analyze > Follow).
  3. We can then cycle through the streams by changing the stream number at the bottom of the Follow TCP Stream window.

    While we iterate through the streams, we see some encrypted streams (stream 86 for example): the TLS handshakes show that the wiki is served over HTTPS, and without the server's key material those streams cannot be read, so we keep looking for plaintext.

    Continuing our research, we find an unencrypted TCP stream (stream 117).

    At line 1, we see that it is an FTP control connection. FTP sends credentials in clear text, and we note that the client authenticated using the username autobackup and the password autobackup. The client then uploads a file named wiki_autobackup.zip. It looks like the server hosting the wiki website sends an automatic backup to a backup server; let's see if we can access this backup.

  4. In the next TCP stream (stream 118, the FTP data connection), we notice some readable text such as migrations, migrations/.env, migrations/alembic.ini, etc. These are entry names from the ZIP's file headers and central directory, which stay in clear text even in a password-protected archive (ZIP encryption covers file contents, not names), so this is very likely the wiki_autobackup.zip upload itself. We can extract it by:
    1. Changing the Show data as option to Raw.
    2. Clicking Save as... and saving it as wiki_autobackup.zip.
  5. When we try to unzip it, we are asked for a password.

    We can simply reuse the FTP client's password, autobackup.
  6. Finally, we can navigate to app/templates/how_to_escape_from_hell.html to find the flag 🚩.
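The decryption, stream inspection and archive extraction steps above, done from the command line with tshark, as an added shell example that is not part of the original writeup. It assumes tshark, xxd and unzip are installed, that the capture is hellcorp_2.pcap, the key srekcahllehnitor on SSID "HellCorp WiFi", and the stream numbers 117 (FTP control) and 118 (FTP data) from the writeup; the FTP control conversation embedded below is constructed for the offline check and assumes the upload used the STOR verb.

```shell
#!/bin/sh
# Added example, not the writeup's own code. Assumes tshark, xxd and unzip,
# plus the capture, key and stream numbers from the writeup.
PCAP="hellcorp_2.pcap"
WPA_KEY="srekcahllehnitor"
SSID="HellCorp WiFi"

# tshark with 802.11 decryption enabled; a wpa-pwd key is given as
# passphrase:SSID so the PMK can be derived. Extra arguments are passed through.
decrypted_tshark() {
    tshark -r "$PCAP" \
        -o "wlan.enable_decryption:TRUE" \
        -o "uat:80211_keys:\"wpa-pwd\",\"$WPA_KEY:$SSID\"" "$@"
}

# Every FTP command in the capture with its stream number: finds the
# USER/PASS/upload triple without clicking through streams by hand.
list_ftp_commands() {
    decrypted_tshark -Y "ftp.request" -T fields -e tcp.stream -e ftp.request.command -e ftp.request.arg
}

# Follow TCP Stream equivalents: ASCII for the control channel, raw hex for the data channel.
stream_ascii() {
    decrypted_tshark -q -z "follow,tcp,ascii,$1"
}

# tshark prefixes the server->client direction with a tab; an upload carries
# data in one direction only, so both are kept and joined into one hex string.
stream_hex() {
    decrypted_tshark -q -z "follow,tcp,raw,$1" | grep -E '^[[:space:]]?[0-9a-fA-F]+$' | tr -d ' \t\n'
}

# Parse an FTP control conversation (text as shown by Follow TCP Stream) and
# print "user password filename". Assumes STOR is the upload verb.
parse_ftp_control() {
    awk '
        { sub(/\r$/, "") }
        $1 == "USER" { user = $2 }
        $1 == "PASS" { pass = $2 }
        $1 == "STOR" { file = $2 }
        END { print user, pass, file }
    '
}

# A ZIP archive starts with the local file header signature PK\x03\x04
# (504b0304); check that before treating a stream as the backup. Accepts
# tshark's colon-separated or plain hex.
is_zip_hex() {
    case "$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')" in
        504b0304*) return 0 ;;
        *) return 1 ;;
    esac
}

# Save the stream to disk and open it with the FTP password reused on the archive.
extract_backup() {
    hex=$(stream_hex "$1")
    is_zip_hex "$hex" || { echo "stream $1 does not start with a ZIP header" >&2; return 1; }
    printf '%s' "$hex" | xxd -r -p > wiki_autobackup.zip
    unzip -P "$2" -d wiki_autobackup wiki_autobackup.zip
}

# Constructed FTP control exchange for the offline check (not from the capture).
sample_ftp_control() {
    printf '220 backup server ready\r\nUSER autobackup\r\n331 Password required\r\nPASS autobackup\r\n230 Login successful\r\nSTOR wiki_autobackup.zip\r\n150 Ok to send data\r\n226 Transfer complete\r\n'
}

# Usage against the real capture:
#   list_ftp_commands
#   stream_ascii 117 | parse_ftp_control      (expected: autobackup autobackup wiki_autobackup.zip)
#   extract_backup 118 autobackup
#   cat wiki_autobackup/app/templates/how_to_escape_from_hell.html
```

Stream numbers are only stable for the same capture opened with the same decryption settings, which is why the key is passed to every tshark invocation; the is_zip_hex check catches the case where a stream number points at the wrong conversation.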