Welcome #
- LetsDefend is a Blue Team Training platform.
- This writeup documents an Easy-level challenge focused on extracting information and files from PCAPs in Wireshark.
Challenge Overview #
Role Targeted: Security Analyst
Skill Level: Easy
Scenario #
We reached the data of an agent leaking information. You have to disclose the agent.
Log file: /root/Desktop/ChallengeFile/smtpchallenge.pcap
Note: the pcap file was found in public resources.
PCAP Analysis #
Initial Thoughts #
“Interesting, based on the questions, we might have to carve files out of SMTP.”
Question-Based Analysis #
- What is the email address of Ann's secret boyfriend?
  - Following the TCP streams, we can flip through them one at a time. The first TCP stream is an email, but it doesn't look like a conversation with a significant other. The second stream (`tcp.stream eq 1`) DOES, though, specifically calling the other person "sweetheart".
  - Based on that, the recipient is `[email protected]`, found under `RCPT TO:`. The envelope recipient in `RCPT TO:` is the one that matters here; the `To:` header inside the message body is just data the client chose to send and need not match.
- What is Ann's email password?
  - Still in `tcp.stream eq 1`: after the client asks to log in (`AUTH LOGIN`), the server responds with two base64 prompts, first asking for the username and then for the password, and the client answers each one in that order. The prompts themselves decode to `Username:` and `Password:`, which is a quick way to confirm which client line is which. So the 4th base64 string in the exchange is the one we're looking for. `echo "NTU4cjAwbHo=" | base64 -d ; echo` gives us the answer: `558r00lz`
- What is the name of the file that Ann sent to his secret lover?
  - Still in `tcp.stream eq 1`, we can find this after the email body, in the attachment's MIME headers: `filename="secretrendezvous.docx"`
- In what country will Ann meet with her secret lover?
  - This information isn't in the email body, so it's probably in the attached document. Let's extract it. We'll "Save As" the TCP stream we've been analyzing into a file. I named mine `tcpstream1`.
  - A quick look at it in `vi`, paging down a bit, lets us know that the first 77 lines are all SMTP data, and so are the last 7 lines. We can use a little `head` and `tail` trickery to trim it. `tail -n +78 tcpstream1 > tcpstream2` tells tail to start at line 78 and go until the end of the file; we redirect the output into a new file. `head -n -7 tcpstream2 > tcpstream3` tells head to start from the top but omit the last 7 lines; again we redirect the output into a new file. Those line counts are specific to this saved stream, so check with `head` and `tail` that `tcpstream3` begins with the first base64 line and ends with the last one, not with a MIME boundary or an SMTP reply.
  - Finally we decode the base64! `base64 -d tcpstream3 > secretrendezvous.docx`. If the cut is off by a line, `base64 -d` will normally complain about invalid input, which is a useful sanity check before trusting the hash of the result.
  - I tried to `strings` the document, but got little of use. So since this is on a lab machine, I just opened it (not a mentality I'd recommend at home), and it turns out the country is located in a picture! It says they're meeting at "Playa del Carmen" in Mexico.
- What is the MD5 value of the attachment Ann sent?
  - A quick `md5sum secretrendezvous.docx` gives us: `9e423e11db88f01bbff81172839e1923`
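The same extraction chain (decode the `AUTH LOGIN` credentials, cut the `DATA` section out of the saved stream, decode the attachment, hash it) as an added Python example; this is not part of the original writeup and not a LetsDefend tool. It locates the cut points by the `334` / `354` / lone `.` protocol markers instead of hand-counted line numbers, and hands the MIME body to the standard-library `email` package, so it also copes with several attachments, quoted-printable parts and dot-stuffed bodies. The embedded sample stream is constructed: the addresses, the `hunter2` password and the attachment contents are invented, and the script name `smtp_carve.py` below is an assumption.

```python
import base64
import hashlib
import os
import sys
from email import policy
from email.parser import BytesParser

# Constructed sample of a Wireshark "Follow TCP Stream" -> "Save as" file (both
# directions, CRLF). Addresses, credentials and the attachment are invented here.
ATTACHMENT_BYTES = b"Playa del Carmen - see you there!\n"
SAMPLE_STREAM = b"\r\n".join([
    b"AUTH LOGIN",
    b"334 VXNlcm5hbWU6",                     # server: base64("Username:")
    base64.b64encode(b"ann@example.test"),  # client: base64(username)
    b"334 UGFzc3dvcmQ6",                     # server: base64("Password:")
    base64.b64encode(b"hunter2"),           # client: base64(password)
    b"235 2.7.0 Authentication successful",
    b"RCPT TO:<lover@example.test>",
    b"DATA",
    b"354 End data with <CR><LF>.<CR><LF>",
    b'Content-Type: multipart/mixed; boundary="XYZ"',
    b"",
    b"--XYZ",
    b"Content-Type: text/plain",
    b"",
    b"Hi sweetheart, see the attached document.",
    b"--XYZ",
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="plan.txt"',
    b"",
    base64.b64encode(ATTACHMENT_BYTES),
    b"--XYZ--",
    b".",
    b"250 2.0.0 Ok: queued",
]) + b"\r\n"


def _lines(stream: bytes) -> list:
    """Split on CRLF or bare LF, so a stream saved either way parses."""
    return stream.replace(b"\r\n", b"\n").split(b"\n")


def auth_login_credentials(stream: bytes):
    """(username, password) from an AUTH LOGIN exchange, or None if absent."""
    # The server prompts with 334 + base64("Username:") / base64("Password:") and
    # the client answers on the next line; keying on the decoded prompt text is
    # more robust than counting "the 4th base64 string" by eye.
    lines = _lines(stream)
    found = {}
    for i, line in enumerate(lines[:-1]):
        if not line.startswith(b"334 "):
            continue
        try:
            prompt = base64.b64decode(line[4:], validate=True).decode("ascii")
            answer = base64.b64decode(lines[i + 1], validate=True).decode("utf-8")
        except ValueError:  # binascii.Error is a ValueError: not base64 / not text
            continue
        found[prompt.strip().rstrip(":").lower()] = answer
    if "username" in found and "password" in found:
        return found["username"], found["password"]
    return None


def extract_message(stream: bytes) -> bytes:
    """Raw message between the 354 reply and the lone terminating '.'."""
    # Protocol markers replace the hand-counted head/tail trimming, and SMTP
    # dot-stuffing is undone (a body line that arrives as '..' was sent as '.').
    lines = _lines(stream)
    start = None
    for i, line in enumerate(lines):
        if start is None:
            if line.startswith(b"354"):
                start = i + 1
        elif line == b".":
            body = [ln[1:] if ln.startswith(b"..") else ln for ln in lines[start:i]]
            return b"\r\n".join(body) + b"\r\n"
    raise ValueError("no complete DATA section in stream")


def extract_attachments(message: bytes) -> dict:
    """filename -> decoded bytes; the email package undoes the base64 layer."""
    msg = BytesParser(policy=policy.default).parsebytes(message)
    return {p.get_filename(): p.get_payload(decode=True)
            for p in msg.walk() if p.get_filename() and not p.is_multipart()}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    print("AUTH LOGIN:", auth_login_credentials(data))
    for name, blob in extract_attachments(extract_message(data)).items():
        # The filename is attacker-controlled MIME data: drop any path component.
        out = os.path.basename(name) or "attachment.bin"
        with open(out, "wb") as fh:
            fh.write(blob)
        print(f"{out}: {len(blob)} bytes, md5 {md5_hex(blob)}")
```

Run it with no arguments to see it work on the built-in sample, or as `python3 smtp_carve.py tcpstream1` against the file saved from Wireshark. Two design points matter for real captures: only the first `DATA` section in a stream is returned, so save one stream per message; and the output filename is taken from a header the sender controls, which is why `os.path.basename` is applied before anything is written to disk.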
Summary #
| Questions | Answers |
|---|---|
| What is the email address of Ann’s secret boyfriend? | [email protected] |
| What is Ann’s email password? | 558r00lz |
| What is the name of the file that Ann sent to his secret lover? | secretrendezvous.docx |
| In what country will Ann meet with her secret lover? | mexico |
| What is the MD5 value of the attachment Ann sent? | 9e423e11db88f01bbff81172839e1923 |
Final Thoughts #
“Fun to use a little bash-fu to get the attachment!”