Global Cyberlympics Finals 2015 Write-up - Tracker.7z

Hi all,

It has been a while since I updated this blog. I just want to share one of the challenges my team solved at the Cyberlympics finals held in Washington DC, USA.

Tools used: Wireshark, Chaosreader, vncviewer, TightVNC, an online QR code scanner.

We were given a zipped pcap file, tracker.7z, and asked to analyse it: according to the storyline it contained information about a meeting location for a suspect, and our task was to find that location.

Well, we loaded the pcap into Wireshark to have a first look at it. Screenshot below:

From the screenshot above, one can see the VNC protocol in use during the capture; the suspect probably communicated with a remote party over VNC. So we need to reassemble the VNC session and see whether it gives us any valuable information. The tool of choice, or probably the only tool I know that can do this, is Chaosreader by Brendan G. Gregg.
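The first triage step above, spotting RFB (VNC) traffic in the capture, can also be scripted. The following is an added example, not code from this post or from Chaosreader: it walks a classic libpcap file with only the Python standard library and lists VNC sessions by their ProtocolVersion greeting, assigning server and client roles from who spoke first. The pcap bytes are constructed inline, since the tracker.7z capture itself is not reproduced here.

```python
import struct

# RFB (VNC) opens with a 12-byte server greeting "RFB xxx.yyy\n"; the client answers with its own.

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (not checked here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload          # EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xA1B2C3D4, link type Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

def iter_tcp_segments(pcap):
    """Yield (src_ip, sport, dst_ip, dport, payload) for every IPv4/TCP segment."""
    pos = 24                                                        # skip global header
    while pos + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[pos:pos + 16])[2]
        frame, pos = pcap[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                                # not IPv4 over TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]                   # skip IP header (IHL)
        src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]      # data offset in words

def find_rfb_sessions(pcap):
    """Map (client_ip, cport, server_ip, sport) -> (server_version, client_version)."""
    sessions = {}
    for src, sp, dst, dp, data in iter_tcp_segments(pcap):
        if len(data) != 12 or not data.startswith(b"RFB ") or data[-1:] != b"\n":
            continue
        ver = data[4:11].decode()
        if (src, sp, dst, dp) in sessions:              # client answering a known server
            sessions[(src, sp, dst, dp)][1] = ver
        elif (dst, dp, src, sp) not in sessions:        # server greets first: fixes roles
            sessions[(dst, dp, src, sp)] = [ver, None]
    return {k: tuple(v) for k, v in sessions.items()}

# Constructed sample: one VNC handshake on port 5900 plus an unrelated HTTP request.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.9", 5900, 51234, b"RFB 003.008\n"),
    build_frame("10.0.0.9", "10.0.0.5", 51234, 5900, b"RFB 003.008\n"),
    build_frame("10.0.0.9", "10.0.0.7", 51235, 80, b"GET / HTTP/1.0\r\n\r\n"),
])
```

Calling find_rfb_sessions on a real capture read with open(path, "rb").read() works the same way, as long as it is a classic pcap (not pcapng) with Ethernet framing.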

Running chaosreader over the pcap generates an index.html file. The reassembled VNC session appears as one of the outputs, in the VNC.replay format.


The reassembled VNC session is seen as session_0038.VNC.replay. To playback the file, execute the following in a Linux terminal:

$./session_0038.VNC.replay -p 9991 1

This should start a VNC server on port 9991. Then connect to it by executing the following command in another terminal:

$vncviewer -viewonly 127.0.0.1:9991

When asked for a password, just press Enter (or any key).

This starts the VNC client and connects it to the server for playback.
At first we did not notice that, just as the video was about to end, the suspect opened a picture containing a QR code; it happened really fast. We noticed it on the second viewing and had to slow the playback down to three times slower so we could capture the QR code.

$./session_0038.VNC.replay -p 9991 0.3    -- play three times slower
We uploaded the QR code to https://webqr.com/ and got a link.

Clicking on the link led to a location on Google Maps.

Location: McCormick & Schmick's Seafood & Steaks!!! Onto the next one :)

Comments

  1. Nice one. Learnt something new.

  2. Pytha, nice tutorial.

  3. So finally, what's the answer? Is it the name of the place we have to submit as a flag? Isn't there any actual flag out there?
