Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Tree: b6da6ecfdf

Fetching latest commit…

Cannot retrieve the latest commit at this time

..
Failed to load latest commit information.
source
7.dll
README.TXT
trojan_capture.pcap

README.TXT

 ___      _      _            _   _ 
/ __|_ __(_)_ _ | |   ___  __| |_| |
\__ \ '_ \ | ' \| |__/ _ \/ _| / /_|
|___/ .__/_|_||_|____\___/\__|_\_(_)
    |_|                             
        CHALLENGE #7
            700pts

...oooOOO Backstory OOOooo...

    You were contacted by a worried system administrator.
He noticed about 2 weeks ago that someone had compromised
one of his domain controllers. He began monitoring suspicious
traffic going in and out of the machine. He noted that
all the suspicious traffic was on TCP port 7777. When
he attempted to connect back to the attackers machine
late one night, he noticed a flurry of activity on the 
domain controller and then the attacker was gone.
All that is left is a excerpt of traffic captures which 
he has provided to you, and a single dll which you suspect
contains the encryption and decryption routines for 
the network communication of the trojan.

When viewing the suspicious dll in a tool like PEView
or Depends.exe you notice that it exports 5 functions:
    Tumbler1
    Tumbler2
    Tumbler3
    Tumbler4 
    and 
    Tumbler5
You suspect that (like a lock) these Tumblers must be strung together
to properly encrypt and decrypt data.


...oooOOO CTF Task OOOooo...
Using the dll provided, and the traffic provided in the packet capture,
decrypt the "ciphertext" to determine what happened on the wire when
the trojan was active. Who knows, maybe there is even a flag in there! :-)

*HINT*: 
    One of your co-workers reversed enough of the dll to determine
that each tumbler took exactly one argument, a pointer to a character buffer.
"With that info" (he said before leaving for vacation) "you can probably just
write a loader or something..."

Something went wrong with that request. Please try again.