From c3efbbb0e563a3a312494b3d0c637d7fee91a67d Mon Sep 17 00:00:00 2001 From: Neale Pickett Date: Wed, 14 Nov 2012 17:56:06 -0700 Subject: [PATCH] Document netarch category --- doc/2013-02-TF5/categories/netarch.txt | 121 +++++++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 doc/2013-02-TF5/categories/netarch.txt diff --git a/doc/2013-02-TF5/categories/netarch.txt b/doc/2013-02-TF5/categories/netarch.txt new file mode 100644 index 0000000..f0f0739 --- /dev/null +++ b/doc/2013-02-TF5/categories/netarch.txt @@ -0,0 +1,121 @@ +archaeology +=========== + +This is the network archaeology category. Puzzles center around pulling +something out of a pcap file. + +* Base64-encoded plaintext + +* Image in pcap of HTTP +* Image in pcap of SMTP +* Image in pcap of proto b +* Image in pcap of out-of-order proto b +* Image in pcap of out-of-order w/NAK proto b + +* Base64-encoded single-byte xor +* Base64-encoded 4-byte xor +* Base64-encoded 16-byte xor + +* Image in pcap of 1-byte xor out-of-order w/NAK w/filler proto c +* Image in pcap of proto d, plus a token in the text +* Image in pcap of proto e, token in the text, and token in zip file + + +proto b +------- + + 01 1 octet SOH + xxxx 2 octets chunk number (monotonically increasing) + xx 1 octet chunk length + ... <256 octets up to 255 bytes of data + xx 1 octet checksum (uint8 sum of all data bytes) + + 06 1 octet ACK + xxxx 2 octets chunk number + 00 1 octet length 0 + + 15 1 octet NAK + xxxx 2 octets chunk number + 00 1 octet length 0 + + 04 1 octet EOT + xxxx 2 octets chunk number + 00 1 octet length 0 + + +frob +---- + +* srand(0) +* xor each octet with rand() % argv[1] + + +proto c +------- + +all packets are xored with a per-session randomly-selected key + + offs len description + ---- ---- ----------- + 00 2 c0 0c + 02 2 packet length + 04 1 opcode + 05 1 00 + 06 data + + opcode desc data + ------ ---- --------- + 01 Hello hostname(cstring), 60 bytes random + 02 NOP ∅ + 04 Text Alice in Wonderland + 05 Image part# (2 octets) + data + + +proto d +------- + +all packets are xored with a per-packet randomly-selected key + + offs len description + ---- ---- ----------- + 00 1 00 + 01 1 opcode + 02 2 packet length + 04 2 sequence number + 06 data + + opcode desc data + ------ ---- --------- + 01 Hello hostname(cstring), 60 bytes random + 02 NOP ∅ + 04 Text Alice in Wonderland + 05 Image data + + +proto e +------- + +16-byte xor key, applied to entire packet + + offs len description + ---- ---- ----------- + 00 1 opcode + 01 1 compression type (0=none, 1=gzip) + 02 2 packet length + 04 2 sequence number + 06 data + + opcode desc data + ------ ---- --------- + 01 Hello hostname(cstring), 60 bytes random + 02 C2 interactive shell + 04 fopen 1:mode (0=read, 1=write) + 1:fd + n:path + 05 write 1:fd + 4:offset + n:data + 06 fclose 1:fd + 08 NOP ∅ + +