
DoD Cyber Sentinel May 2024 - Summary Write-up

  • dwaseem
  • May 19, 2024
  • 4 min read

This CTF was difficult. I ran into a lot of walls on some of the challenges. To start with I went into OSINT, as that is generally the easier category. The OSINT challenge brought a new aspect of what type of OSINT information to look for. Normally we get a location or a what3words address for the challenge. This one asked for the MAC address of the WiFi network the prospect was on. The challenge was called 'Have you been here before.' It came with a picture of a cafe that I narrowed down to 'PAUL a French Cafe' at Frank Square in DC, with an address. After that you have to figure out how to get the WiFi, for which I went looking for the Xfinity free access map. That led me to www.wigle.net, a map of all the WiFi signals that exist, laid out as a sort of heat map, which also holds the latest collection of signals or sign-ons uploaded to the internet. From there I found a connection near where the picture was taken and clicked on it; voilà, MAC address available. Entered it into the CTF and got it.


Time was short for this challenge, which makes it higher pressure. I took a look at the OSINT challenge Targeting and then moved on to try to solve some other challenges. With Targeting we got two pictures of what looks like a hangar with jets, which I narrowed down to a white Panavia Tornado HSR jet.


Next I came to *Ephemeral* in the Networking & Recon category. Another interesting one. This one required finding a flag on an open port. Right away I did some recon on the given IP address, 34.31.144.172. I started with the basics, doing a *whois* lookup and any research I could do online. I then started running *nmap* commands such as *nmap -sV -sS*, *nmap -sA* and *nmap -sU*. The -sU option brought us to a port that showed as unknown but open: TCP port 51147. This was the port we needed; I SSH'd into it and received a flag.


Moving on to *Header Hinterlands* in Networking & Recon. This was a wild rabbit hole of files within files within files. The main gist is that there is some sort of malicious code in an index.html file, pulled from their server as part of a webpage that is saved to a Docker instance. It took some time, but I finally figured out I could extract the blobs given within the .tar file, and those blobs each held various documents. I hit a wall with this challenge after looking through almost every single directory of hash-named files, each of which had directories, headers and content in them. The hint that I paid for said headers can have other names too. I will find out exactly where to look for this one.
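A programmatic way to walk a `docker save` style archive layer by layer, rather than opening every hash-named blob directory by hand: this is an added example, not code from the original write-up or from the challenge, and the manifest layout, file paths and the `X-Note` header value are constructed for illustration.

```python
import io
import json
import tarfile

def _tar_bytes(members):
    """Build an uncompressed tar in memory from {path: bytes} (constructed helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    """Constructed `docker save` style archive: manifest.json plus two layer blobs.
    Layer 1 ships a plain index.html; layer 2 overwrites it and adds an nginx config."""
    layer1 = _tar_bytes({"usr/share/nginx/html/index.html": b"<html>base image</html>"})
    layer2 = _tar_bytes({
        "usr/share/nginx/html/index.html": b"<html><!-- X-Note: placeholder --></html>",
        "etc/nginx/conf.d/default.conf": b'add_header X-Note "placeholder";\n',
    })
    manifest = [{"Config": "config.json", "RepoTags": ["demo:latest"],
                 "Layers": ["blobs/sha256/aaaa/layer.tar", "blobs/sha256/bbbb/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": b"{}",
        "blobs/sha256/aaaa/layer.tar": layer1,
        "blobs/sha256/bbbb/layer.tar": layer2,
    })

def iter_layer_files(image_bytes):
    """Yield (layer_index, path, content) for every regular file in every layer,
    in manifest order, so a file overwritten by a later layer shows up twice."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for idx, layer_path in enumerate(manifest[0]["Layers"]):
            blob = outer.extractfile(layer_path).read()
            # mode "r" lets tarfile detect gzip/xz compressed layer blobs by itself
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as layer:
                for m in layer.getmembers():
                    if m.isfile():
                        yield idx, m.name, layer.extractfile(m).read()

def find_by_name(image_bytes, basename):
    """All copies of a file called `basename` (e.g. index.html) across the layers."""
    return [hit for hit in iter_layer_files(image_bytes) if hit[1].rsplit("/", 1)[-1] == basename]

def grep_layers(image_bytes, needle):
    """(layer_index, path) of every file whose content contains the byte string `needle`."""
    return [(i, p) for i, p, c in iter_layer_files(image_bytes) if needle in c]
```

Searching file contents across layers (not only names) is what catches a header that was renamed or moved into a server config rather than the HTML itself.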


I also gave Tangled Certs a try, which came as a PCAP file. All of the content in this file was decrypted other than the names of what was moving between device and server. I looked at some certificates being passed between them, such as what looked like an Amazon certificate that seemed out of place, along with pulling a gts1c3 and an r3.0.lencr certificate, to no avail. Time was short, and without some extensive research I wasn't going to solve this, so I moved on. I believe the question I would need to answer is what to look for when a "mole" is communicating with another actor within the network through a PCAP capture, and how to locate the certificate or capture that will give us the flag.


The next challenge I looked at was printer in WebApp Exploitation. I took this one to Burp Suite; however, the challenge looks like it was actually a /robot.txt path, through which we could dig further to a notes.txt file which had the flags in it.


Next up in Forensics was *Filing Problem*. On this one I tried to figure out how to find the flag by running the usual commands such as exiftool, cat with less, and strings. Nothing popped up. A very simple solution, which I found out later after the CTF ended, is that we can change the file to a .pdf extension, then send it to Firefox and open it there. We see blacked-out lettering; the flag is in there after highlighting the blacked-out area. We can select all, copy from the PDF and paste into a Word file, and the flag and all the other text comes up in Word. It goes to show that over-complicating anything makes it harder.


For Exfil I took the pcap to a new tool called NetworkMiner after discovering the capture was encrypted. NetworkMiner showed three packets that were possibly doing ARP spoofing. From here I did not know how to extract the information or flag needed, looking up and down through each layer of Wireshark's breakdown. I have the MD5 hash for the capture from NetworkMiner; however, I am not sure if that is what decrypts the packet. I ran into a wall here because I had no idea what to do next.


This was the gist of what I got to look at in the 8 hours we had to solve. I will be working my way through the challenges and files I have to get more practice and see what I did wrong.
