Hi there! In order to properly inaugurate this page, we’ll be solving “Disclose the Agent”, a LetsDefend challenge.

Figure 01: Original challenge from: https://app.letsdefend.io/challenge/disclose-the-agent/

Summary

We reached the data of an agent leaking information. You have to disclose the agent.

Log file: Download
Pass: 321

Note: pcap file found public resources.

Information we should find

  1. secret boyfriend’s email address.
  2. Ann’s email password.
  3. the secret file Ann sent to her secret lover.
  4. the location where Ann will meet her secret lover.
  5. MD5 hash of the file Ann provided to her lover.

Observations

If you plan on doing the LetsDefend challenge, I strongly recommend trying to do it by yourself before reading!

Walkthrough

The first step is to open the PCAP file in a network protocol analyzer; for this task I’ll be using Wireshark, so we can better analyze the traffic data.

Keeping in mind that our first goal is to find a secret e-mail address, we can start by filtering for SMTP (Simple Mail Transfer Protocol) traffic in Wireshark.

Figure 02: Wireshark SMTP Filter

Looking at the traffic data, we can already detect some valuable information:

  • There was an authentication request using the LOGIN mechanism (Request parameter: LOGIN);
  • EHLO annlaptop - the likely hostname of the machine from which the authentication was requested;
  • User: c25lYWt5ZzMza0Bhb2wuY29t (Base64-encoded username);
  • Pass: NTU4cjAwbHo= (Base64-encoded password).

Assuming this is Ann’s computer (EHLO annlaptop), we can recover her credentials by decoding the username and password values.

Base64 is an encoding, not encryption, so any decoder reverses it; there are many online tools for this, and for this instance we’ll be using Code Beautify to get both the username and the password.

Figure 03: Ann’s username (e-mail)
Figure 04: Ann’s Password

Now that we have Ann’s credentials, we should check whether we can find more information about her e-mail exchanges.

Figure 05: Wireshark SMTP Protocol

In the highlighted line it’s possible to find the body of an e-mail message, which may reveal the person Ann has been exchanging e-mails with.

Figure 06: Wireshark - E-mail

Looking at the rest of the packet, there are more suggestive messages indicating that this person could be Ann’s secret lover.

Figure 07: Wireshark - Messages

We can also find an attachment at the end of the message.

Figure 08: Wireshark - File Name

By following the TCP stream and going back to the attachment information inside the e-mail, we can find the file’s content, which according to the Content-Transfer-Encoding header is encoded in Base64.

Figure 09: Wireshark - TCP Stream

To extract the file, we can copy the Base64 content into a decoder tool that writes it back out as a file.

Figure 10: Base64 to File - Base64 Guru

Opening the file “application.docx”, we find the place where Ann wants to meet.

Figure 11: application.docx

Once you have the file, you can open a terminal and check its MD5 hash with the certutil command.

Figure 12: application.docx MD5 Hash
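The same three steps (decoding the AUTH LOGIN credentials, cutting the Base64 attachment out of the DATA section, hashing it) as a Python script over a constructed SMTP stream. This is an added example, not part of the original walkthrough; the hostname is the one from the capture, but the credentials and the attachment are made up.

```python
import base64
import email
import hashlib
from email import policy
# Constructed client-side SMTP stream (not the challenge capture); the
# Base64 lines encode a made-up username, password and attachment.
SMTP_STREAM = """\
EHLO annlaptop
AUTH LOGIN
dXNlckBleGFtcGxlLmNvbQ==
aHVudGVyMg==
DATA
From: user@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: application/octet-stream; name="notes.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="notes.txt"

bWVldCBtZSBhdCB0aGUgcGllcg==
--sep--
.
QUIT
"""

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def auth_login_credentials(stream: str) -> tuple[str, str]:
    # AUTH LOGIN sends the username, then the password, as two Base64 lines.
    # Base64 is encoding, not encryption, so they decode directly.
    lines = stream.splitlines()
    i = lines.index("AUTH LOGIN")
    user, pwd = (base64.b64decode(l).decode() for l in lines[i + 1:i + 3])
    return user, pwd

def extract_attachments(stream: str) -> list[tuple[str, bytes, str]]:
    # Cut the DATA section out of the stream, parse it as MIME and let the
    # parser decode each part per its Content-Transfer-Encoding header.
    lines = stream.splitlines()
    body = "\n".join(lines[lines.index("DATA") + 1:lines.index(".")])
    msg = email.message_from_string(body, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        found.append((part.get_filename(), data, md5_hex(data)))
    return found
```

On Windows, the MD5 step corresponds to `certutil -hashfile application.docx MD5`.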

With that, the challenge is complete! Thank you for reading.

Written by Lithium Malware