# UIUCTF 2021 - CEO Writeup

CEO was a "misc" challenge during UIUCTF 2021 in which you need to inspect and gather creds from a .pcap file. It was rated as a "beginner" challenge in a CTF that was extremely challenging for myself, and forced me to dust off some serious CTF cob webs. While it's not a very glamorous chall, this writeup aims to simply note some of the techniques I used to get the flag. So with that said, let's jump in.

# The Prompt

Viewing the challenge, we're prompted with the following note.

chall
chall

Note: During the initial stages of the CTF, this sentence was not in the challenge prompt: "Wrap the password in the flag format." This led me down some rabbit holes that we'll see later.

# Initial Analysis

After downloading the .pcap and opening it in Wireshark, we can see there's quite a bit of traffic, mostly using the 802.11 protocol.

Wireshark
Wireshark

If we click Wireless > WLAN Traffic in Wireshark we can see that the SSID related to this captured traffic is: joesheer.

SSID
SSID

# Original Rabbit Hole

So as I mentioned earlier, the original challenge prompt was a little.... well a whole lot different. If you clicked the original hint it mentioned doing some OSINT on the CEO to get the Wi-fi password.

I did some research and found that if you know the password used in captured 802.11 traffic, you can enter the password and wireshark will decrypt it.

We can do this pretty easily by right clicking a captured 802.11 packet and hitting:

Protocol Preferences -> IEEE 802.11 Wireless LAN -> Decryption Keys...

Then create a new entry with the little plus at the bottom, select wpa-pwd as the key type, and enter the password in the key field.

decryption keys
decryption keys

Anyways, knowing this my train of thought for the challenge was:

  1. Get potential password from OSINT on the CEO
  2. Enter password in Wireshark
  3. Find key in decrypted traffic

Using the information we've gathered so far, we can find the CEO's twitter account pretty easily:

Google searching
Google searching

CEO twitter
CEO twitter

And this is where the rabbit hole begins. I spent more time than I'd like to admit searching through this account, his followers, who he's following... their tweets... all to no avail.

At a certain point I got desparate and wondered if I should just start guessing based on what he was talking about. After all it's a beginner challenge right?

Here's my original wordlist concocted from his tweets/rewteets:

~/Downloads/wifi:> $ cat fuckme.txt         
megacorpone
megacorp
nanotech
nanotechnology
nano-technology
MegaCorp_One
MegaCorp
DavidBeckham
USA
US
equestrian
horse
horses
soccer
football
manchesterunited
manu
manunited

I then manually entered each one into the Wireshark decryption keys section. While this didn't work, as you'll see later I actually wasn't far off.

# Flag

Some frustrated research later led me to realizing there's an alternate path to success.

Wi-fi traffic typically contains a 4-way handshake between a router and client.

We can easily view this handshake by using the eapol filter in Wireshark.

viewing eapol
viewing eapol

This essentially just means that the client and host have agreed to talk to eachother, and the traffic is encapsulated.

What this also means for us is that there's a valid WPA key (we already knew this but pretend you didn't) that we can crack.

# Cracking the password

To crack the captured handshake with Hashcat, we'll need to use cap2hccapx to get it into the hccapx format.

This most likely won't be in your path by default (if you're using Kali), but we can locate it pretty easily.

cap2hccapx
cap2hccapx

After that we just give it the .cap file and a name to write to:

Getting a hccapx
Getting a hccapx

We can then use Hashcat to crack it:

~/ctf/uiuctf_2021/misc/CEO:> $ hashcat -m 2500 hccapx-out /usr/share/wordlists/rockyou.txt --force

Now we can submit the flag! Except... well I didn't initially.

So I originally didn't realize that the Wi-Fi password was the actual flag.

I falsely assumed that you must use the password to decrypt the traffic then find the flag in some decrypted packet.

After aimlessly searching through packets, I noticed the challenge writeup was updated and submitted the flag I already had.

Done!

# Closing Thoughts

You might also notice that the cracked password was actually in my original manual wordlist from Twitter. I'll be honest I can't remember if I noticed that the traffic was decrypted with this password or not. This just added to the overall frustration of what should have been a really simple challenge. Oh well, still ended up learning something new.

Thanks for reading :)

Written by 0xAshh

# Hit me up