UofTCTF 2024

forensics/Illusion Writeup

We’re given a PCAP file with a lot of traffic to and from one IP address. Looking into it, it’s mainly HTTP traffic, with some calls to a cloned Google.com page, and a GET request for an image. The requests to the images caught my interest, as they don’t return any image data, just a 200 OK.

Wireshark traffic
The GUID string looks like base64, but doesn’t decode to anything.

After a bit of Googling I came across this Medium blog discussing the TrevorC2 framework. It mentions how the C2 clones a site like Google.com and sends data via /images?guid=.... Here’s the config from the C2 server:

URL = ("https://www.google.com")
USER_AGENT = ("User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko")
ROOT_PATH_QUERY = ("/")
SITE_PATH_QUERY = ("/images")
QUERY_STRING = ("guid=")
COOKIE_SESSIONID_STRING = ("sessionid")
COOKIE_SESSIONID_LENGTH = (15)
STUB = ("oldcss=")
SSL = False
CERT_FILE = ("")
CIPHER = ("Tr3v0rC2R0x@nd1s@w350m3#TrevorForget")
NOTFOUND=("Page not found.")
REDIRECT =("ON")

This all matches the PCAP, so it’s likely TrevorC2 is being used.

From the source code, to decode the data:

def __init__(self, key):
    self.bs = 16
    self.key = hashlib.sha256(AESCipher.str_to_bytes(key)).digest()

def decrypt(self, enc):
    enc = base64.b64decode(enc)
    iv = enc[:AES.block_size]
    cipher = AES.new(self.key, AES.MODE_CBC, iv)
    return self._unpad(cipher.decrypt(enc[AES.block_size:])).decode('utf-8')

The IV is the first 16 bytes, and the AES key is SHA256 of Tr3v0rC2R0x@nd1s@w350m3#TrevorForget.

In CyberChef, we needed two base64 decodes before the AES decryption. Likely due to client-side base64 encoding before HTTP transmission. No flag was in the exfiltrated data, but we saw that a flag.txt was created and a reverse shell established.

CyberchefRecipe