kNOCk kNOCk

The provided file is a dump of a network capture, which we can analyze using Wireshark.
➜ file kNOCk_kNOCk
kNOCk kNOCk: pcapng capture file - version 1.0
Wireshark allows us to display the hierarchy of protocols present in the pcap file (Statistics -> Protocol Hierarchy). We can see that most of the exchanges are TCP.

We can also display the objects that were transferred during the HTTP exchanges.
File -> Export Objects -> HTTP

We can see that a file named MalPack.deb was downloaded from IP address 192.168.157.195 on port 8080. This file is a package for Debian Linux. A Debian package is essentially an archive: it holds the files to be installed and control data, including maintainer scripts that dpkg runs during installation.
One non-recommended method is to install the package directly, which lets any maintainer scripts in an untrusted package run on the analysis machine:
➜ dpkg -i MalPack.deb
(Reading database ... 185144 files and directories currently installed.)
Preparing to unpack MalPack.deb ...
Unpacking notamalware (1.0) over (1.0) ...
Setting up notamalware (1.0) ...
A file named simplescript.sh will then be created on the system, and we just need to execute it.
➜ /usr/local/bin/simplescript.sh
PWNME{P4ck4g3_1s_g00d_ID}
The recommended method is to unpack the package without installing it. A .deb is an ar archive, so we can use the ar command to extract its contents.
➜ ar x MalPack.deb
control.tar.xz data.tar.xz debian-binary MalPack.deb
Then we can decompress and unpack the extracted archives.
➜ xz -d data.tar.xz
➜ xz -d control.tar.xz
➜ tar -xvf data.tar
./
./usr/
./usr/local/
./usr/local/bin/
./usr/local/bin/simplescript.sh
We will obtain the simplescript.sh script.
➜ cat ./usr/local/bin/simplescript.sh
#!/bin/bash
echo "PWNME{P4ck4g3_1s_g00d_ID}"
PWNME{P4ck4g3_1s_g00d_ID}
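The same static inspection can be scripted so that nothing from the package is installed or executed. This is an added example, not part of the original write-up: it parses the ar container and reports maintainer scripts and payload files. The function names and the in-memory sample package are constructed for illustration, and it assumes xz, gzip or bzip2 compressed members.

```python
import io, tarfile
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}

def ar_members(blob):
    """Yield (name, data) for each member of a Unix ar archive (the .deb container)."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # member data is padded to an even length

def triage_deb(blob):
    """Report maintainer scripts and payload files without installing or executing."""
    report = {"scripts": {}, "files": []}
    for name, data in ar_members(blob):
        if name.startswith(("control.tar", "data.tar")):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for m in [m for m in tf.getmembers() if m.isfile()]:
                    path = m.name[2:] if m.name.startswith("./") else m.name
                    if name.startswith("data.tar"):
                        report["files"].append(("/" + path, oct(m.mode & 0o777)))
                    elif path in MAINTAINER_SCRIPTS:  # run by dpkg on install/removal
                        body = tf.extractfile(m).read()
                        report["scripts"][path] = body.decode(errors="replace")
    return report

def _tar_xz(files):  # constructed-sample helper: pack {path: (mode, body)} as .tar.xz
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tf:
        for path, (mode, body) in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(body), mode
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def _ar(members):  # constructed-sample helper: wrap (name, data) pairs in an ar archive
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n"
    return b"!<arch>\n" + b"".join(
        hdr % (n, 0, 0, 0, b"100644", len(d)) + d + b"\n" * (len(d) & 1) for n, d in members)

# Constructed sample package built in memory; this is not the challenge file.
SAMPLE_DEB = _ar([(b"debian-binary", b"2.0\n"),
    (b"control.tar.xz", _tar_xz({"./postinst": (0o755, b"#!/bin/sh\necho constructed\n")})),
    (b"data.tar.xz", _tar_xz({"./usr/local/bin/simplescript.sh": (0o755, b"#!/bin/bash\n")}))])
```

To use it on a real capture export, pass the bytes of the .deb file to `triage_deb` and review the returned scripts and file list before deciding how to handle the package.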