This challenge was solved by, and the write-up was written by, one of my teammates, gym.
In this challenge we are provided with a pcap of a zsync transfer. Zsync is a file transfer program that lets you download a file from a remote server when you already have an older version of that file on your computer. Zsync downloads only the parts of the file that changed, and transfers them over HTTP.
The zsync headers are the following:
Each transfer contains the hash of the file and blocks that are being transferred. We can see that the SHA1 hash of the original file is:
Searching for this hash value we find that the original file is the dropper of the Operation Potao malware (https://github.com/eset/malware-ioc/blob/master/potao/README.adoc). Further searching leads us to https://www.hybrid-analysis.com/sample/61dd8b60ac35e91771d9ed4f337cd63e0aa6d0a0c5a17bb28cac59b3c21c24a9?environmentId=4, where we can acquire the original sample.
At this point we can either examine the headers manually and restore the final file (each header contains the blocks and the number of bytes being transferred):
Or we can use the Xplico (http://www.xplico.org/) open-source network forensics tool to do this for us.
The final file is a Windows binary with the modified dropper code; running it in a Windows VM we receive an error message that prints the 32-bit hash value.
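As an added illustration of the manual reconstruction described above (example code, not part of the original write-up), the following Python splices the byte ranges fetched over HTTP into a copy of the old file and checks the result against the SHA-1 advertised for the new file. The old file, the ranges and the hash are constructed here; extracting the range offsets and bodies from the pcap is assumed to have been done beforehand.

```python
import hashlib

# Constructed "old" local copy of the file (not from the CTF pcap).
OLD_FILE = b"HEADER-v1|" + b"A" * 16 + b"|TRAILER"

# Constructed ranges as (offset in the new file, bytes served over HTTP).
# In a real capture these come from the Content-Range headers and bodies
# of the server's partial-content replies.
RANGES = [
    (7, b"v2|"),        # the version marker changed
    (10, b"B" * 8),     # the first half of the middle block changed
]


def rebuild(old: bytes, ranges: list[tuple[int, bytes]], new_len: int) -> bytes:
    """Splice downloaded ranges into a copy of the old file.

    Bytes not covered by any range are taken from the old copy, which is the
    zsync premise: only the blocks that differ are transferred.
    """
    # Start from the old content, padded or truncated to the new length.
    out = bytearray(old[:new_len].ljust(new_len, b"\0"))
    for start, data in sorted(ranges):
        end = start + len(data)
        if end > new_len:
            raise ValueError(f"range {start}-{end} exceeds file length {new_len}")
        out[start:end] = data
    return bytes(out)


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the rebuilt file, to compare with the hash from the control file."""
    return hashlib.sha1(data).hexdigest()


def verify_sha1(data: bytes, expected_hex: str) -> bool:
    """True when the rebuilt file matches the advertised SHA-1."""
    return sha1_hex(data) == expected_hex


def rebuild_example() -> bytes:
    """Rebuild the constructed new file from OLD_FILE and RANGES."""
    return rebuild(OLD_FILE, RANGES, len(OLD_FILE))
```

A mismatch on the final SHA-1 check means a range was missed or misplaced when reading the capture, which is the first thing to re-examine.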
KT’s alternative, “facepalm” solution
While gym was solving the challenge, I searched for every SHA-1 in the pcap.
And the last hash threw up the following result: https://www.hybrid-analysis.com/sample/688a3ac91914609e387111e6382911ecd0aefe9f4f31bed85438b65af390cf6f?environmentId=1
And if I scrolled down to the middle of the page I saw the following screenshot:
I liked this part especially, as it looked exactly like a flag. :)
It was the flag of course. :D
First I thought maybe this was the intended solution, but then I saw the upload date and it was clear that somebody (probably another team) had uploaded the malware sample during the CTF, so it was a real facepalm moment for me. :)
And despite the flag being findable this easily, only a few teams solved the challenge.
gym was not too happy when I told him that I had just sent in the flag while he was working hard on solving the challenge :)