Denominate
Introduction
This challenge was provided by HackTheBox for BSides London 2021. It’s a forensics challenge: we’re given a packet capture and asked to find out what the attacker did inside the network.
Baby steps
Download and verify the zip and pcap, and load the latter into Wireshark. I had some initial trouble due to Wireshark not being configured to include RTP (Real-Time Transport Protocol) over UDP by default (Analyze -> Enabled Protocols). It’s an easy enough setting to change, if you know to look for it.
Going into Telephony -> RTP Streams, we have two streams. One appears to be some sort of voicemail service, prompting for a password. The other includes the dial tones we want, encoded with G.722.
A quick lookup of DTMF (dual-tone multi-frequency) yields the following matrix: each pair of tones encodes a number or character.
| Frequency (Hz) | 1209 | 1336 | 1477 | 1633 |
| --- | --- | --- | --- | --- |
| 697 | 1 | 2 | 3 | A |
| 770 | 4 | 5 | 6 | B |
| 852 | 7 | 8 | 9 | C |
| 941 | * | 0 | # | D |
Unfortunately, these don’t map to musical notes particularly well, at least not with standard tuning.
So, you can obtain the key by a) having a good ear and experience, or b) exporting the audio stream and doing a Fourier Transform of each tone.
I’m going to be honest, I did c): found and used a DTMF decoder app, holding my phone up to the laptop speakers.
With some repeat experimentation (’-’ signifies a missed tone):
19713#
1-71-#
1971--
1971-#
1971-#
19713#
1971-#
1971-#
1971-#
19713#
-971--
1-71--
1971--
1971-#
19713#
1971-#
Since the last digit was tricky, I confirmed with Audacity (aka method b)) the presence of 697 Hz and 1477 Hz peaks, aka 3. One assumes 19713 is the password, with hash as the control character. Whether that’s the attacker or a hapless victim being phished, we don’t know - both IPs are internal, but that doesn’t say much either way.
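Method b) can be scripted instead of read off a spectrum by eye. The following is an added example, not part of the original write-up: it measures the power at each of the eight DTMF frequencies with the Goertzel algorithm (a single-bin DFT) and maps the strongest row/column pair through the matrix above. It assumes the stream has already been exported to mono PCM samples at 8000 Hz; the function names, thresholds and the synthesized test audio are constructed for this example.

```python
import math

FS = 8000  # assumed sample rate of the exported audio (Hz)
ROWS = (697, 770, 852, 941)
COLS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")

def goertzel_power(samples, freq, fs=FS):
    """Signal power at one frequency (Goertzel algorithm, a single-bin DFT)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_key(block, fs=FS, min_power=1e3):
    """Return the DTMF key in one block, or None for silence/ambiguous audio."""
    row_p = [goertzel_power(block, f, fs) for f in ROWS]
    col_p = [goertzel_power(block, f, fs) for f in COLS]
    r, c = row_p.index(max(row_p)), col_p.index(max(col_p))
    # Both tones must be present and clearly dominate the other candidates.
    for powers, best in ((row_p, r), (col_p, c)):
        others = [p for i, p in enumerate(powers) if i != best]
        if powers[best] < min_power or powers[best] < 10 * max(others):
            return None
    return KEYS[r][c]

def decode(samples, fs=FS, block_ms=40):
    """Walk the audio in fixed blocks; emit a key once per press."""
    n = fs * block_ms // 1000
    out, last = [], None
    for i in range(0, len(samples) - n + 1, n):
        key = detect_key(samples[i:i + n], fs)
        if key is not None and key != last:
            out.append(key)
        last = key  # silence resets this, so repeated digits are kept
    return "".join(out)

def synth(keys, fs=FS, tone_ms=120, gap_ms=80):
    """Constructed test input: clean DTMF tones separated by silence."""
    samples = []
    for k in keys:
        r = next(i for i, row in enumerate(KEYS) if k in row)
        c = KEYS[r].index(k)
        for t in range(fs * tone_ms // 1000):
            samples.append(math.sin(2 * math.pi * ROWS[r] * t / fs)
                           + math.sin(2 * math.pi * COLS[c] * t / fs))
        samples.extend([0.0] * (fs * gap_ms // 1000))
    return samples
```

Calling `decode(synth("19713#"))` returns `19713#`; for real audio, `min_power` has to be scaled to the sample amplitude (the default suits samples in the range -1.0 to 1.0).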
Flag = HTB{19713}