Torrent Analyze
Challenge
SOS, someone is torrenting on our network. One of your colleagues has been using torrent to download some files on the company's network. Can you identify the file(s) that were downloaded? The file name will be the flag, like picoCTF(unknown). Captured traffic (Archive).
Solution
Opening the file in Wireshark we see some TLS, TCP, DNS, and UDP connections. DNS requests are made to torrent.ubuntu.com and ipv6.torrent.ubuntu.com. We can visit those domains and find a tracker index with .torrent files available for download.
Looking at the description of a .torrent file on Wikipedia gives us a general overview of the file structure, but isn't overly helpful. The article linked in the hints explains that "A user who wants to upload a file first creates a small torrent descriptor file that they distribute by conventional means (web, email, etc.). They then make the file itself available through a BitTorrent node acting as a seed." This indicates that the .torrent file would contain the file name. If we download a random torrent file from the Ubuntu tracker index, we see that this is indeed the case. However, HTTPS is used to download this file, so without the TLS key, which we don't have, we cannot read this file.
After looking through the UDP streams in Wireshark using Right click > Follow > UDP Stream, we notice that there are several streams that look like the following in ASCII:
We also searched online for "torrent pcap" and found this article (Archive). The article states that we can "easily filter traffic to find any torrent hashes of the files being downloaded or shared." It also says that "a Google search on the torrent hash will often tell you what the file is," which sounds exactly like what we want since we want to know the name of the file being downloaded as a torrent.
However, Wireshark does not dissect the traffic as BitTorrent for some reason, so we have to find this torrent hash manually.
Searching for "BT-DHT" (which was given in a hint) finds the Mainline DHT Wikipedia article, which states "Mainline DHT is the name given to the Kademlia-based distributed hash table (DHT) used by BitTorrent clients to find peers via the BitTorrent protocol." It also says "The SHA-1 hash of a torrent, the infohash, is synonymous with a Kademlia key, which is used for finding peers (values) in the overlay network. To find peers in a swarm, a node sends a get_peers query with the infohash as key (equivalent to a Kademlia FIND_VALUE) to the closest known nodes (with respect to the key distance)." So, if we can figure out what the "info hash" is, we can Google the hash (according to the previously referenced article) and get the file name.
We use the Wireshark search feature to search packet bytes, narrow & wide, for the string info_hash. For example, we find the hash 17d62de1495d4404f6fb385bdfd7ead5c897ea22, which is not the file we want since it doesn't end in .iso. Luckily, at the end of the file we see the same hex characters after the info_hash:
From this hex-ASCII dump, we see that the info hash is e2467cbf021192c241367b892230dc1e05c0580e. Searching for this hash finds this page, which states that the name is ubuntu-19.10-desktop-amd64.iso. There are also references to that name from other pages in the Google search results. So we have found the flag.
Searching for "d1:ad2" online (the start of the packets we kept seeing) reveals that this is what a BitTorrent DHT payload begins with. We also find the DHT Protocol specification, which explains how the get_peers query that we observed works (notice the get_peers in the ASCII dumps).
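The DHT messages seen above are bencoded dictionaries, which is why each get_peers query starts with "d1:ad2" (dict, key "a", nested dict, key "id"). As an added example (not part of the original writeup), the following script decodes such a UDP payload and pulls out the info_hash as hex, which is what Wireshark did not do for us; the sample query is constructed by hand and carries the info hash found above.

```python
"""Decode a BitTorrent DHT (BEP 5) get_peers query and extract its info_hash."""
import binascii

def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder; returns (value, position after the value)."""
    c = data[pos:pos + 1]
    if c == b"i":                        # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                        # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                        # dict: d<key><value>...e, keys are byte strings
        d, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            d[key], pos = bdecode(data, pos)
        return d, pos + 1
    colon = data.index(b":", pos)        # byte string: <length>:<bytes>
    length = int(data[pos:colon])
    start = colon + 1
    return data[start:start + length], start + length

def extract_info_hash(payload: bytes):
    """Return the hex info_hash if payload is a DHT get_peers query, else None."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, IndexError):     # not bencoded (e.g. TLS or plain TCP data)
        return None
    if not isinstance(msg, dict) or msg.get(b"y") != b"q" or msg.get(b"q") != b"get_peers":
        return None
    args = msg.get(b"a")
    if not isinstance(args, dict):
        return None
    ih = args.get(b"info_hash")
    if not isinstance(ih, bytes) or len(ih) != 20:   # infohash is a raw SHA-1 (20 bytes)
        return None
    return binascii.hexlify(ih).decode()

# Constructed sample query (assumed node id of all 0x01 bytes) with the writeup's info hash.
SAMPLE_QUERY = (b"d1:ad2:id20:" + b"\x01" * 20
                + b"9:info_hash20:" + binascii.unhexlify("e2467cbf021192c241367b892230dc1e05c0580e")
                + b"e1:q9:get_peers1:t2:aa1:y1:qe")

if __name__ == "__main__":
    print(extract_info_hash(SAMPLE_QUERY))   # e2467cbf021192c241367b892230dc1e05c0580e
```

Feeding each UDP payload exported from Wireshark through extract_info_hash lists every infohash queried in the capture, so you can check them against a known-good index rather than eyeballing hex dumps.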
Flag
picoCTF{ubuntu-19.10-desktop-amd64.iso}