forensics(galactic-connection): add challenge

forensics/galactic-connection/challenge.yml

@@ -0,0 +1,30 @@
+name: "Galactic Connection"
+author: "En3rRe"
+category: forensics
+
+description: |
+  An undercover Andromeda hacker was able to sneak in a Project Echo facility and sniff
+  some packets. Can you manage to get access to their galactic network?
+
+  Note: The flag is the domain the Project Echo agents are trying to access. To submit, remove ".com" and wrap it with "CCSC{}".
+
+value: 500
+type: dynamic
+extra:
+  initial: 500
+  minimum: 100
+  decay: 25
+
+flags:
+  - CCSC{wpa2_passwords_are_not_secure}
+
+tags:
+  - forensics
+  - easy
+
+# If challenge requires public files add here
+files:
+  - "public/galactic_connection.pcapng"
+
+state: visible
+version: "0.1"

forensics/galactic-connection/solution/README.md

@@ -0,0 +1,26 @@
+The challenge provides a pcapng file which contains a capture of a WPA2 handshake
+and some aditional traffic. The additional traffic contains an HTTP request trying to
+fetch a file at `/usr/share/wordlists/john.lst`, which hints that this wordlist should
+be used to crack the WPA2 password.
+
+To do this, we first need to convert the file from pcapng to pcap, which we can do using scapy:
+```
+from scapy.all import *
+scapy_cap = rdpcap('galactic_import.pcapng')
+wrpcap("wifi_traffic.pcap",scapy_cap)
+```
+
+Now we can crack the password using John the Ripper and aircrack-ng, by providing the john wordlist
+and asking John to use its default rules:
+
+```
+john --wordlist=/usr/share/wordlists/john.lst --rules --stdout | aircrack-ng -e CCSC -w - wifi_traffic.pcap
+```
+
+This reveals the WPA2 password, which we can use to decrypt the traffic and get the flag:
+```
+airdecap-ng -b 80:69:1A:81:FE:85 -e CCSC -p ChangeMe10 wifi_traffic.pcap
+```
+
+In the decrypted traffic we see a request for `wpa2_passwords_are_not_secure.com`,
+so the flag is `CCSC{wpa2_passwords_are_not_secure}`.