5G
5G
One of the challenge groups provided by the CISS CTF was related to 5G communication.
The wraith in the network
Our intelligence operatives have a captured flow (PCAP) of mystical communications between high-value targets using the PalantÃr Network. As they were transfering the captured flow, an enemy sorcerer modified the captured flow and managed to hide a subscriber in the AAA flow.
Your Mission: Analyze the captured flow, dissect the core mystical AAA protocols, then find this hidden subscriber that never existed within our sacred communication channels and decipher him.
Submit: CISS25
This challenge provided us with a PCAP file and the task to find a hidden subscriber in the AAA protocolls.
AAA protocols, which stand for Authentication, Authorization, and Accounting, are a set of standards used to manage and control access to network resources. Common protocolls include RADIUS, TACACS+ and Diameter.
For analyis we used Wireshark. The filter for RADIUS and TACACS+ brought no results so we searched only for diameter. This reduced the amount of frames from 5027 to 66. Next we filtered out all Watchdog commands with diameter.cmd.code != 280. Left are 12 frames with Push-Profile Answer and Request as well as Abort-Session. Now we are interessted in new subscribers. We can get frames with this information through filtering of the AVP code 443 diameter.avp.code == 443 (src. RFC).
With this the filter looks like diameter && diameter.cmd.code != 280 && diameter.avp.code == 443 and we have only two packages left. 
There are now two subscription IDs.
sip:5Y5_T3VW0R@ims.mnc001.mcc001.3gppnetwork.org
sip:+650000007@ims.mnc001.mcc001.3gppnetwork.org
With frame contains "650000007" we can check that the second ID is first seen in frame 1362.
The 5Y5_T3VW0R (frame contains "5Y5_T3VW0R") is first seen in the diameter frame 2731.
With this we have our hidden subscriber.
All that is left is to decipher him.
With the ceasar cipher we can shift by -4 or +22 (a to w) to get 5U5_P3RS0N.
CISS2025{5U5_P3RS0N}