Background

As with home computers utilised for “server stuff”, I have a history when it comes to networking which goes a little bit further than that of the average Internet user.

My very first router, after moving to my own place, was an Asus RT-N66U. I think I struck gold with this purchase, because unknowingly I bought a router that put me on open source and modding early on in my life. I only ran the router as purchased for a couple of months after which I flashed it with Tomato¹. The main issue with this router was that it was too slow. The apartment I lived in had a 1 000/1 000 Mbps Internet connection, but the poor router would not push more than a couple of hundred Mbps. I don’t remember, but I doubt I got more than 250 Mbps over WiFi.

An upgrade was in order!

I already touched upon this upgrade in my previous post:

A couple of years later I built my first “home server” which mostly just acted as a router. I did however host a ZNC Bouncer and an OpenVPN Server.

More specifically, I built a Debian-based router on top of an Intel Celeron J1750 (IIRC). I don’t remember the specifications but I do remember that I powered it using a PicoPSU. Initially, I think I used the Asus router as an access point for WiFi, but I did install a network card with WiFi after a little while.

pfSense

In 2018 I had gotten tired of the Debian box.

After a lot of research I decided to build my own pfSense router. After additional research I decided that I did not want to build my own pfSense router and instead ended up buying a ready-made one. I did however not buy a Netgate router, but one based on a PC Engine APU2E4. I paired it with a Unifi AP AC Lite and that combo served me for more than five years with excellence.

I did not do much with respect to advanced network configuration, initially, but I did try both hosting VPN servers and routing all egress from my network via VPN just to see if it would work.² All in all, pfSense has worked very well for me. I know that there have been controversies concerning Netgate (and I have considered moving to both OPNSense and UniFi, more than once) but since I use pfSense professionally I have not been able to motivate myself to make the migration.

Levelling up

After adopting pfSense and UniFi I have been focusing less on the hardware/software aspects of my network and more on its configuration. In particular, this concerns separating devices that connect to my network into tiers and ensuring proper isolation of lower-tier (less secure/trusted) devices from higher tier ones. I achieve this predominantly using VLANs, mDNS and regular firewall rules.

I have also abandoned OpenVPN. I had a very quick encounter with WireGuard, but I was never really able to get it to work the way I wanted it to. Instead, I have migrated all of my VPN use cases to Tailscale. (You can read more about this migration in this post.)

Current Setup

As of January 2026, I’m still running pfSense on my router together with pretty much only UniFi networking equipment. The image below outlines its configuration (click it!).

The gist of my networking philosophy is to have one VLAN per use case. I also tend to number them such that a lower number indicates that the devices on that VLAN are more trustworthy. I must admit that this not really hold true for the setup above, because I trust 30-60 equally little :P Let’s say the rust is: 10 | 20 | <the rest>.

Each VLAN has its own /24 IPv4 range and I have split them such that the first 100 addresses are statically assigned, leaving the remaining addresses to be used for dynamic assignment via DHCP.

In addition to the above, I have two guiding lights that I try to keep in mind whenever I design a network:

(1) Difficult to shoot yourself in the foot

Above all, it should be difficult to do something that is outright bad!

There are two ways to connect to my network: (1) by plugging in a cable to a switch, and (2) by connecting to an SSID. I have RJ45 in pretty much every room in the house, but only the ones that are in active use are connected to my main switch. Additionally, only the ports on the switch that are in active use are enabled. This might sound like a pain to work with, but it forces me to be deliberate with every new device I plug in.

If it’s getting a cable, it needs a port, and the port needs to be enabled and configured accordingly.

Since I have distinct SSIDs for each WiFi network, the mental model is similar for wireless devices. Instead of connecting all devices to the same WiFi network and configure firewall rules for groups or specific devices, I can be sure that a new surveillance camera (connected to the surveillance WiFi) will absolutely not send any frames to anywhere.

(2) Observability

As mentioned earlier, each VLAN has its own IPv4 DHCP range and they are all coupled such that the third octet is the same as the VLAN ID. This makes log inspection significantly easier, because as soon as I see 10.1.30.xxx I know that I’m looking at a camera.

A remark, concerning hardware / software

A prerequisite for being able to manage a network like mine without going mad is to have a hardware and software stack that makes it easy to work with. As I wrote in the background section, I have been happily running pfSense + UniFi for more than five years and it has been working very well for me. There are a couple of things I dislike (like UniFi not allowing meshing if you have more than 4 SSIDs³) but overall I think it’s an excellent prosumer combo.

All networking equipment in my house lives on VLAN 1 and I use DHCP the same way on this VLAN as all the other ones.

If I were to start from scratch today, I would either go all in on UniFi or I would look into OPNSense. For my router that is. I still believe UniFi is the hands down best choice when it comes to switches. Having had a Zyxel managed switch (I used it together with the PC Engines router, for several years) I really, really, really, appreciate UniFi’s management tool. The Zyxel was dreadful.

Future improvements

I have mentioned it several times, but one last time: I would like to refactor my network such that I have fewer VLANs/SSIDs. Merging SURVEILLANCE and IOT_NO_INTERNET would be a good first start and it would allow me to enable UniFi Meshing. Merging IOT and GUEST is probably also feasible.

As my posts tend to be, this is another quite lengthy one. If you only care about my current setup, have a look at the Current Setup section.

Background

Back in 2011 I bought my first NAS, a Synology DS213j. (This scrawny little machine is still serving!) A couple of years later I built my first “home server” which mostly just acted as a router. I did however host a ZNC Bouncer and an OpenVPN Server. (I had Gbit Internet and the little 2 core, Intel J CPU, actually managed to provide almost 500Mbit both ways over VPN!)

One server to rule them all

The fall of 2014 I built my first real server. The purpose was to supersede the Synology NAS and build something reasonably “production grade”. (Albeit, as a second year university student, I was not familiar with the concept of production grade.) I did a lot of reading and listened to a lot of podcasts on the subject. At the time, I was a huge fan of the various Jupiter Broadcasting shows. In particular, I found the BSD Now podcast (then hosted by: Allan Jude) very fascinating. Persuaded by the BSD folks, I decided to go with FreeNAS (which would be renamed to TrueNAS Core in 2021) as my server OS.

I went all in on FreeNAS and BSD and hosted a handful of applications in jails. At some point I was unable to build some application for FreeBSD and struggled a lot with running Linux VM:s under FreeNAS to get Docker support. It worked, but it was not particularly pleasant. In 2016 the woman who would become my wife moved to Sweden, and in with me, meaning I now had an additional issue: Another user, who had uptime and availability expectations on the few services she enjoyed using (mostly Plex)… Safe to say, I was becoming more and more frustrated with FreeNAS as an “application hosting OS”.

A change of philosophy

About the same time as FreeNAS morphed into TrueNAS Core, I was really getting sick and tired of the poor Docker support in FreeNAS. I was also pushing my little server to its limit compute-wise. So I pulled the peripherals out of my gaming computer (running Ubuntu) and put it in the bookshelf next to the server. Since I had done a pretty good job creating unique datasets for my various applications, exposing them as NFS shares and mounting them on the gaming computer was not unbearably difficult.

Back then, I did this out of frustration and necessity. Today, I encourage everyone who wants to self-host to separate storage and compute. Doing so allows you to separate your concerns in a very nice way. You can use more purpose built tools to solve your respective problems and you can dimension your hardware more appropriately.

For instance, back in 2014 I ran FreeNAS on a USB drive (as was customary) but apart from doing two RMA:s on the PSU (Silverstone sure had some issues with their early SFX units) and migrating to a boot SSD a couple of years later, I am still using the same hardware today. When I hosted jails and VM:s under FreeNAS, my CPU and RAM utilisation would frequently be at capacity. Now, more than 10 years later, only serving NFS shares, my storage server is barely breaking a sweat.

Maybe the most important thing is that you can – if things really go south – unplug and nuke your compute machine without worrying about losing data!

Current setup

With the background out of the way, you probably (hopefully) understand why I have my homelab setup the way I do. Let’s have a look at what’s actually running in there.

Storage server

As mentioned earlier, my storage server has remained virtually unchanged for over 10 years. (I’m still running TrueNAS Core though. I should really take the time to upgrade to Scale.) I am extremely pleased with the Supermicro motherboard. IPMI is excellent and the four core C3558 CPU is perfect for my workload. I also really like the Silverstone case.

Parts:

• Case: Silverstone DS380
• Motherboard w/ integrated CPU: Supermicro A2SDi-4C-HLN4F
• RAM: 2x 8GB Samsung DDR4 ECC REG @2400MHz
• Boot: 120GB SSD
• PSU: Silverstone SST-ST45SF-G 450W

Initially, for storage, I used 4x 3TB but back in 2020 I upgraded to 4x 8TB. I run four disks in Raid-Z2, which might be a little bit unconventional, but with ZFS vdev expansion being a reasonably new thing, I’m looking forward to adding two more 8TB disks to my server in the near future.

A note on data integrity

I frequently talk to people who ask for advice building their first server or NAS. One common question is that of ECC memory: Is it worth it?

If you’re building a computer box for storing data that is important to you, I believe you should do whatever you can to protect that data.

• Setup your storage solution with parity to handle disk failures. They WILL happen!¹
• Use a file system that mitigates data corruption (such as ZFS).
• Use ECC memory to protect yourself from corruption when data is written from RAM to disk.
• Backup your data to a second physical location!

Compute server

The Ubuntu gaming computer has been the work horse of my homelab for several years. After re-purposing it from gaming to running Docker services, I sometimes contemplate replacing it with something more “server grade”, but since all data I care about lives on the TrueNAS machine I’m not too concerned.

Parts:

• Case: Fractal Design Era
• Motherboard: Gigabyte B450
• CPU: AMD Ryzen 5 3600 @3.6GHz
• GPU: Asus Radeon RX5500 XT 8GB
• RAM: 2x 16GB Corsair DDR4 @2666MHz
• PSU: EVGA SuperNOVA GM 450W

How I run my services

I run all of my services as Docker containers, managed using Docker Compose.² On the TrueNAS machine, I have one ZFS Pool which is divided into several datasets. (I don’t quite have a 1:1 mapping between dataset and service, but some day I might take the time to fix that.) The various datasets are then exposed as NFS Shares and mounted on the Ubuntu machine.

Some shares are mounted directly by Docker, such as my Nextcloud instance:

volumes:
  files:
    driver_opts:
      type: "nfs"
      o: "addr=truenas.home.arpa,rw"
      device: ":/mnt/volume1/nextcloud"

whereas some less critical services use a common bind mount:

services:
  frigate:
    volumes:
      - /mnt/container_volumes/frigate-runtime/:/media/frigate

Networking?

I have a quite elaborate network setup too. If you’re interested in another post , shoot me an email!

Some look at it in awe and believe it will solve most (if not all) of their application’s problems.

If the app does not scale under load: Use Kubernetes.
If the app cannot handle zero-down-time upgrades: Use Kubernetes.
If the team working on the app is too slow: Use Kubernetes!!

Others look at Kubernetes with a mix of disgust and fear.

Kubernetes is a huge beast of complexity.
Kubernetes requires an entire new operational skill set that most teams do not have.
Kubernetes is not even necessary!

What both sides tend to miss is not what Kubernetes is, but what it is for.

Kubernetes does not magically make applications scalable, resilient, or fast to change. Instead, it provides a powerful execution environment for applications that are already designed, built, and operated with those qualities in mind. This is why organisations migrating to Kubernetes should spend far less time debating YAML manifests and far more time asking how well their applications and teams adhere to the fundamentals of DevOps.

DevOps fundamentals

As I have said before:

DevOps is everything you need, technically and organisationally, to successfully manage the entire life cycle of your product.

By better understanding: Flow, Feedback and Continual Learning; the three fundamental principles that underpin the entire DevOps movement, we become better informed about all aspects of the Software Development Life Cycle (SDLC). As we grasp the importance of feedback we can understand why and how we gather and act upon information from our users. When we prioritise flow, we start to find – and remove – bottlenecks in our processes. Lastly, when we have a way of working where we feel comfortable making frequent changes to our products, we can start to experiment and continuously learn new things which will help us win the marketplace.

The best part? Your organisation can build on top of the three DevOps principles without even looking at Kubernetes. Here are just a few examples, organisational and technical:

1. Ensure there is a clear mapping between each development team and their output, meaning each team takes responsibility for the entire SDLC of the component, service, or application they develop.
2. Make your releases smaller and do them more frequently.
3. Visualise your work and ensure operational improvement is prioritised.
4. Automate. Automate. Automate! Declarative delivery and GitOps-style workflows do not require Kubernetes.
5. Build your application with observability and fault tolerance in mind.

Adhering to the above will yield a better product and as a bonus you are well positioned to migrate to Kubernetes, should the need arise.

What is Kubernetes, really?

Kubernetes is a container orchestrator. No more. No less. I don’t mean to sell Kubernetes short – it’s an amazing feat of engineering – but you must not be led astray.

Kubernetes helps you deploy an arbitrary number of containerised applications across an arbitrary number of nodes, according to arbitrary rules concerning resource utilisation. Kubernetes follows your arbitrary rules to scale up/down the number of application instances. Kubernetes even helps you roll out upgrades of your applications in different ways that ensures there is always at least one instance available. If you tell Kubernetes exactly how to handle your deployment, it will do so – completely automatically!

Arbitrary.

Kubernetes is an extremely competent rule engine, but you have to write the rules! You are responsible for taking everything arbitrary about your application and make it explicit. By better understanding how Kubernetes works, we can learn how to write these rules, but Kubernetes does not:

1. Tell you how the architecture for your application should look in order to handle zero-downtime upgrades, properly utilise scaling, or be more fault tolerant;
2. Help you implement the architecture;
3. Create or enforce any of the five examples I listed under DevOps fundamentals.

If you have five teams building a monolithic .NET application which is then handed over to a separate build team to be containerised and deployed in Kubernetes, you have gained absolutely nothing. On the contrary, you have added an enormous amount of complexity (i.e. Kubernetes) without attaining any benefits from the system.

If you have ever thought: “We need to use Kubernetes to solve <any of the issues above>”, you will be disappointed. The answer is not in Kubernetes itself.

Kubernetes as a mirror for your DevOps debt

Kubernetes does not introduce most of the problems organisations struggle with, but if you want to use Kubernetes properly you will inevitably be exposed to them.

Poor (or non-existing) Configuration as Code gets turned into poorly defined Kubernetes resources (the arbitrary rules are not specified properly for your application). Fragile deployment practices surface when rollouts require manual intervention and deployments reboot endlessly when applications are not built to handle statelessness. Not to mention troubleshooting when you rely on logs from a pod that continuously keeps rebooting.

These are all consequences of having a large DevOps debt.

Just like technical debt, DevOps debt is accumulated slowly. Manual processes that “work for now”. Releases that are large and far between, because doing them feels risky. Being OK with a way of working that relies on heroics. None of this breaks immediately. In fact, many of these patterns are actively rewarded in the short term.

If you start using Kubernetes, you will be made painfully aware of your DevOps debt.

So, should you use Kubernetes?

Maybe.

I really want to stress the importance of the DevOps fundamentals. You will not have a good time in Kubernetes if you fail to follow these principles. I don’t believe you will have a good time outside of Kubernetes either, but you will at least not be fighting your entire runtime environment.

If you are starting from scratch

If you have Kubernetes competence in your organisation and you foresee that you will benefit from the capabilities provided by Kubernetes, go for it! Greenfield development is lovely and you have the opportunity to build something properly cloud native. Just make sure you strike a good balance between: “Building the perfect Kubernetes application.” and “Building an application that your users want to use.”. It’s all too easy to get stuck in the weeds.

If you do not have Kubernetes competence or don’t intend to build an application that need its features, don’t bother. I would however recommend that you containerise your application. Doing so helps you think about interfaces, dependencies, building and deploying your applications early in your SDLC.

If you are migrating

Start with refactoring! If your application is currently composed of tightly coupled services, without clear interfaces, and code being inherited all over the place; start by fixing this. Create an application that can be containerised by its different components, then do the actual containerisation, then evaluate whether you can fix your issues without Kubernetes.

If you cannot – and only if you cannot – start migrating your newly containerised services to Kubernetes.

Kubernetes is not a shortcut to DevOps maturity. It is a very efficient way of discovering how much you are missing.

Product Owner: Hey, how long do you believe Feature F will take?

Developer: Idk. We haven’t even started working on it and it’s bound to stir up some old issues.

Estimates come in various disguises, but when you peek under the trench coat there is always the question:

"How long -- and using what amount of resources -- will be required to do X?"

When I wear the developer hat, it can be infuriating to attempt to give an answer. It’s difficult to estimate (or the product owner could do it themselves) and a lot of the time it can be difficult to see why the estimate is even important.

When I wear the product owner hat, estimates are a crucial piece of the puzzle that must be laid in an attempt to plan the short and long term life cycle of a product.

In this post I want to attempt to explore and elaborate on both sides, in an attempt to make developers understand why estimates are important to product owners and in order to help product owners see why developers so often despise having to estimate their work.

Why the PO wants you to estimate

As a Product Owner (PO), I am responsible for learning the market and customers’ needs and translating these into feature requests which developers can turn into actual features in our products. The means varies, but most organisations have some sort of backlog in which things to be acted upon are placed while they await being picked up by some developer or development team. We call these things user stories, issues, tickets, tasks, and probably many other things… The important thing for this discussion is that the items in the backlog are candidates for being implemented in our product and it’s the PO’s job to prioritise the backlog.

Why does the backlog need to be prioritised?

Because the inflow of items to the backlog is (pretty much always) higher than the speed at which the developers can implement them. Ergo, if the PO does not constantly learn the market and customers’ needs and prioritise the backlog accordingly, the developers might implement features that the users of the product are not interested in. Worst case? Existing users stop using the product and no new users buy it which will ultimately lead to bankruptcy.

But what about the estimates?

The above makes sense – I hope – but it doesn’t really pinpoint the need for estimates. Unfortunately, the job of a PO is not as easy as always prioritising in accordance to whatever the market wants. More often than not, the PO must also consider pre-communicated release dates and manage expectations.

I hate when release dates are communicated in advance. The only thing worse than release dates that are set in stone months ahead of time (I’m looking at you, Mr 12-week-increments-SAFe) are releases with pre-communicated content. Unfortunately, both are common. Often combined.

Imagine a backlog in which resides a really big feature. Something that is sought after, but will take a lot of time and resources to implement. The same backlog has a handful of smaller features which are not as requested as the big one. The PO would really like to include the big feature in the next release, but the next release date is not so far away. If the PO prioritises the big feature but it’s not done in time for the already communicated release date, the release will be severely lacking and considered a failure. In that case, the PO would rather include a couple of the smaller features. A safer bet, but the payoff is smaller.

THIS is why estimates matter so much to product owners. They must constantly run the above equation when they prioritise the teams’ backlogs. A constant risk/reward balancing act. They undoubtedly need help from the experts (the developers) to better understand the ramifications of the features they are proposing. If POs do not understand how big different work packages are, they cannot do their jobs in an effective way.

It gets worse

Instead of one PO there are now a couple of them. They are responsible for different parts of a larger product which requires the POs to coordinate both the date and the content of their releases. There is probably a main backlog describing upcoming features in the final product, as well as team backlogs where each team are assigned puzzle pieces which must be implemented and integrated in a coordinated fashion.

This is painful in multiple ways, but the most obvious issue is that – in order to have a functioning release – the POs must agree on the prioritisation of the main backlog and this will in turn affect the prioritisation of the team backlogs. The POs must each acquire information about how long it will take (and how costly it will be) to implement and to integrate the puzzle piece(s) they are responsible for into a cohesive feature. The tool for acquiring this idea?

Estimates.

Technical debt

Programming is a craft. An art. My art, to some extent. I’m in my happy place when I get to succumb to a tricky task and surface a couple of days later with a solution to a problem that initially seemed impossible. As a developer, I want to build the best possible product. I dislike shortcuts. Half-arsed solutions. Fixes. Not because a single shortcut or fix will destroy a product, but because the technical debt they incur will accumulate over time and eventually erode the product from the inside out; making it ever more difficult to work with it and ultimately cause it to break.

Technical debt is – I believe – the main reason for conflict between a PO and a development team. A not so technically inclined PO will fail to see how detrimental technical debt is to the product and how painful it is for the developers to work in a code base with a high amount of debt.

Put in other words: If I’m tasked with implementing a new feature and I come across something in the code that is obviously smelly, error prone, or just not very good, I want to leave the code in better shape than I found it. Not taking time to “payoff” such debt once might not be the end of the world, but the hard coded quick-fix that you know ought to be generalised will likely bite you down the road. And if you have ignored updating dependencies for a couple of months and find yourself in a situation where you need to upgrade Package 1, but it depends on a newer version of Packages 2 & 3, which in turn requires a framework upgrade… Let’s just say the feature you’re working on will take a while longer.

Why developers HATE estimates

When a PO asks: “How long will it take to implement Feature F?”, they aren’t just asking the developers to estimate the amount of time they think it will take to write the code for the feature. A good PO understands that implementing a new feature is an iterative process and that integration hell is a thing. An even better PO understands that they are also asking the team to estimate how many unforeseen issues they will encounter while implementing the feature.

This detail: The unforeseen issues, which the PO asks the developers to foresee, is key. It is – per definition – not possible to foresee something unforeseeable.

Many developers I’ve met dislike uncertainty. One of the things they appreciate most about coding is the deterministic aspect of it. You run the same program again and again and it returns the same results.¹ The journey on which we travel while writing the code is, however, not particularly deterministic.

It is true, that the more you code and the more familiar you get with a codebase, the more accurate your estimates will be. However, just the other day I was working on an issue which I had estimated would take approximately two days. All of a sudden, I realised that the simple change required updating a shared component that had been tightly coupled years ago. When I touched that code, dozens of failing tests appeared, each revealing another hidden dependency. Fixing those uncovered yet another module depending on outdated patterns. Halfway through, we decided we had to refactor the entire flow just to make the original change safe. My “two-day task” turned into two weeks of archaeological software excavation.

Could we have solved this quicker by not caring so much about the amount of technical debt we left in our wake? Probably.

Would we have encountered a two month excavation in the future? Probably.

It gets worse

According to Merriam-Webster: estimate is defined as:

To judge tentatively or approximately the value, worth, or significance of.

The very definition of estimates tells us that they are either tentative or approximate. As a developer, I choose to interpret the or as meaning that it could even be both.

When I started my career as a software developer, I really did not have an issue with estimates. We would refine our backlog and I would gladly give an estimate on various items. (1) Because I was fresh out of university and wanted to prove myself by doing a good job and not being too difficult, but more importantly: (2) because I had not understood that my estimates would soon be used against me.

I soon learned that my team’s estimates were not interpreted and used as estimates. They were used as deadlines. If we broke down a feature into its reasonable components (an error prone science, which introduces uncertainties, on its own) and estimated the parts accordingly, the PO would often take the sum of the parts and communicate it to their colleagues as: “This is the time we will be done.”

Two things came out of this:

1. My team (consisting mostly of newly graduated developers) became much more reluctant to estimate.
2. When we estimated we always padded our actual beliefs, significantly, to give ourselves a buffer.

The estimates stopped being estimates. They became safety railings against being held accountable for unreasonable expectations.

The clash

Do you see the problem?

Do you see a solution?

I believe the overarching problem with estimates stems from expectations. Somewhere, someone, communicates something to the users/customers of the product, which sets expectations the rest of the organisation are then forced to live up to. In a small company, it might very well be the PO who does that communication but in a larger organisation the PO is likely as helpless as the developers w.r.t. having a say about the product’s roadmap.

The “solution” is simple: Stop communicating new features in advance. Stop setting more or less arbitrary deadlines². Let the PO tell the developers what features they want, in what order, and let the developers do what they do best: Code!

But these deadlines are there for a reason. If your company builds a product which assists people doing their yearly tax returns, a missed delivery window will result in the entire revenue opportunity for that year being missed. Resources (most often in terms of salaries to employees) will have been poured into a project and if there’s no payoff in terms of additional sales, it could lead to a need for finding other ways to reclaim those resources; often in terms of reduced costs, which universally means: lay-offs.

Therefore, it’s in everyone’s best interest to play along. We play the estimates game even though it’s a bad way (but also the best we know of) to help each other do our respective jobs.

What about DevOps?

You didn’t think I’d miss an opportunity to talk about DevOps, did you?

Flow is a key concept within DevOps which describes an organisation’s ability to reduce bottlenecks and increase the pace at which they are able to deliver new versions of their product(s). High flow is synonymous with frequent deliveries and updates of our product(s).

The concepts from DevOps do not directly address the issue with estimates, but there are tools which can be used to reduce the risk associated with delivering software. Flow can inform how we tackle technical debt and how we make sure we don’t fall behind on our dependencies. Flow can also help us identify issues in our product’s life cycle as well as help us understand how to get rid of the issues.

Flow is one of The Three Ways in DevOps and if you want to learn more, feel free to reach out. I give presentations on various topics related to DevOps and I can come to your company and give a course about DevOps tailored to your company’s needs.

Conclusion

Estimates – as defined in the English language – isn’t really the problem here. The problem is when estimates are treated as predictions, deadlines, and used to put pressure on developers who are just trying to do their jobs. Estimates – the way they are used in our industry today – hurts people and reduces the psychological safety in our organisations. I believe we would be better off if we could work in a way that allows developers to be transparent and continuously communicate updated estimates as development progresses.

Then again, product owners are people too! As developers we must understand that POs are under pressure too. We must help them and the best way to help them is to continuously provide them with updates about how development is progressing and whether we have encountered anything that we believe will significantly alter the original estimate we gave.

The goal

Quoted from the CERT-SE site:

In the .zip file below is a network dump (PCAP) that contains a total of ten flags. All of these have the format ctf[string] or CTF[STRING].

Low hanging fruits

The lowest hanging fruit possible would be any plain text flags in the actual .pcap, so:

$> strings cert-se_ctf2025.pcap | rg -i 'ctf\['

ctf[strings_or_cat?]

We have flag: ctf[strings_or_cat?]

The file is corrupt?!

The very first thing I noticed when I opened the .pcap in Wireshark was an error message:

The capture file appears to be damaged or corrupt. (pcap: File has 16795209-byte packet, bigger than maximum of 262144)

I double checked that I had not done anything stupid when I downloaded the ZIP archive. Also, I found it very unlikely that CERT-SE would provide a broken .pcap by mistake. There must be a flag here.

Each packet in a .pcap starts with a 16-byte header (timestamp, captured length, original length). By walking through those headers and stopping when the captured length (incl_len) was larger than the mentioned maximum, I could pinpoint where parsing fails.

import sys, struct

with open(sys.argv[1], "rb") as f:
    gh = f.read(24)
    if len(gh) != 24:
        sys.exit("not a pcap (too short)")
    m = gh[:4]
    if   m == b"\xd4\xc3\xb2\xa1": end = "<"   # LE, usec
    elif m == b"\xa1\xb2\xc3\xd4": end = ">"   # BE, usec
    elif m == b"\x4d\x3c\xb2\xa1": end = "<"   # LE, nsec
    elif m == b"\xa1\xb2\x3c\x4d": end = ">"   # BE, nsec
    else: sys.exit("unknown magic")

    pkt = 0
    while True:
        off = f.tell()
        hdr = f.read(16)

        if len(hdr) < 16:
            print("EOF at packet", pkt)
            break

        ts_sec, ts_usec, incl, orig = struct.unpack(end + "IIII", hdr)

        if incl > 262144:
            print("Broken:", pkt)
            print("offset:", off, "incl_len:", incl, "orig_len:", orig)
            break

        f.seek(incl, 1)
        pkt += 1

Out the other end came:

$> python script.py cert-se_ctf2025.pcap

Broken: 3011
offset: 29102359 incl_len: 16795209 orig_len: 1207959809

So at byte 29 102 359 (package 3011) something starts that is not a regular 16 byte .pcap payload.

 $> dd if=cert-se_ctf2025.pcap bs=1 skip=29102359 count=16 2>/dev/null | xxd

00000000: ffd8 ffe0 0010 4a46 4946 0001 0101 0048  ......JFIF.....H

That is likely an image!!

I hoped for the best and went for it:

dd if=cert-se_ctf2025.pcap of=image.jpg bs=1 skip=29102359 status=none

and out the other came:

We have flag: ctf[carve_carve]

Following TCP Streams

My goto from last year (that I figured I’d try again this year) was to simply go through the various TCP streams in the .pcap.

TCP Stream 6

TCP Stream 6 contains some HTTP data. More precisely, an index.html file.

<!DOCTYPE html> 
<html lang=sv>
<head>
  <meta charset="utf-8"> 
  <meta name="viewport" content="width=device-width,initial-scale=1"> 
  <title>The sky above the port was the color of television, tuned to a dead channel.</title>
  <style>

  body {
      background-color: black;
      margin: 3em;
  }
  span {
      height: 1em;
      width: 1em;
      background-color: darkgreen;
      margin: 1px;
      padding: 0;
      display: inline-block;
      text-align: center;
  }

span:nth-of-type(10), span:n-th-of-type(1002), [... a lot of this]

{
    background-color: lightgreen;
}

</style>
</head>
<body>
  <span></span> <span></span> [a lot of this too]

A QR Code?

I don’t read fluent HTML so I just opened the file in my browser instead. The page showed boxes – many boxes – coloured light green and dark green respectively. My immediate idea was to zoom in/out until the boxes re-ordered themselves into a flag. Well, no luck.

Let’s dig deeper

The page also has a title:

The sky above the port was the color of television, tuned to a dead channel.

Which seems to be a quote from Neuromancer, by William Gibson.

Being born in the 90’s, a TV tuned to a dead channel would show “the war of the ants” (black and white, static). Hence, I believe I am actually on to something w.r.t. my QR Code above. At least, I believe, I should be working with the boxes as pixels/binary data.

All the ways to look at pixels

I wrote a Python script to generate as many permutations as I could think about.

• Different widths
• Inversions
• Rotations
• Use odd / even columns / rows in different ways

Nothing yielded an image with a clear CTF[ in it :(

• Think of the data as binary
• Maybe binary + compression?
• zlib
• gzip
• lz4

No bueno.

What about Morse code?

Nope.

Back to the index.html itself

What about looking at only the light green boxes? Is there something with their indices? There seems to be 1 471 light green boxes and 2 625 dark green boxes. 1 471 is prime – is that a hint?!

At this point I moved on.

TCP Stream 7

TCP Stream 7 seems to be the same session (is that the correct nomenclature?) as we saw in Stream 6, but instead of doing a GET of /index.html it’s a GET of /favicon.ico.

GET /favicon.ico HTTP/1.1
Host: 192.168.122.1:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept: image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.122.1:8000/index.html
Priority: u=6

HTTP/1.0 404 File not found
Server: SimpleHTTP/0.6 Python/3.12.3
Date: Thu, 25 Sep 2025 14:05:02 GMT
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 335

<!DOCTYPE HTML>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Error response</title>
    </head>
    <body>
        <h1>Error response</h1>
        <p>Error code: 404</p>
        <p>Message: File not found.</p>
        <p>Error code explanation: 404 - Nothing matches the given URI.</p>
    </body>
</html>

I don’t really know what to look for here.

TCP 8

TCP Stream 8 contains an email sent from CTF Tech Support to dear user Nessie, who needs help with her tabs! If we take a look at the data we can find Nessie’s plea for help:

From: hdesk@ctftechsupport.se
To: nessie@loch.com
Subject: RE: I LOST MY TABS??? [Ticket#478291]

--===============0296359107785540648==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Dear Nessie! I have recovered your beloved tabs and you should be able to resume your work,
whatever you are doing. See attachment and follow the guide I gave to you by the dock earlier today.
--===============0296359107785540648==
Content-Type: application/octet-stream
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sessionstore.jsonlz4"
Content-Type: application/octet-stream

bW96THo0MADWUgAA8AF7InZlcnNpb24iOlsic2VzCwDyDXJlc3RvcmUiLDFdLCJ3aW5kb3dzIjpb
eyJ0YWIJAGJlbnRyaWUMAPR9dXJsIjoiYWJvdXQ6aG9tZSIsInRpdGxlIjoiTmV3IFRhYiIsImNh
...

The issue at hand seems simple enough: Decode the base64 encoded text and decompress with LZ4. Out the other ends come browser tab data:

{
  "version": [
    "sessionrestore",
    1
  ],
  "windows": [
    {
      "tabs": [
        {
          "entries": [
            {
              "url": "https://cert.se/#16n4[2t",
              "title": "CERT-SE - Sveriges nationella CSIRT",
              "cacheKey": 0,
              "ID": 15,
              "docshellUUID": "{abcd136f-fad2-46b9-a387-683841f7043b}",
              "referrerInfo": "BBoSnxDOS9qmDeAnom1e0AAAAAAAAAAAwAAAAAAAAEYAAAAAAAAAAAABAQAAAAABAA==",
              "originalURI": "http://cert.se/#16n4[2t",
              "resultPrincipalURI": "https://cert.se/#16n4[2t",
              "loadReplace": true,
              "loadReplace2": true,
              "contentType": "text/html",
              "principalToInherit_base64": "{\"0\":{\"0\":\"moz-nullprincipal:{228b1ff6-8da2-4570-baf6-aaee44c51321}?http://cert.se\"}}",
              "hasUserInteraction": false,
              "triggeringPrincipal_base64": "{\"3\":{}}",
              "docIdentifier": 17,
              "transient": false
            }
          ],
          "lastAccessed": 1758129005308,
          "hidden": false,
          "searchMode": null,
          "userContextId": 0,
          "attributes": {},
          "index": 2,
          "requestedIndex": 0,
          "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAo0lEQVQ4je2TsQ3CMBBF3zFBPAEL4UyQxlvRUSHRh54lWIAmbU6hI1JMgWPZSoTijoJf2b73nyxZFu89AHo1n8XGVIdeAHYlpbX8Bb8meBX0IpsK7gWCyKaCS4EgsqngCHQbyl1gc4Gx+gQaYPxSHoEmsIsbYKzeAAdMK+UJcIGJWTyjsXoGamBIjgegDrMsMn9nEckGfVvtgVPYOmP1kc7n3hthhC5vh/jF6AAAAABJRU5ErkJggg=="
        },
        {
          "entries": [
            {
              "url": "about:newtab",
              "title": "New Tab",
              "cacheKey": 0,
              "ID": 16,
              "docshellUUID": "{260eaf8d-7661-45e2-b43d-b8e932daa87b}",
              "resultPrincipalURI": null,
              "hasUserInteraction": true,
              "triggeringPrincipal_base64": "{\"3\":{}}",
              "docIdentifier": 18,
              "transient": false
            },
            {
              "url": "https://cert.se/#13t1c3f",
              "title": "CERT-SE - Sveriges nationella CSIRT",
              "cacheKey": 0,
              "ID": 20,
              "docshellUUID": "{260eaf8d-7661-45e2-b43d-b8e932daa87b}",
              "referrerInfo": "BBoSnxDOS9qmDeAnom1e0AAAAAAAAAAAwAAAAAAAAEYAAAAAAAAAAAABAQAAAAABAA==",
              "originalURI": "http://cert.se/#13t1c3f",
              "resultPrincipalURI": "https://cert.se/#13t1c3f",
              "loadReplace": true,
              "loadReplace2": true,
              "contentType": "text/html",
              "principalToInherit_base64": "{\"0\":{\"0\":\"moz-nullprincipal:{c03e15bd-fdef-4036-8224-de4d2c6cdcff}?http://cert.se\"}}",
              "hasUserInteraction": false,
              "triggeringPrincipal_base64": "{\"3\":{}}",
              "docIdentifier": 24,
              "transient": false
            }
          ],
          "lastAccessed": 1758129009974,
          "hidden": false,
          "searchMode": null,
          "userContextId": 0,
          "attributes": {},
          "index": 2,
          "requestedIndex": 0,
          "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAo0lEQVQ4je2TsQ3CMBBF3zFBPAEL4UyQxlvRUSHRh54lWIAmbU6hI1JMgWPZSoTijoJf2b73nyxZFu89AHo1n8XGVIdeAHYlpbX8Bb8meBX0IpsK7gWCyKaCS4EgsqngCHQbyl1gc4Gx+gQaYPxSHoEmsIsbYKzeAAdMK+UJcIGJWTyjsXoGamBIjgegDrMsMn9nEckGfVvtgVPYOmP1kc7n3hthhC5vh/jF6AAAAABJRU5ErkJggg=="
        },
 <REDACTED DATA - there were a lot more of the same>
}

In this JSON blob there are several tabs for various cert.se domains, each with its unique little snippet appended to the URL. In the truncated output above the URL https://cert.se/#16n4[2t can be found. Let’s start by extracting all those snippets.

$> rg -o 'https://cert\.se[^" ]*' out.decoded | uniq | cut -d'#' -f2
16n4[2t
13t1c3f
17]12c5r
6e8u11e
15o7s9r
10r14i

Inspecting the snippets they seem to be indices. They go from 1 to 17 and each number is always succeeded by a character.

16: n
4: [
2: t
13: t
1: c
3: f
17: ]
12: c
5: r
6: e
8: u
11: e
15: o
7: s
9: r
10: r
14: i

Order the characters according to their index, aaaaand:

We have flag: ctf[resurrection]

TCP Stream 9

TCP Stream 9 is a connection between the same two hosts as we saw in TCP Stream 6 and 7. This time, we’re doing a GET towards /CERT-SE.jpg and we can just fetch the image straight from the body of the response.

This is an English version of the same image we got from the corrupted part of the .pcap. Surely the ctf[ bunch of pixels ] must be a clue that there’s a flag to be found here?

The slightly tinted, yellow(?) box, with all the coloured pixels contains three rows with [3×20, 3×20, 3×2] pixels respectively.

Throw everything at it

I tried a couple of different things on the file itself, because I did not want to tackle the colour code thingymajing:

$> strings CERT-SE.jpg | rg -i ctf

no output

$> xxd CERT-SE.jpg | rg -i ctf -A 5 -B 5

0003f480: c398 0088 11f0 88db a7cc 7b9f 7e32 7f9c  ..........{.~2..
0003f490: 74ab 93ab 8333 b349 b0fa fe57 7eed c40b  t....3.I...W~...
0003f4a0: 87e4 6c2a cf71 a592 b2ef afb4 0281 3113  ..l*.q........1.
0003f4b0: db78 8dbc cb78 8bc5 6629 de5f 6366 2a5a  .x...x..f)._cf*Z
0003f4c0: 7d37 1a66 638d 5e51 5cd6 e15b 623b 3708  }7.fc.^Q\..[b;7.
0003f4d0: 9c43 5446 a3dd 6651 3f31 ee7d f8c9 fe71  .CTF..fQ?1.}...q   <-- It says CTF here, but I don't think that's important
0003f4e0: d3e6 3dcf bf19 3fce 3a7c c7b9 f7e3 27f9  ..=...?.:|....'.
0003f4f0: c74f 98f7 3efc 64ff 0038 e88b 2382 6b4a  .O..>.d..8..#.kJ
0003f500: bb41 a2bb 392c 858a e64b 2e21 1721 8f95  .A..9,...K.!.!..
0003f510: b95b c77d 4d12 5b23 bac1 2099 8981 1881  .[.}M.[#.. .....
0003f520: 1188 8888 8da2 2239 4444 4784 4799 6693  ......"9DDG.G.f.

$> binwalk CERT-SE.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

The slightly less lazy approach

Then I surrendered and started to look at the colourful grid. Unfortunately, the encoded/coloured area does not include ctf[], meaning we cannot leverage a known crib for decoding…

My initial idea was that each column corresponds to a character. That is, red pink blue would be the first character, then green yellow light-blue, etc. I created a colour map accordingly:

Using this table for decoding the pixels yields the following:

1 2 3 4 4 5 3 2 1 2 4 5 4 5 4 5 2 3 1 2
6 3 4 6 6 1 4 5 3 4 6 1 3 6 6 3 1 4 3 4
4 5 2 1 2 3 6 1 6 5 2 3 1 2 1 2 5 6 6 5

5 6 6 1 1 2 1 2 1 2 2 3 3 4 6 1 3 2 1 2
1 4 2 3 3 6 3 4 6 3 4 1 2 5 2 3 4 5 3 4
2 3 4 5 4 5 6 5 4 5 5 6 6 1 4 5 6 1 6 5

4 5
6 3
1 2

An initial idea is that the triplet 2 4 5 is the space character (because it’s frequent and reasonably spaced). Meaning that the above can be rewritten as:

1 2 3 4 4 5 3 2 1  4 5 4 5 4 5 2 3 1  5 6 6 1 1 2 1  1 2  3 3 4 6 1 3 2 1  4 5
6 3 4 6 6 1 4 5 3  6 1 3 6 6 3 1 4 3  1 4 2 3 3 6 3  6 3  1 2 5 2 3 4 5 3  6 3
4 5 2 1 2 3 6 1 6  2 3 1 2 1 2 5 6 6  2 3 4 5 4 5 6  4 5  6 6 1 4 5 6 1 6  1 2

Which in turn would result in a six word flag, each word with these numbers of characters respectively: 9 chars + 9 chars + 7 chars + 2 chars + 8 chars + 2 chars. At this point though, I’m not quite sure how to proceed. Frequency analysis? The number of characters in four of the words are high, so maybe that’s advantageous?

TCP 10

In TCP 10 Stream 10 we find Nessie again – poor soul.

From: m.a.wetherell@duke.com
To: nessie@loch.com
Subject: Lost your SD card?

--===============7889887308178902226==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Dear Nessie! When I was filming a movie I found a SD card near the Loch Ness.
There was some inscription with your email so I am sending you the data extracted
from the SD card. I hope everything is intact. Regards, Marmaduke

--===============7889887308178902226==
Content-Type: application/octet-stream
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="PHOTOS.img"
Content-Type: application/octet-stream

6zyQbWtmcy5mYXQAAgQEAAIAAgCg+CgAIABAAAAIAAAAAAAAgAEp0Wb5qlBIT1RPUyAgICAgRkFU
MTYgICAOH75bfKwiwHQLVrQOuwcAzRBe6/Ay5M0WzRnr/lRoaXMgaXMgbm90IGEgYm9vdGFibGUg

Seems to be base64 encoded data from an SD card.

$> base64 -d out.b64 > out.img

$> file out.img
out.img: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "mkfs.fat",
  sectors/cluster 4, reserved sectors 4, root entries 512, sectors 40960 (volumes <=32 MB),
  Media descriptor 0xf8, sectors/FAT 40, sectors/track 32, heads 64, hidden sectors 2048,
  reserved 0x1, serial number 0xaaf966d1, label: "PHOTOS     ", FAT (16 bit)

$> binwalk -e out.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
61440         0xF000          PNG image, 819 x 1227, 8-bit/color RGBA, non-interlaced
61481         0xF029          Zlib compressed data, default compression

Out the other end comes a directory and two files:

_out.img.extracted/
.rw-rw-r--    0 erik  5 Oct 13:00 F029
.rw-rw-r-- 1.2M erik  5 Oct 13:00 F029.zlib

Maybe I’m just miss understanding binwalk, but I would have expected a PNG image too… so I tried another approach:

$> binwalk --dd='png image:png' out.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
61440         0xF000          PNG image, 819 x 1227, 8-bit/color RGBA, non-interlaced
61481         0xF029          Zlib compressed data, default compression

This time I got the result I think(?) I expected.

$> ll _out.img-0.extracted/
.rw-rw-r-- 1.2M erik  5 Oct 13:07 F000.png
.rw-rw-r--    0 erik  5 Oct 13:07 F029
.rw-rw-r-- 1.2M erik  5 Oct 13:07 F029.zlib

Opening the image we see a cute Loch Ness monster(?), but the image seems a little bit broken.

binwalk worked before, so let’s try again:

$> binwalk -e _out.img-0.extracted/F000.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 819 x 1227, 8-bit/color RGBA, non-interlaced
41            0x29            Zlib compressed data, default compression

$> ll _out.img-0.extracted/_F000.png.extracted/
.rw-rw-r--    0 erik  5 Oct 13:12 29
.rw-rw-r-- 1.2M erik  5 Oct 13:12 29.zlib

It’s the same size as before (1.2M) which leads me to believe we’re just looping around on the same data. I don’t really know though.

TCP 11

This stream contained a file called monstrum_piscis_tres containing 420 lines of data which just looks like garbage:

/+NIxAAAAAAAAAAAAFhpbmcAAAAPAAAA+wAAXWAABggLDhASFBYYHCAiIyYoLC40NTg5PUFFR0lK
TU5UVVhZXF1iZWdpa21xdHZ4en6Cg4aIio6Rk5WXmJucoaOmp6qtsbO1t7m8wMHDxcfKzc7R0tXX
...
VVVVVVVV/+MYxMQAAANIAcAAAFVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVV

Monstrum Piscis Tres -> MP3

$> tr -d '\n' < blob.txt | base64 -d > monstrum_piscis_tres.mp3

$> file monstrum_piscis_tres.mp3
monstrum_piscis_tres.mp3: MPEG ADTS, layer III,  v2.5,  32 kbps, 8 kHz, Monaural

Playing back the file you hear a beep and something in the background.

I used SoX to create a spectogram of the file:

The spectogram clearly shows that there’s a constant tone at 1kHz. I used ffmpeg to remove the constant tone:

$> ffmpeg -i monstrum_piscis_tres.mp3 -af "equalizer=f=1000:width_type=h:width=100:g=-60" no1k.wav

Playing back this file, it’s quite clear that someone is saying something. The voice has that obvious “speaking backwards” sound though, so:

$> ffmpeg -i no1k.wav -af areverse reversed.wav

Playing this back we can hear that someone is reading:

I N K <pause> E M W <pause> 2 G J F J U Q X J A

This matches the Base32 alphabet:

$> echo -n 'INKEMW2GJFJUQXJA' | base32 --decode

CTF[FISH]

We have flag: CTF[FISH]

TCP 12 - 16

TCP Stream 12 shows some communication with an FTP Server. From the succeeding streams it’s possible to extract two files:

ctf.txt

ctf.txt contains these sentences:

If you take the filename excluding the file extension, three letters you know, you have the start of the flag as you know. Maybe you can take, uhm, the last two words in the fourth sentence and make a flag of that, do not forget the characters [] surrounding the flag. You do not have to insert anything between the two words.

Let’s break this down:

If you take the filename excluding the file extension, three letters you know, you have the start of the flag as you know.

This yields: ctf.

Maybe you can take, uhm, the last two words in the fourth sentence and make a flag of that,

This should be: a guess

do not forget the characters [] surrounding the flag. You do not have to insert anything between the two words.

We have flag: ctf[a guess] – I guess?

Ps: If anyone from CERT-SE reads this write-up. Per your recommendation, I tried just dumping the whole text into ChatGPT 5:

Can you find a flag on the format ctf[] or CTF[] in this text?

Capture the Flag (CTF) is more than just a competitive game. It’s a …

and the LLM returned:

Thought for 38s

ctf[a guess]

(From “ctf[” as the filename hint + the last two words of the 4th sentence: “a guess”.)

passwd_policy.txt

It is important to secure and protect our data. This is done using SUPERSECURE passwords. Lucky for us, we have gotten hold of a great password list. The policy is as following:

1. Always use passwords from our password list, “rockyou.txt”, you can find it online.
2. Do not alter the password from the list.
3. Never change your password.
4. The shorter the better, so you remember them.
5. Always add the flag format surrounding your password.
6. When you need to change your password, fill in the password reset form in the lobby of the building.

I’m not quite sure whether this is a red herring or something useful. If I come across an encrypted file, I guess I know where to get my passwords, but I have not found such a file yet.

Following the UDP Streams

Alongside the TCP streams there are 93 UDP streams. They were all quite short so I figured I’d see what ASCII data was extractable from them. I started by converting (is that the right word?) the UDP stream pcap-files to binary data:

mkdir -p streams
for f in *.pcap; do
  base="${f%.pcap}"
  tshark -r "$f" -Y udp -T fields -e data 2>/dev/null | sed '/^$/d' | while read -r h; do
    printf "%s" "$h" | xxd -r -p >> "streams/${base}.bin"
  done
done

and then I ran through all files and base64 decoded everything:

$> for i in $(seq 0 92); do
  f=streams/udp_stream_${i}.bin
  [ -s "$f" ] || continue
  base64 -d "$f" 2>/dev/null || true
  echo
done

space
5
3
2
2
enter
mouse_1
mouse_1
mouse_1
w
w
w
.
c
e
r
t
.
s
e
enter
mouse_1
scroll_dwn
mouse_1
scroll_dwn
mouse_2
ctrl
c
mouse_1
ctrl
v
mouse_1
c
t
f
[
k
e
y
l
o
g
_
o
v
e
r
_
u
d
p
]
enter
mouse_1
mouse_1
mouse_1
scroll_up
mouse_1
mouse_2
enter
n
e
s
s
i
e
space
i
s
space
n
o
t
space
a
space
m
o
n
s
t
e
r

Did you catch that?!

c
t
f
[
k
e
y
l
o
g
_
o
v
e
r
_
u
d
p
]

We have flag: ctf[keylog_over_udp]

I have carried this table in my mental hip pocket, always ready to show a doubting customer or team member how much time we can save if we automate a specific task.² However automation is not solely about saving time. I would even argue that the time saved by running an automation, instead of doing the automated tasks manually, is just a positive side effect of the automation.

The primary reason to automate something is not to save time, it is to codify knowledge and ensure reproducibility.

As an example, the table tells us the following:

• Frequency of task: Monthly
• Time shaved off task: 5 minutes
• Total time saved over 5 years: 5 hours

One could look at this and think: “As long as we believe we will do this task for the next five years and we spend less than five hours automating the task, it is worth doing.”, but I think that mindset is wrong. There is more to be gained! By automating a task, we create a step-by-step guide which tells a computer (and therefore us and our future colleagues) exactly how to perform the task. The code we write is unambiguous³, whereas most documentation I have read (and written) is not. In order for our automation to be useful, it must omit nothing; but authors of documentation frequently forget things or simply ignore to add steps they consider trivial.

Another important thing about the automation is that it – if written properly and executed regularly – will break and alert us that something about our target system has changed. Even the most well written runbook can become outdated and my experience is that ensuring all of our documentation in Confluence is still up to date and accurate, is an infrequent issue in most teams’ sprints.

The code is the documentation

I have always been a proponent of documentation. Having worked as a consultant the majority of my career, few things make me happier than a well functioning internal wiki, to kick start an assignment and getting up to speed. I am also really fond of writing documentation; leave me alone with draw.io and a markdown editor and I’ll be in my happy-place. Over time though, I have steered away from writing pure documentation (i.e., a separate text file describing a resource or process) and instead focused on trying to always incorporate the “documentation” into the resource itself.

In the light of the introduction of this post, I think the reason is obvious. If given the option, I will always choose to codify my knowledge in an executable format; because the code is truth.

I’m sure you have heard the phrase:

The code is the documentation.

You probably have an opinion about the phrase too.

I think there are developers who throw this phrase around simply because they dislike writing documentation, both as comments in their code but also as standalone documents. Maybe it’s out of laziness, incompetence, or they see the reasoning I lay out in this post and believe it’s reasonable to take it to its utmost extreme. I do not believe this extreme is reasonable. Most of the time, we shall not write code, leave it without comments, and expect our future selves and colleagues to understand it. At least not benefit from it fully.

However, I also think there are developers out there who has internalised the same conclusion as I have: It is very difficult (maybe even impossible) to write documentation that describes anything in a more exact and concise way than the source code itself already does. Therefore, any documentation we write must be well thought through, kept up to date, and describe why we chose to write a particular piece of code. There’s almost never any reason to describe what the code does.

What, when and how I document

To wrap up this post, I want to give a short list of kinds of documentation and how I use them.

Runbooks

The only time you should write a runbook is as a notes-document, the first time you step through a procedure. That way, when you automate the task you can reference your runbook before you delete it.

Naturally, only Sith deal in absolutes.

Way of Working documents

Early in my career I held a lot of scrum master/team lead positions. I also (therefore?) wrote a lot of documentation about different processes. My closest manager(s) did and the product owners usually did too. They usually loved them. Likely because they did not talk to the team every day, the documents became the window through which they tried to understand why the teams made certain decisions and worked in certain ways. PO:s in particular also loved to use the way-of-working documents in their argumentation when there was a disagreement.

Adherence to those documents from the team? Let’s just say it was not 100%.

What I have come to learn is that it’s futile to attempt to change ways of working by defining processes. Writing down the current ways of working is also just busy work, because it is close to impossible to describe all intricacies that goes on in a team on the daily. Should you succeed, the document is just a snapshot and ways of working are dynamic. It is bound to become outdated.

Source code

If your code achieves what it is meant to do, you should – within reason – not have to document what it does. However, it is certainly a good idea to spend quite a lot of time writing your code in a way that is understandable.

Programs must be written for people to read, and only incidentally for machines to execute.

– Harold Abelson (Structure and Interpretation of Computer Programs)

Once I have unlocked the “understandable and functional-code” achievement, I usually spend some extra time going over the code to see if it’s clear why I wrote the code in this way. I tend to err on the side of caution and comment a little bit more than what is necessary, but I think this is reasonable approach.

Architectural Decision Records (ADR:s)

Sometimes a team or organisation makes a decision that is worth remembering. Well, not only the decision itself, but the rationale behind the decision and also the consequences of making the decision. Adding a comment to a source code file is a bad idea, because it would probably result in a comment longer than the combined code in that file but also because it hides the decision in a stowed away file in a specific project.

The concept of Architectural Decision Records is a great way to document such decisions. I usually propose that ADR:s contain the following four headings:

Context

Decision

Rationale

Consequence

A pleasant side effect of this practice is that your aggregated ADR:s is likely to inform your team’s and/or organisation’s ways of working. For instance, in my current assignment, we write specific Team ADR:s to document decisions we have made about concepts, tools, or best practices. We keep these ADR:s in a dedicated repository and frequently reference them. When an ADR becomes outdated we update it and make it clear it is no longer to be adhered to, but we leave it in the repo and if there’s a new ADR replacing the old one we reference the new one.

Git

My opinion is that developers are usually not great at neither writing nor reading commit messages. If we utilise our commit messages to convey meaningful information about our commits – as opposed to just writing fix and add feature x – we can really help our future selves and our colleagues.

As I wrote earlier, if we write understandable source code and include comments that explains the context for particularly intricate pieces of code, that is good. We can improve on this further by adding more prose like explanations and motivations in the commit message.

I am a fan of Conventional Commits.

If you plug in a new UniFi device on your network and it does not show up for adoption in your UniFi Network Application UI, try switching the VLAN of the port in the upstream switch to be the same as the VLAN where you have your controller.

I am fairly sure I have been able to adopt devices using Default (1) as the setting on the switch, but I recently bought a couple of USW-Flex-2.5G-5 switches as well as two U7-Pro-Max to extend my lab for work and the first switch refused to show up under UniFi Devices. When I switched the upstream switch’s port to the same VLAN as where I run my Home Assistance instance (which in turn hosts my UniFi Network Application) it showed up straight away.

Once the device has been adopted (and potentially updated) you can switch it to whichever VLAN you want.

pfSense + OpenVPN & Wireguard

Since a couple of years back, I’m running pfSense² and when I setup my first pfSense box I naturally deployed an OpenVPN Server to go with it. Certificate based auth was just a couple of clicks away and the service has been serving my household very well for several years. I did dabble a little bit with Wireguard too, but truth be told I never really got it to work the way I wanted it to.

Tailscale as a mesh network

A couple of years ago, I first heard about Tailscale. I figured it seemed like a nice product, but I didn’t really have a need for such a solution at the time. This all changed when I wanted to have a NAS at my mother’s place to act as an off-site backup. Her crappy, ISP-provided, little router/firewall/switch combo-box did not have the possibility to run a VPN Server. I also doubt her ISP would provide a public IP for her. Lastly, even if both of these assumptions proved to be incorrect, I would not want to setup port forwarding in her firewall.

Well….

I started to look into Tailscale a little bit more and found that it was perfectly suited for this use case. I sat down to install Tailscale on the NAS and on my laptop, deployed a simple Allow all ACL configuration, and they could talk within minutes. I joined my phone and all three devices were now able to talk to each other as if they were on the same LAN.

Sweet.

Tailscale as a regular VPN

Tailscale solved the problem:

How should I be able to communicate with a device which is not really accessible over the public Internet?

but I still ran my OpenVPN Server in parallel for a long time (years), simply because I wasn’t sure whether Tailscale would be able to satisfy my other VPN-needs.

Until this past weekend.

I did some more reading and learned about two critical features for me:

1. Subnet routers
2. Exit nodes

The former let you extend your Tailscale network (known as a tailnet) to include devices that don’t or can’t run the Tailscale client, and the latter can be used to tell your device to route all traffic through your tailnet – not only the traffic that is going between Tailscale-adopted devices.

My Tailscale configuration

In pfSense, I have installed the Tailscale package and configured it s.t. it offers to be an exit node and advertises routes. More specifically, I have advertised the subnet corresponding to the VLAN where I have the things I want to be able to connect to as well as /32-CIDR which points at the IP of my reverse proxy. I have also enabled both Accept DNS and Accept Subnet Routes.

On the Tailscale side I have the following grants:

{
 "grants": [
    // Allow admin-devices to reach everything
    {
      "src": ["tag:admin-devices"],
      "dst": ["*"],
      "ip": ["*"]
    },

    // Allow family-devices to reach HA Proxy VIP
    {
      "src": ["tag:family-devices"],
      "dst": ["10.10.11.1/32"],
      "ip": ["*:80", "*:443"]
    },

    // Allow admins and family members to use Tailscale as an exit node
    {
      "src": ["tag:admin-devices", "tag:family-devices"],
      "dst": ["autogroup:internet"],
      "ip": ["*"]
    },

    // Grant access to Synology NAS @ mom's
    {
      "src": ["tag:admin-devices", "tag:pfsense"],
      "dst": ["tag:synology-mom"],
      "ip": ["*"]
    }
  ]
}

NOTE: The last grant, paired with a NAT rule in pfSense, allows devices on specific IP:s to communicate directly with the off-site NAS even though they do not have Tailscale installed on them. Very convenient.

All in all, my configuration has proven itself over the past week and I have disabled my OpenVPN Server. My only complaint thusfar is that the Tailscale iOS client is quite the battery drainer, so the VPN On Demand feature isn’t really useful.

Start

First thing I did was to check for anything readable in the provided .pcap:

strings CERT-SE_CTF2024.pcap | less

and I quickly found an IRC conversation! Super fun, especially since I use IRC on a daily basis. I noticed that the IRC conversation was between two users (An4lys3r and D3f3nd3r) and by filtering the output based on users’ IPs I was able to get something quite readable.

Extracting the IRC conversation

strings CERT-SE_CTF2024.pcap | grep '@10.0.0.' | less

I have trimmed some excessive data to make the conversation more readable.

:irc.ctf.alt 001 D3f3nd3r :Welcome to the Internet Relay Network D3f3nd3r!~user1@10.0.0.20
L:D3f3nd3r!~user1@10.0.0.20 JOIN :#emergency
:irc.ctf.alt 001 An4lys3r :Welcome to the Internet Relay Network An4lys3r!~user1@10.0.0.10
:An4lys3r!~user1@10.0.0.10 JOIN :#emergency
n:An4lys3r!~user1@10.0.0.10 JOIN :#emergency
D3f3nd3r :hello
An4lys3r :aaaah, at last, it's working!
D3f3nd3r :well done setting up the emergency environment so fast!
An4lys3r :Thanks. I'm glad we did a test run a couple of months ago
D3f3nd3r :Yes, I agree
An4lys3r :So what do we know so far, why is our production environment not accessible
D3f3nd3r :Well, I'm in the data center now and the consoles I managed to look at is showing a ransom note.....
An4lys3r :so it's that bad
D3f3nd3r :yup
An4lys3r :Have you found any clue to what group and ransom strain is used, if we are lucky enough there is a free decryptor available
D3f3nd3r :I would not bet on it, but I'll transfer the ransom note to you shortly.
D3f3nd3r :SHA-256 checksum for /home/user/emergency_net/DCC/RANSOM_NOTE.gz (remote): 7113f236b43d1672d881c6993a8a582691ed4beb4c7d49befbceb1fddfb14909
An4lys3r :Thanks, I'll have a look.
D3f3nd3r :I managed to access our FPC system and it looks like it is untouched. I will try carving out pcaps from days / weeks before the encryption started from different segments.
An4lys3r :good, put them on the ftp, I'll have a look at that later.
D3f3nd3r :by the way, Christine came by and handed me a disk image from one of the clients, see if they left any clues on disk. I'll upload it to the ftp shortly.
An4lys3r :We totally need external help, restoring and investigating this incident will be a massive task. You don't happen to have the contact info to Allsafe, I think our rep is called Elliot?
D3f3nd3r :Agree, I already called them in. He is here now sharing some interesting stuff.
D3f3nd3r :They picked up some info on a closed forum regarding our situation, someone posted a WORDLIST scraped from our public website. And they where ranting about recording network traffic from a windows workstation called CTF-PC01. I'll upload the file to the ftp.
D3f3nd3r :He also handed over a strange looking string CTF[E65D46AD10F92508F500944B53168930], does it make sense to you?
An4lys3r :not really, but why don't you ask john?
D3f3nd3r :Alright, I'll see what I can do with it.
An4lys3r :To keep in mind, he also mention they have intel about a suspicious IP address involved in C2 and exfiltration activities lately, the IP is 195.200.72.82

Flag in IRC conversation

Looking at the IRC conversation above, the first flag was right there.

Flag: CTF[E65D46AD10F92508F500944B53168930]

Flag in .pcap

While using strings I tried to just grep for more flags:

$> strings ../CERT-SE_CTF2024.pcap | grep 'CTF\['
7PASS CTF[AES128]
!PASS CTF[AES128]
W_PRIVMSG #emergency :He also handed over a strange looking string CTF[E65D46AD10F92508F500944B53168930], does it make sense to you?
r:D3f3nd3r!~user1@10.0.0.20 PRIVMSG #emergency :He also handed over a strange looking string CTF[E65D46AD10F92508F500944B53168930], does it make sense to you?

Idk if this is too obvious, but the instructions from Cert say flags should have the format CTF[...], so…

Flag: CTF[AES128]

Flag in RANSOME_NOTE.gz (DCC)

In their IRC conversation, the users talk about a file RANSOM_NOTE.gz which they have apparently received from the hackers. For some reason they opted to send this using DCC instead of using the FTP-server they’ll be using throughout the rest of their conversation :p

By grepping for DCC in the .pcap I was able to find the initialisation message:

DCC SEND RANSOM_NOTE.gz 167772170 40899 95285 221

The above contains the integer representation of the IP address (167772170 -> 10.0.0.10) and the port being used for the transfer (40899). The documentation does not mention the last two numbers that is part of the message, but I presume they are the size of the transfer (95285) and maybe the block size used(?).

I opened up Wireshark and filtered accordingly:

ip.addr == 10.0.0.10 && tcp.port == 40899

whereafter I right-clicked on the first package in the list, chose Follow -> TCP Stream, made sure to go to the bottom left of the dialogue and choose only one side of the conversation (the one that is 95kB), choose Show data as Raw and then save the data to a file called RANSOM_NOTE.gz.

The IRC conversation kindly contains the sha256sum for the ransom note and I was able to verify that my file had the same hash: 7113f236b43d1672d881c6993a8a582691ed4beb4c7d49befbceb1fddfb14909.

After decompressing the file:

gunzip RANSOM_NOTE.gz

I got a 279943 byte large text file, starting like this:

CCCCCCCCCCCTCCCCCFCCCCC[CCCCCOCCCCCRCCCCTCCCCCTTCCCCTFCCCCT[CCCCTOCCCCTRCCCCFCCCCCFTCCCCFFCCCCF[CCCCFOCCCCFRCCCC[CCCCC[TCCCC[FCCCC[[CCCC

I tried a handful of different things to no avail, but after talking a little bit to a friend he said there was only one ] in the entire file (something I thought I had already checked) and because of this I tested to just grep for flags:

$> grep -o -E 'CTF\[[a-zA-Z0-9]*\]' ransom_note
CTF[OR]

I felt so stupid. I really thought I checked this one.

Flag: CTF[OR]

FTP Files in original .pcap

In the IRC conversation we can see multiple references to files being uploaded to an FTP server. By filtering on ftp in Wireshark we can practically follow the progress of all of these files (gotta love encryption, right?).

I show the entire communication for file 1, below, but for the other files I have only included the relevant parts.

$> tshark -r CERT-SE_CTF2024.pcap -Y "ftp" -T fields -e _ws.col.Info

-- file 1 --

Response: 220 INetSim FTP Service ready.
Request: USER anonymous
Response: 331 Please specify the password.
Request: PASS NcFTP@
Response: 230 Login successful.
Request: PWD
Response: 257 "/"
Request: FEAT
Response: 500 Unknown command.
Request: HELP SITE
Response: 214-The following commands are recognized.
Response:  ABOR CDUP CWD  DELE HELP LIST MKD  MODE
Request: CLNT NcFTPPut 3.2.6 linux-x86_64-libc5
Response: 500 Unknown command.
Request: CWD /
Response: 250 Directory successfully changed.
Request: TYPE I
Response: 200 Switching to BINARY mode.
Request: SIZE corp_net1.pcap
Response: 500 Unknown command.
Request: PORT 10,0,0,20,143,63
Response: 200 PORT command successful.
Request: STOR corp_net1.pcap
Response: 150 Ok to send data.
Response: 226 File receive OK.
Request: MDTM 20240904045628 corp_net1.pcap
Response: 500 Unknown command.
Request: QUIT
Response: 221 Goodbye.

-- file 2 --

Response: 220 INetSim FTP Service ready.
Request: SIZE corp_net2.pcap
Request: PORT 10,0,0,20,151,169

-- file 3 --

Request: SIZE disk1.img.gz
Request: PORT 10,0,0,20,228,239

-- file 4 --

Request: SIZE WORDLIST.txt
Request: PORT 10,0,0,20,146,93

The approach for fetching the content of each file is the same:

1. Find the IP:port being used, which in this case is 10.0.0.20 followed by <first integer> * 256 + <second integer>. For the first file the port is: 143 * 256 + 63 = 36 671.

2. Use Wireshark the same way we got the DCC file:

   • Follow
   • TCP Stream
   • Choose one side of the communication
   • Save Raw data

corp_net1.pcap (from FTP in original .pcap)

Let’s have a look at the content.

I used the same approach for this .pcap as I did for the first one: strings. After quickly scanning through the file I noticed more FTP traffic. More specifically, this (truncated):

$> tshark -r corp_net1.pcap -Y "ftp" -T fields -e _ws.col.Info

Request: SIZE puzzle.exe
Request: PORT 192,168,137,28,136,69

Request: SIZE Recycle-Bin.zip
Request: PORT 192,168,137,28,199,239

Request: SIZE archive
Request: PORT 192,168,137,28,206,7

As before, I retrieved the files by following the TCP Streams.

Flag in DNS traffic (in corp_net1.pcap)

I scrolled to the bottom of the file and saw some funny looking DNS traffic. In particular, a bunch of packages containing the word OPT.

[…] EDNS adds information to DNS messages in the form of pseudo-Resource Records (“pseudo-RR”s) included in the “additional data” section of a DNS message. Note that this section exists in both requests and responses.

EDNS introduces a single pseudo-RR type: OPT.

As pseudo-RRs, OPT type RRs never appear in any zone file; they exist only in messages, fabricated by the DNS participants.

Wikipedia: Extension Mechanisms for DNS

Well, maybe there’s something there:

$> tshark -r corp_net1.pcap -Y "dns.opt" -T fields -e dns.qry.name

RFIE4RYNBINAUAAAAAGUSSCEKIAAAAUAAAAADYAIAIAAAAF2
WNF3GAAAAABXGQSJKQEAQCG34FH6
AAAABOKUSRCBKR4NV3O
[a bunch of more rows]
AC
BQAAEDAABAAAAOAAAA4AAABQAAQMAABAYAFU6ELWSNASK
RT5R57UAAAAAACJIVHEJLSCMCBA====

At first, I got very excited. It’s Base64!!! But Base64 can never have more than two equal signs for padding :(

What about Base32 encoding?

Looking at the first line retrieved it seems like we’re onto something:

$> base32 --decode <<< RFIE4RYNBINAUAAAAAGUSSCEKIAAAAUAAAAADYAIAIAAAAF2
�PNG
�
IHDR��%    

Could there be an image hidden here?

$> while read -r line; do echo "$line" | base32 --decode >> image.png; done < opt_strings

base32: invalid input
base32: invalid input
base32: invalid input
[many more rows]

Hmm.

I manually tested the second row:

$> base64 --decode <<< WNF3GAAAAABXGQSJKQEAQCG34FH6                
X�wW�)@!��Q�%  

at least not an error… But the third line could not be decoded with either base32 nor base64.

Flag in puzzle.exe (from FTP in corp_net1.pcap)

A natural approach here would be to execute the program, but I don’t own a Windows PC….

Instead, the first thing I tried was to hexdump the file. The last segment of the dump showed this:

01239050  2e 2e 77 2e 2e 2e 3f 2e  2e 2e 37 2e 2e 2e 2e 38  |..w...?...7....8|
01239060  70 79 74 68 6f 6e 33 31  32 2e 64 6c 6c 2e 2e 2e  |python312.dll...|
01239070  2e 2e 2e 2e 2e 2e 2e 2e  2e 2e 2e 2e 2e 2e 2e 2e  |................|
*
012390a0

and

$> strings your_program.exe | grep -i pyinstaller

._pyi_main_co....Traceback is disabled via bootloader option.....PYINSTALLER_RESET_ENVIRONMENT...1......._PYI_ARCHIVE_FILE......._PYI_APPLICATION_HOME_DIR......._PYI_PARENT_PROCESS_LEVEL......._PYI_SPLASH_IPC.0.......Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s
.PYINSTALLER_STRICT_UNPACK_MODE..Failed to initialize security descriptor for temporary directory!
.....pyi-python-flag.Py_GIL_DISABLED.pyi-runtime-tmpdir......pyi-contents-directory..pyi-disable-windowed-traceback..PYINSTALLER_SUPPRESS_SPLASH_SCREEN......Failed to load splash screen resources!
.........Could not load PyInstaller's embedded PKG archive from the executable (%s)
.....Could not side-load PyInstaller's PKG archive from external file (%s)
.._pyinstaller_pyz........PYZ archive entry not found in the TOC!

indicates that the .exe was created using PyInstaller.

I tried pyinstxtractor.py but it throws the error:

[+] Processing puzzle.exe
[!] Error : Missing cookie, unsupported pyinstaller version or not a pyinstaller archive]

and my conclusion is that pyinstxtractor.py does not support Python 3.12 (which seems to be the version used for the .exe).

Second thing I tried was actually starting the .exe in Wine. That did not work, so I tried dosbox. That did not work either…

Third thing was to enlist a friend with a Windows computer! He was able to start the application and found that it’s a puzzle game (who would’ve thought…). If you do enough of the puzzle the flag can be read of the screen.

Flag: CTF[HAPPYBIRTHDAY] (potentially with a space between Y and B)

Recycle-Bin.zip (from FTP in corp_net1.pcap)

I started with the obvious:

$> unzip Recycle-Bin.zip 
Archive:  Recycle-Bin.zip
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of Recycle-Bin.zip or
        Recycle-Bin.zip.zip, and cannot find Recycle-Bin.zip.ZIP, period.

I tried repairing the archive:

$> zip -FF Recycle-Bin.zip --out Recycle-Bin-fixed.zip && unzip Recycle-Bin-fixed.zip

which yielded a new directory: C in which I could find some stuff:

C/$Recycle.Bin/S-1-5-21-2433278764-4034921937-2507072421-1164 $> ll
total 1.8M
'$I0BN3IA.pdf'
'$I0DKZRU.txt'
'$I0G1V6C.txt'
'$I0P8KGD.txt'
'$I0S90LB.txt'
'$I1341CT.txt'
'$I15ZRRO.txt'
'$I161W3Y.txt'
'$I18MLB2.txt'
'$I1APZ4K.txt'
'$I1E5HE8.txt'
'$I1QVT66.txt'
'$I27B4VA.txt'
'$I283B2L.txt'
'$I2UBK07.jpg'
-- and much more --

I wrote a simple script to check whether any flags were hiding in plain sight:

find . -type f | while read -r file; do
    grep -Eo 'CTF' "$file" && echo "Found in: $file"
done

but was unable to find anything.

Then I wrote another script to check the output of file for each file. The output is summarised below:

-- the majority of files were identified as Matlab files --
$I0BN3IA.pdf Matlab v4 mat-file (little endian) \330\367\332\0018, sparse, rows 0, columns 17051
$IZQJF50.txt Matlab v4 mat-file (little endian) \326\367\332\001=, sparse, rows 0, columns 4
...

-- second most common file type was ASCII or ASCII with CRLF line terminators -- 
$R0G1V6C.txt ASCII text
$R0P8KGD.txt ASCII text, with CRLF line terminators
...

-- then I found some images and some other files --
$R2UBK07.jpg JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 614x460, components 3
$R5QEV86.jpg JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 614x460, components 3
$RAUCOEZ.jpg JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 614x460, components 3
$RKKFUN8.jpg JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 614x460, components 3

$RDE2VJ7.ps1 Unicode text, UTF-8 (with BOM) text, with no line terminators
$R7ZRFQY.ps1 Unicode text, UTF-8 (with BOM) text, with no line terminators

$RCXHUFJ.zip Zip archive data, at least v2.0 to extract, compression method=deflate

$RL7SXXI.exe PE32 executable (GUI) Intel 80386, for MS Windows

$R0BN3IA.pdf PDF document, version 1.7, 1 pages (zip deflate encoded)
$R92DY1S.pdf PDF document, version 1.7, 1 pages (zip deflate encoded)
$RGRASUC.pdf PDF document, version 1.7, 1 pages (zip deflate encoded)
$RJLEGV5.pdf PDF document, version 1.7, 1 pages (zip deflate encoded)

The .pdf files listed above all contained a lorem ipsum paragraph and nothing more.

The images were hand drawn images of cats and dogs (and one image just had CAT written by hand in it).

Both powershell scripts contained: Write-Host "Räkna ut din riktiga ålder"

The zip archive contained a NewFileTime.txt with the following content:

Server:

https://www.softwareok.de/?Download=NewFileTime
https://www.softwareok.com/?Download=NewFileTime
https://www.softwareok.eu/?Download=NewFileTime

http://www.softwareok.de/?Download=NewFileTime
http://www.softwareok.com/?Download=NewFileTime
http://www.softwareok.eu/?Download=NewFileTime

and a NewFileTime_x64.exe.

Running the NewFileTime_x64.exe seems to launch the application which can be downloaded from softwareok.com. What a lovely website – but I don’t know what good the program is for…

I then checked the dates for the files created. Two files stood out as they were created years ago (not weeks like the other files).

$> ls -lat
160 Jun  6  1984 '$I80Z3YX.txt'
 84 Jun  6  1984 '$R80Z3YX.txt'

and the contents of those files are:

$> cat \$I80Z3YX.txt       
T�)�����BC:\Users\aleksej.pazjitnov\Downloads\INKEMW2QIVHFIT2NJFHE6U25.txt%

$> cat \$R80Z3YX.txt       
Jamborino Jamboro Archipelago Island Apple Horse
Monkey Dog
Kit Kat House Flower

Aleksej Pazjitnov created Tetris in 1984. This has to be some sort of clue?

Flag in archive (from FTP in corp_net1.pcap)

According to file, archive is a gzip compressed archive:

$> file archive
archive: gzip compressed data, from Unix, original size modulo 2^32 847

so I added a .gz extension to the file and attempted to unpack it using gunzip:

$> gunzip archive.gz    
gzip: archive already exists; do you wish to overwrite (y or n)? y

Out the other end came a new file, which was also a gzip archive. And then another one. And another one.

But I kept at it, running my one liner:

$> mv archive archive.gz && gunzip archive.gz && file archive && cat archive

until finally:

$> mv archive archive.gz && gunzip archive.gz && file archive && cat archive
archive: POSIX tar archive (GNU)
input0000664000175000017500000000100714661054721010664 0ustar  useruser�����`f�S�����͌>��9��H���%00�S:v��G��c!�wO����1?��~R���?�S�f���ykr�ey�g��~wnl^����kq�١��e��b�"6>|��:����WS�'9�{ċ^��'g���I��k�ѓ����>ޗ�ss��Uǚ]��_������mk��������U֍�ߛ�?�z�����I����]Ͽ[[yi���=����*��������R![]�������n����z�����������ﻷ�[_U����+w����������/�?U7��z}����ìs�~�x������u�������)�o�~����7u�_o.���2���/m�~�����}��ׂSU�k��ߟ[��w׷/�O���o����������[?��r��ӐM_sS�O&�1V�UTr�y~���]BB�\F��������[m�<f��-�f��੭u�������|�9@����W6iј���46+�y�����%       

A TAR!!

$> tar xvf archive
input

$> cat input 
�����`f�S�����͌>��9��H���%00�S:v��G��c!�wO����1?��~R���?�S�f���ykr�ey�g��~wnl^����kq�١��e��b�"6>|��:����WS�'9�{ċ^��'g���I��k�ѓ����>ޗ�ss��Uǚ]��_������mk��������U֍�ߛ�?�z�����I����]Ͽ[[yi���=����*��������R![]�������n����z�����������ﻷ�[_U����+w����������/�?U7��z}����ìs�~�x������u�������)�o�~����7u�_o.���2���/m�~�����}��ׂSU�k��ߟ[��w׷/�O���o����������[?��r��ӐM_sS�O&�1V�UTr�y~���]BB�\F��������[m�<f��-�f��੭u�������|�9@����W6iј���46+�y�����%                                   erik@pop-os: ~/Nextcloud/-shared/ctf $> file input 
input: gzip compressed data, from Unix, original size modulo 2^32 496

really ?

After repeating the process of alternating gunzip and tar I finally was rewarded:

$> mv input input.gz && gunzip input.gz && file input && cat input
input: ASCII text
CTF[IRRITATING]

Flag: CTF[IRRITATING]

corp_net2.pcap (from FTP in original .pcap)

A bunch of TLS traffic. Haven’t investigated this further.

disk1.img.gz (from FTP in corp_net1.pcap)

$> file disk1.img
disk1.img: DOS/MBR boot sector; partition 1 : ID=0xc, start-CHS (0x0,32,33), end-CHS (0x82,138,8), startsector 2048, 2095104 sectors

Let’s mount this using the offset calculated as:

Offset = Start Sector × Sector Size
       = 2048 × 512 bytes
       = 1,048,576 bytes

$> sudo mount -o loop,offset=1048576 disk1.img $(pwd)/diskmount

$> ls -la diskmount
total 12
drwxr-xr-x 2 root root 4096 Jan  1  1970 .
drwxrwxr-x 3 erik erik 4096 Oct  1 10:39 ..
-rwxr-xr-x 1 root root   48 Sep 24 09:54 secret.encrypted

$> file diskmount/secret.encrypted 
diskmount/secret.encrypted: openssl enc'd data with salted password

I fetched openssl2john.py from GitHub and used it to convert the encrypted secret to a hash.

python openssl2john.py diskmount/secret.encrypted > secret.hash

I then downloaded John the Ripper and tried to use the WORDLIST.txt we found earlier to see if we could find a match:

$> ./john --wordlist=WORDLIST.txt secret.hash
Loaded 1 password hash (openssl-enc, OpenSSL "enc" encryption [32/64])
NATHAN           (secret.encrypted)     
1g 0:00:00:00 DONE (2024-10-01 11:24) 50.00g/s 10000p/s 10000c/s 10000C/s 123456..SEPTEMBER
Session completed. 

But I believe NATHAN was a false positive as I was unable to use it for decrypting the secret.encrypeted file.

$> openssl enc -d -aes-256-cbc -md sha256 -in diskmount/secret.encrypted -pass pass:NATHAN
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
40F7EEBFD27E0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
� �P6�i�@�^EiR%   

I also tried adding the pbkdf2 flag:

$> openssl enc -d -pbkdf2 -aes-256-cbc -md sha256 -in diskmount/secret.encrypted -pass pass:NATHAN
bad decrypt
40572AB1327D0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
˺4�G�ҹ��8=�%

I then skipped wrote a little script that tried all passwords in WORDLIST.txt and found several matches (NICOLE, BEAUTIFUL, …) but they all turned out to be false positives.

When I tested John the Ripper with rockyou.txt I got thousands of false positives and somewhere around here I gave up for now.

I also tried all passwords in WORDLIST.txt (after removing the brackets) in combination with all ciphers and digests using this script:

#!/bin/bash

ENCRYPTED_FILE="diskmount/secret.encrypted"
WORDLIST="WORDLIST.txt"
OUTPUT_FILE="secret.decrypted"
CIPHERS=("aes-256-cbc" "aes-192-cbc" "aes-128-cbc" "des3" "des")
DIGESTS=("md5" "sha1" "sha256" "sha512")

check_decryption() {
    FILE_TYPE=$(file -b "$1")
    if [[ "$FILE_TYPE" != "data" ]]; then
        return 0
    else
        return 1
    fi
}

while IFS= read -r PASSWORD; do
    for CIPHER in "${CIPHERS[@]}"; do
        for DIGEST in "${DIGESTS[@]}"; do
            openssl enc -d -"${CIPHER}" -md "${DIGEST}" -in "${ENCRYPTED_FILE}" -out "${OUTPUT_FILE}" -pass pass:"${PASSWORD}" 2>/dev/null
            if [ $? -eq 0 ] && check_decryption "${OUTPUT_FILE}"; then
                echo "Success with password: $PASSWORD, cipher: $CIPHER, digest: $DIGEST"
                echo "Content of decrypted file:"
                echo "$(cat ${OUTPUT_FILE})"
                mv ${OUTPUT_FILE} "${OUTPUT_FILE}$(date)"
            fi
        done
    done
done < "${WORDLIST}"

erik@pop-os: ~/Nextcloud/-shared/ctf/disk1 $> bash script.sh
Success with password: BEAUTIFUL, cipher: aes-128-cbc, digest: sha256
Content of decrypted file:
���70̙�Kt��
��[f�
�W��0jo d�_3

Note that the bash script found BEAUTIFUL with cipher aes-128-cbc which I sort of take as a hint that I’m on the right way, because one flag was literally: CTF[AES128]. That has to be a hint?!

$> file secret.decrypted 
secret.decrypted: Non-ISO extended-ASCII text

I actually tried running this file through the same script (maybe it’s double-encrypted?!), but got nothing out of it.

WORDLIST.txt (from FTP in corp_net1.pcap)

I think it makes sense that this file should be used to decrypt the file in the image mounted above…

I’m currently working with a client who has a very extensive support agreement with their users. The client develops embedded software for a plethora of different PLCs and because of this it’s not always super easy to find compilers. (Or, it’s rather the case that the company that makes the PLC also creates a compiler and you need both in order to create your product.) Because of the way my client offer support, they must ensure that they can build and patch their software for years to come. It is not infeasible that my client will need to re-build and patch a product they released back in 2010. So how do I help my client make sure they can do this?

Over the past couple of years – and long before I came into the picture – the client has built a very good build system based on Docker. In essence, the build system checks a config file in the product’s repository, downloads the appropriate Docker images and executes the build/test commands specified in the config. Any solution I come up with must be compatible with this way of working. I have therefore spent the past couple of days creating a new Docker image + config to build yet another (old) product.

Windows. For real?

When my client told me that part of the build included a compiler which only runs on Windows, my heart stopped a little. Note the part of. The product is cross-compiled, makes use of compilers that only run on Linux and uses one compiler which only runs on Windows – yay!

A predecessor of mine had configured a way of building this project in a Linux environment using Wine for the Windows compiler and my instructions from the client were clear:

Try to replicate the old build system as closely as possible!

So… the task was to create a Docker image and a build config, capable of running both the Linux compilers and the super old Windows-only compiler.

Wine in Docker

The first thing I did was to check whether anyone else had been crazy enough to attempt this already. Naturally, someone had -> scottyhardy/docker-wine.

I looked through Scotty’s code and borrowed the Wine installation step he cooked up:

# Install Wine
RUN wget -nv -O- https://dl.winehq.org/wine-builds/winehq.key | APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add - \
    && echo "deb https://dl.winehq.org/wine-builds/ubuntu/ $(grep VERSION_CODENAME= /etc/os-release | cut -d= -f2) main" >> /etc/apt/sources.list \
    && dpkg --add-architecture i386 \
    && apt-get update \
    && DEBIAN_FRONTEND="noninteractive" apt-get install -y --install-recommends winehq-stable \
    && rm -rf /var/lib/apt/lists/*

Thereafter I needed to figure out how to install the Windows compiler. Naturally, the compiler cannot be installed headless but makes use of an install wizard in which you must click: Next > Next > Next > .... How do you do that while building a Docker image?

Well, you use Xvfb to create a virtual framebuffer in your build process and open Wine inside of it, in order to trick the installer that it’s actually running in a GUI and that someone is repeatedly clicking along in the wizard.

ENV DISPLAY=:0
RUN xvfb-run --auto-servernum --server-args="-screen 0 1024x768x16" bash -c \
    "wine /opt/compiler.exe & \
    pid=\$! && while kill -0 \$pid 2> /dev/null; do \
    xdotool key Return; \
    echo 'Pressed Enter'; \
    sleep 15; \
    done && wait \$pid && echo 'Wine process finished'"

In Swedish, you can say that you “do violence” on something, and I think this is exactly what that expression is meant to be used for. I feel like I have done violence on both Docker and Wine and the poor compiler. But it works(!) and the client is happy.