Welcome to our blog post on the Capture the Flag (CTF) challenge for the Telecom domain by P1Security.
One of the most widely used protocols in the Telecom domain (2G and 3G) is SS7, Signaling System No. 7, the signalling protocol suite that carries call setup, SMS, roaming and mobility management traffic between the nodes of a mobile core network and between operators' networks. SS7 was designed for a closed club of trusted operators and carries no authentication of its own, so with the rise of SS7-based attacks it is crucial to understand the vulnerabilities and security risks associated with it. In this post we delve into SS7 security and explore CTF challenges as a means to practise analysing this traffic and, in turn, to improve network defenses. Whether you are a cybersecurity enthusiast or a network administrator, read on to learn why SS7 security matters and how CTFs can help you stay one step ahead of attackers.
The CTF consists of six challenges, each built around a PCAP file in which the flag is hidden among a large number of SS7 packets. A basic understanding of the SS7 protocol stack, especially MAP, TCAP and SCCP, is required to complete them.
Image Source: https://www.geeksforgeeks.org/what-is-ss7-protocol-stack/
The difficulty varies per level and ranges from easy to medium, except for the last flag, which is challenging.
Link for CTF Challenge: https://ctf.p1sec.fr/
Challenge 1: Identify Yourself
Objective: Find the MSISDN associated with the listed IMSI by analyzing the PCAP file.
Solution:
Download the PCAP file for Challenge 1 and open it in Wireshark.
You are presented with a series of GSM MAP (Mobile Application Part) packets whose opCode is SendRoutingInfoForSM, abbreviated SRI-SM (local operation code 45). An SMS gateway MSC sends it to the HLR to ask, for a given MSISDN (Mobile Subscriber Integrated Services Digital Network Number, i.e. the phone number), which IMSI (International Mobile Subscriber Identity) and which serving node (MSC or SGSN) a short message should be routed to. Because the answer discloses a subscriber's IMSI and current serving node to anyone who can reach the HLR with nothing more than a phone number, SRI-SM is one of the MAP operations that interconnect firewalls screen most carefully, and this request/response pairing is exactly what the challenge is built around.
Next, find the packets that carry the IMSI listed in the challenge. Expand the GSM MAP layer of any SRI-SM response packet until the IMSI field is visible, right-click it and choose Apply as Filter > Selected. Wireshark places a filter on that packet's IMSI value in the display-filter bar (in current releases the field is named e212.imsi); edit the value to the IMSI from the challenge and apply the filter.
With that filter applied only one packet remains: the SRI-SM response (a TCAP End carrying a ReturnResultLast) for our IMSI. The MSISDN, however, travels in the matching request. TCAP correlates the two through the transaction ID: the request (a TCAP Begin) carries an Originating Transaction ID, and the response echoes that value as its Destination Transaction ID. Note the Destination Transaction ID in the response's TCAP layer and filter on it (in current releases tcap.tid matches the transaction ID in either direction); this brings up the Invoke SRI-SM request with the same ID. Expand its GSM MAP layer to find the MSISDN and submit it as the flag. Keep in mind that transaction IDs are unique only per originating node and are reused over time, so in a larger capture you would also check that the SCCP calling and called addresses of the two packets are swapped relative to each other.
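As an added worked example (not code from the original post or from P1Security), here is the same correlation carried out in Python over tshark field output rather than by clicking through Wireshark. The tshark command in the docstring and the Wireshark field names (tcap.otid, tcap.dtid, gsm_old.localValue, e164.msisdn, e212.imsi) are assumptions to check against your Wireshark version, and the sample lines are constructed, not taken from the CTF capture. It goes beyond the single lookup the challenge asks for: it builds the complete IMSI to MSISDN table for every paired SRI-SM dialogue and reports responses whose request is missing from the capture.

```python
"""Pair MAP SRI-SM requests with their responses via TCAP transaction IDs.

The input format mimics what tshark emits for a command such as
  tshark -r challenge1.pcap -Y gsm_map -T fields -E separator=/t \
    -e frame.number -e tcap.otid -e tcap.dtid -e gsm_old.localValue \
    -e e164.msisdn -e e212.imsi
Field names are assumed to match the Wireshark release in use; the sample
lines below are constructed for illustration and are not from the CTF capture.
"""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Optional, Tuple

SRI_SM_OPCODE = 45  # sendRoutingInfoForSM local operation code (3GPP TS 29.002)

# Constructed sample. Begin (request) lines carry the MSISDN and an Originating
# TID; the matching End (response) carries the same value as its Destination TID
# plus the IMSI. Frame 7 is a response whose request is not in the capture.
SAMPLE_TSV = (
    "1\t00:00:00:01\t\t45\t33612345678\t\n"
    "2\t\t00:00:00:01\t45\t\t208011234567890\n"
    "3\t00:00:00:02\t\t45\t33698765432\t\n"
    "4\t00:00:00:03\t\t45\t33655555555\t\n"
    "5\t\t00:00:00:03\t45\t\t208013333333333\n"
    "6\t\t00:00:00:02\t45\t\t208019999999999\n"
    "7\t\t00:00:00:09\t45\t\t208010000000000\n"
)


@dataclass
class MapRecord:
    frame: int
    otid: str               # TCAP Originating Transaction ID (present on Begin)
    dtid: str               # TCAP Destination Transaction ID (present on End)
    opcode: Optional[int]   # MAP local operation code, None if absent
    msisdn: str
    imsi: str


def parse_tshark_fields(text: str) -> List[MapRecord]:
    """Turn tab-separated tshark field output into records; blank fields stay ''."""
    records: List[MapRecord] = []
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if len(row) != 6:
            continue  # skip malformed lines rather than mis-align the fields
        frame, otid, dtid, opcode, msisdn, imsi = row
        records.append(MapRecord(int(frame), otid, dtid,
                                 int(opcode) if opcode else None, msisdn, imsi))
    return records


def correlate_sri_sm(records: List[MapRecord]) -> Tuple[Dict[str, str], List[MapRecord]]:
    """Return {IMSI: MSISDN} for every completed SRI-SM dialogue plus orphan responses.

    TCAP pairs a Begin with its End through the transaction ID: the End's dtid
    equals the Begin's otid. TIDs are unique only per originating node and are
    reused over time, so a pending request is consumed by the first response
    that references it instead of being kept around forever.
    """
    pending: Dict[str, MapRecord] = {}
    imsi_to_msisdn: Dict[str, str] = {}
    orphans: List[MapRecord] = []
    for rec in sorted(records, key=lambda r: r.frame):
        if rec.opcode != SRI_SM_OPCODE:
            continue
        if rec.otid and not rec.dtid:        # Begin: remember the request
            pending[rec.otid] = rec
        elif rec.dtid and rec.imsi:          # End with a result: find its request
            request = pending.pop(rec.dtid, None)
            if request is None or not request.msisdn:
                orphans.append(rec)
            else:
                imsi_to_msisdn[rec.imsi] = request.msisdn
    return imsi_to_msisdn, orphans


def msisdn_for_imsi(records: List[MapRecord], imsi: str) -> Optional[str]:
    """The Challenge 1 flag: the MSISDN whose SRI-SM answer returned `imsi`."""
    return correlate_sri_sm(records)[0].get(imsi)


if __name__ == "__main__":
    recs = parse_tshark_fields(SAMPLE_TSV)
    mapping, unmatched = correlate_sri_sm(recs)
    for imsi, msisdn in mapping.items():
        print(f"IMSI {imsi} <- MSISDN {msisdn}")
    for rec in unmatched:
        print(f"frame {rec.frame}: response with dtid {rec.dtid} has no request in capture")
```

Run tshark once to produce the field file, feed its contents to parse_tshark_fields, and call msisdn_for_imsi with the IMSI from the challenge. Matching on the transaction ID alone is enough for a small CTF capture; on a busy interconnect link you would key pending requests on the pair (SCCP calling address, otid), since transaction IDs are unique only per originating node.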
The solution of Challenge 2 is covered in a separate post.