A simple task named spcap (simple pcap). We open it with Wireshark and look at Statistics->Conversations: there is some SSH and HTTP traffic in it. Apply this filter to isolate the HTTP conversation:

ip.addr==172.16.133.133 && tcp.port==52694 && ip.addr==172.16.133.149 && tcp.port==80

If we follow the TCP stream, we notice a GET request for a file called “/files/flag.jpg”, so we have to get it.


The last step is to recover the file from the pcap with File->Export->Objects->HTTP and select the file.


The flag is in this file:


Flag: ASIS_de67c0eafdd76d7b38f67f7a458a83a1
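
The File->Export->Objects->HTTP step above can also be done without the GUI. The following is an added example, not code from the original post: it reads a classic pcap, reassembles one direction of the filtered TCP conversation and returns the HTTP response body. The function names are hypothetical, and it assumes Ethernet/IPv4 framing and that 172.16.133.149 is the server on port 80 (the filter does not say which host is which).

```python
import socket, struct, sys

def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) per IPv4/TCP frame of a classic Ethernet pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not IPv4 over Ethernet, or not TCP
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]   # total length drops padding
        tcp = ip[(frame[14] & 0x0F) * 4:]
        if len(tcp) < 20:
            continue                           # truncated TCP header
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        yield (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport,
               seq, tcp[(tcp[12] >> 4) * 4:])

def export_http_object(pcap, src, sport, dst, dport):
    """Reassemble the src->dst byte stream and return the first HTTP response body in it."""
    segs = {}
    for s, sp, d, dp, seq, data in tcp_segments(pcap):
        if (s, sp, d, dp) == (src, sport, dst, dport) and data:
            segs.setdefault(seq, data)         # first copy of a retransmitted segment wins
    if not segs:
        raise ValueError("no payload in that direction of the conversation")
    stream, nxt = b"", min(segs)               # simplification: no 32-bit sequence wrap
    for seq in sorted(segs):
        if seq > nxt:
            raise ValueError("segment missing from capture; object would be corrupt")
        stream += segs[seq][nxt - seq:]        # skip bytes already reassembled
        nxt = max(nxt, seq + len(segs[seq]))
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        raise ValueError("no complete HTTP response header in the stream")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            if len(body) < int(value):
                raise ValueError("body shorter than Content-Length; capture is truncated")
            body = body[:int(value)]           # drop anything after this response
    return body

if __name__ == "__main__":   # usage: export.py capture.pcap out.bin (port 80 on .149 is assumed)
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "wb") as out:
        out.write(export_http_object(f.read(), "172.16.133.149", 80, "172.16.133.133", 52694))
```

Chunked or compressed responses are returned exactly as they appear on the wire, so a body sent with Transfer-Encoding or Content-Encoding still needs decoding afterwards.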




3 thoughts on “ASIS CTF – simple pcap “spcap” writeup”

  1. Thanks for the write-up. I think this challenge may have been simplified during the contest. I had no GET /files/flag.jpg but instead a number of files in the following format: /files/1e13be50f05092e2a4e79b321c8450d4. Combining them didn’t seem to produce much so I was stuck. Anybody solve the non-simple version of this?

    Thanks

    1. Thanks for the comment. I think the challenge you mention is pcap (there are 3 pcap challenges, spcap, pcap and pcaps, this one no one solved!).
      On the second pcap there are 52 TCP streams and one of them has this text:
      Hi
      hello
      I need secret key
      ok
      secret key will be sent on 6 parts
      secret key : part 1 is M)m5s6S
      did you received part 1 of secret key?
      yes please send part 2
      part 2 of secret key is ^[>@#
      I recieved part 2
      ok. please send me the other parts too
      part 3 of secret key is Q3+1
      did you received part 3?
      yes
      are you ready to receive part 4?
      yes, please send
      part 4 is 0PD.
      ok. i received part 4
      Please send me part 5
      ok
      part 5 of secret key is KE#cy
      I received part 5
      part 6 of secret key is PsvqH
      ok. I received all parts of secret key.
      Thanx

      Later, you have to download and concatenate the files into a 7z that contains an image with the flag (the 7z is password protected with the password “M)m5s6S^[>@#Q3+10PD.KE#cyPsvqH”) :-)
