CTF, Wargame,

ASIS CTF – simple pcap “spcap” writeup

0
Shares


A simple task named spcap (simple pcap). We open it with wireshark and get the Statistics->Conversations. Some SSH, HTTP on it. Apply this filter on HTTP:

ip.addr==172.16.133.133 && tcp.port==52694 && ip.addr==172.16.133.149 && tcp.port==80

We notice that if we follow TCP stream there’s a GET request file called “/files/flag.jpg”, so we have to get it.

files_flag_wireshark

 

The last step is recover the file from pcap with File->Export->Objects->HTTP and select the file:

get_files_http

 

Flag is on this file:

flag

 

Flag: ASIS_de67c0eafdd76d7b38f67f7a458a83a1

No hay contenido relacionado



3 Comments

na

septiembre 1, 2013

ah, sorry didn’t see that one during the competition – thanks for the nfo on the pcap challenge :)

Responder

na

septiembre 1, 2013

Thanks for the write-up. I think this challenge may have been simplified during the contest. I had a no GET /files/flag.jpg but instead a number of files in the following format: /files/1e13be50f05092e2a4e79b321c8450d4. combining them didn’t seem to produce much so i was stuck. Anybody solve the non-simple version of this?

Thanks

Responder

tunelko

septiembre 1, 2013

Thanks for comment. I think challenge you mention is pcap (there are 3 pcap challenge, spcap, pcap and pcaps, this one no one solve it!).
On the second pcap there are 52 tcp streams and one of them has this text:
Hi
hello
I need secret key
ok
secret key will be sent on 6 parts
secret key : part 1 is M)m5s6S
did you received part 1 of secret key?
yes please send part 2
part 2 of secret key is ^[>@#
I recieved part 2
ok. please send me the other parts too
part 3 of secret key is Q3+1
did you received part 3?
yes
are you ready to receive part 4?
yes, please send
part 4 is 0PD.
ok. i received part 4
Please send me part 5
ok
part 5 of secret key is KE#cy
I received part 5
part 6 of secret key is PsvqH
ok. I received all parts of secret key.
Thanx

Later, you got to download and concatenate files to a a 7z that contains an image with the flag (7z password protected with (“M)m5s6S^[>@#Q3+10PD.KE#cyPsvqH”) password ) :-)

Responder

Leave a Reply

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.