Forensics - Eavesdrop - writeup
description
Download this packet capture and find the flag.
Download packet capture
writeup
Let’s first download this file:
https://artifacts.picoctf.net/c/364/capture.flag.pcap
```
wget https://artifacts.picoctf.net/c/364/capture.flag.pcap
--2022-03-17 18:29:49-- https://artifacts.picoctf.net/c/364/capture.flag.pcap
Resolving artifacts.picoctf.net (artifacts.picoctf.net)... 108.157.4.16, 108.157.4.118, 108.157.4.13, ...
Connecting to artifacts.picoctf.net (artifacts.picoctf.net)|108.157.4.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7518 (7.3K) [application/octet-stream]
Saving to: 'capture.flag.pcap'
capture.flag.pcap 100%[=======================================>] 7.34K --.-KB/s in 0s
2022-03-17 18:29:50 (92.7 MB/s) - 'capture.flag.pcap' saved [7518/7518]
```
Ok so we have a file called ‘capture.flag.pcap’.
We can open this file using wireshark to take a look at
the network traffic.
```
wireshark -r capture.flag.pcap
```
In the traffic I found something interesting:
Wireshark's packet-bytes pane shows each segment raw: the unprintable prefix is the Ethernet, IPv4 and TCP headers rendered as text, and the readable tail is the TCP payload. With the headers stripped, the two hosts exchange the following messages, alternating turns:

```
Hey, how do you decrypt this file again?
You're serious?
Yeah, I'm serious
*sigh* openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123
Ok, great, thanks.
Let's use Discord next time, it's more secure.
C'mon, no one knows we use this program like this!
Whatever.
Hey.
Yeah?
Could you transfer the file to me again?
Oh great. Ok, over 9002?
Yeah, listening.
Sent it
Got it.
You're unbelievable
```
This conversation tells us that one host re-sent a file to the other,
that the transfer went to TCP port 9002 ("over 9002?"), and that it happened
between the messages "Sent it" and "Got it.".
The segment below is the only one in that window; its TCP destination port
is 0x232a = 9002, and the 48-byte payload begins at offset 0x42:
```
0000 08 00 27 93 ce 73 08 00 27 af 39 9f 08 00 45 00 ..'..s..'.9...E.
0010 00 64 ac 90 40 00 40 06 75 f1 0a 00 02 0f 0a 00 .d..@.@.u.......
0020 02 04 dc 32 23 2a 5e a2 8b c7 40 5f 54 6d 80 18 ...2#*^...@_Tm..
0030 01 f6 18 69 00 00 01 01 08 0a d1 a7 93 f4 69 41 ...i..........iA
0040 0c 67 53 61 6c 74 65 64 5f 5f f0 a3 17 73 9d af .gSalted__...s..
0050 48 04 2b 93 5e 31 00 59 ae ea 2d 69 e9 ab e6 d7 H.+.^1.Y..-i....
0060 b9 9a bd 16 1f a6 fe 46 d0 f6 7d d7 47 fe 7c 76 .......F..}.G.|v
0070 ce 0d ..
```
So the payload, as a hex string, is:

```
53616c7465645f5ff0a317739daf48042b935e310059aeea2d69e9abe6d7b99abd161fa6fe46d0f67dd747fe7c76ce0d
```

Rendered as text (most of it is not printable):

```
Salted__ð£.s.¯H.+.^1.Y®ê-ié«æ×¹.½..¦þFÐö}×Gþ|vÎ
```
After googling a bit I found out that the prefix 'Salted__' is the header
written by OpenSSL's 'enc' command when a password is used: 8 bytes of magic,
8 bytes of salt, then the ciphertext. That matches the 48-byte payload
exactly (8 + 8 + 32), so the ciphertext is 32 bytes (four DES blocks),
and the salt is f0a317739daf4804.
The command captured in the chat is the decryption command, not the
encryption command, but it gives us everything we need: the cipher
(des3, i.e. DES-EDE3-CBC), the fact that the key is derived from a salted
password, and the password itself:

```
openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123
```
So I used Wireshark to export the 48 payload bytes of that segment into a file.
The 'file' utility recognises the header:

```
file file.txt
file.txt: openssl enc'd data with salted password
```
We can see that this was encrypted with openssl.
Since we now know the cipher, the password and the key-derivation mode that were used,
I can decrypt it (the '-salt' flag from the chat is the default and can be left out):

```
openssl des3 -d -in file.txt -out decoded.txt -k supersecretpassword123
```

If this reports "bad decrypt", the file was probably produced by an OpenSSL older
than 1.1.0, which derived the key with MD5 instead of SHA-256; adding '-md md5'
to the command above selects the old derivation.
```
cat decoded.txt
picoCTF{nc_73115_411_91361db5}
```

Here is our flag!

```
picoCTF{nc_73115_411_91361db5}
```
We managed to successfully find the encrypted data in the network traffic
and decrypt it to get the flag!
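The same extraction can be done without Wireshark. The script below is an added example, not part of the original writeup: it parses a classic pcap with only the standard library, pulls out every TCP payload sent to port 9002 that starts with 'Salted__', splits off the salt, and derives the DES3 key and IV the way 'openssl enc -k' does (EVP_BytesToKey, one hash iteration, SHA-256 by default since OpenSSL 1.1.0, MD5 before that). The frame it parses is the one from the hex dump above; the pcap wrapper around it is constructed here so the example runs offline. The final decryption step shells out to the openssl binary with the derived key and IV, which is an assumption about the environment, so it is skipped when openssl is not installed.

```python
"""Extract an OpenSSL 'Salted__' blob from a pcap and derive its key/IV.

Added example (not the writeup's own code). Only classic pcap with Ethernet
link type is handled; pcapng would need a different reader.
"""
import hashlib
import shutil
import struct
import subprocess

# Frame from the writeup's hex dump: Ethernet + IPv4 + TCP (32-byte header
# with timestamps) + 48-byte payload, 114 bytes in total.
FRAME = bytes.fromhex(
    "08 00 27 93 ce 73 08 00 27 af 39 9f 08 00 45 00"
    "00 64 ac 90 40 00 40 06 75 f1 0a 00 02 0f 0a 00"
    "02 04 dc 32 23 2a 5e a2 8b c7 40 5f 54 6d 80 18"
    "01 f6 18 69 00 00 01 01 08 0a d1 a7 93 f4 69 41"
    "0c 67 53 61 6c 74 65 64 5f 5f f0 a3 17 73 9d af"
    "48 04 2b 93 5e 31 00 59 ae ea 2d 69 e9 ab e6 d7"
    "b9 9a bd 16 1f a6 fe 46 d0 f6 7d d7 47 fe 7c 76"
    "ce 0d"
)
PASSWORD = b"supersecretpassword123"   # from the captured chat


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap (constructed
    here so the example runs without the real capture file)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1647541790 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_payloads(pcap):
    """Yield (src_ip, sport, dst_ip, dport, payload) for every IPv4/TCP
    segment in a classic pcap that carries data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                        # TCP only
            continue
        tcp = ip[ihl:total_len]                               # drop any Ethernet padding
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            yield src, sport, dst, dport, payload


def find_salted_blobs(pcap, port=9002):
    """Payloads sent to `port` that carry OpenSSL's salted-password header."""
    return [p for (_, _, _, dport, p) in tcp_payloads(pcap)
            if dport == port and p.startswith(b"Salted__")]


def split_salted(blob):
    """Return (salt, ciphertext) from a 'Salted__' + 8-byte-salt + data blob."""
    if blob[:8] != b"Salted__" or len(blob) < 16:
        raise ValueError("not an OpenSSL salted blob")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len=24, iv_len=8, md="sha256"):
    """OpenSSL EVP_BytesToKey with count=1: D_i = H(D_{i-1} || pw || salt),
    key = first key_len bytes, IV = next iv_len bytes. DES-EDE3-CBC needs a
    24-byte key and an 8-byte IV. Use md="md5" for files made by OpenSSL < 1.1.0."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def openssl_decrypt(ciphertext, key, iv):
    """Decrypt with the openssl CLI using the derived key/IV directly (-K/-iv),
    which bypasses its own derivation and so confirms ours. Returns None when
    openssl is not on PATH (environment assumption)."""
    if shutil.which("openssl") is None:
        return None
    result = subprocess.run(
        ["openssl", "enc", "-des-ede3-cbc", "-d", "-K", key.hex(), "-iv", iv.hex()],
        input=ciphertext, capture_output=True, check=True)
    return result.stdout


if __name__ == "__main__":
    blob = find_salted_blobs(build_pcap([FRAME]))[0]
    salt, ciphertext = split_salted(blob)
    key, iv = evp_bytes_to_key(PASSWORD, salt)
    print("salt:", salt.hex(), "key:", key.hex(), "iv:", iv.hex())
    plaintext = openssl_decrypt(ciphertext, key, iv)
    print(plaintext if plaintext is not None else "openssl not found, skipping decrypt")
```

Run it as `python3 extract_salted.py`; to process the real capture, replace `build_pcap([FRAME])` with the bytes of capture.flag.pcap. Because the key and IV are passed explicitly, a "bad decrypt" here points at the wrong digest in the derivation (try `md="md5"`) rather than at a wrong password.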