picoCTF - Forensics - Packets Primer


Forensics - Packets Primer - writeup

description

Download the packet capture file and use packet analysis software to find the flag.

Download packet capture

writeup

OK, so we got a .pcap file as a download:

network-dump.flag.pcap

Let's look at the content using Wireshark:

wireshark -r network-dump.flag.pcap

I found some interesting traffic: frame 4 is a TCP segment from 10.0.2.15 to port 9000 on 10.0.2.4 with PSH, ACK set and a 60-byte payload:

4       0.001225        10.0.2.15       10.0.2.4        TCP     126     48750 → 9000 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=60 TSval=2379213157 TSecr=1760620995

Looking at the hex dump of that frame I can see the following. The first 66 bytes are headers (14 bytes Ethernet, 20 bytes IPv4, 32 bytes TCP including the timestamp option), so the payload starts at offset 0x42:

0000   08 00 27 93 ce 73 08 00 27 af 39 9f 08 00 45 00
0010   00 70 50 c2 40 00 40 06 d1 b3 0a 00 02 0f 0a 00
0020   02 04 be 6e 23 28 27 ec d4 b7 bd 26 99 bc 80 18
0030   01 f6 18 75 00 00 01 01 08 0a 8d cf e9 65 68 f0
0040   f1 c3 70 20 69 20 63 20 6f 20 43 20 54 20 46 20
0050   7b 20 70 20 34 20 63 20 6b 20 33 20 37 20 5f 20
0060   35 20 68 20 34 20 72 20 6b 20 5f 20 32 20 65 20
0070   64 20 64 20 37 20 65 20 35 20 38 20 7d 0a

Decoded as text, that gives the following. The header bytes are binary and show up as garbage; the TCP payload is the readable tail:

'Îs'¯9EpPÂ@@ѳ

¾n#('ìÔ·½&¼öu
ÏéehðñÃp i c o C T F { p 4 c k 3 7 _ 5 h 4 r k _ 2 e d d 7 e 5 8 }

There is our flag!

flag:

p i c o C T F { p 4 c k 3 7 _ 5 h 4 r k _ 2 e d d 7 e 5 8 }

Let's put that string into CyberChef using the operation ‘Remove whitespace’.

The result is:

picoCTF{p4ck37_5h4rk_2edd7e58}
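To show what Wireshark did for us between the hex dump and the flag, here is an added example (not part of the original writeup) that parses the hex dump above, walks Ethernet II, IPv4 and TCP by their own length fields (IHL and TCP data offset) rather than by fixed offsets, and then removes the whitespace from the payload the same way the CyberChef step does. It needs only the Python standard library; the frame bytes are the ones shown in the writeup.

```python
"""Added example (not from the original writeup): parse the Wireshark hex dump
of frame 4, decode Ethernet II -> IPv4 -> TCP by the header length fields, and
pull the flag out of the TCP payload like the 'Remove whitespace' step does."""
import struct

# Frame 4 exactly as the writeup's hex dump shows it (offset, then up to 16 bytes).
HEX_DUMP = """
0000   08 00 27 93 ce 73 08 00 27 af 39 9f 08 00 45 00
0010   00 70 50 c2 40 00 40 06 d1 b3 0a 00 02 0f 0a 00
0020   02 04 be 6e 23 28 27 ec d4 b7 bd 26 99 bc 80 18
0030   01 f6 18 75 00 00 01 01 08 0a 8d cf e9 65 68 f0
0040   f1 c3 70 20 69 20 63 20 6f 20 43 20 54 20 46 20
0050   7b 20 70 20 34 20 63 20 6b 20 33 20 37 20 5f 20
0060   35 20 68 20 34 20 72 20 6b 20 5f 20 32 20 65 20
0070   64 20 64 20 37 20 65 20 35 20 38 20 7d 0a
"""


def parse_hex_dump(dump: str) -> bytes:
    """Convert 'offset  xx xx ...' lines into raw frame bytes (offset column dropped)."""
    frame = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        frame.extend(int(tok, 16) for tok in tokens[1:])
    return bytes(frame)


def decode_tcp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II / IPv4 / TCP frame and return the fields that matter here.

    Header lengths come from the packet (IHL, TCP data offset), not from assumptions,
    so the TCP timestamp option in this capture is skipped correctly.
    """
    ether_type = struct.unpack_from("!H", frame, 12)[0]
    if ether_type != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ether_type:04x}")

    ip = 14  # Ethernet II header is 14 bytes (no VLAN tag in this frame)
    version, ihl = frame[ip] >> 4, (frame[ip] & 0x0F) * 4
    if version != 4:
        raise ValueError(f"unexpected IP version {version}")
    total_length = struct.unpack_from("!H", frame, ip + 2)[0]
    protocol = frame[ip + 9]
    if protocol != 6:
        raise ValueError(f"not TCP: protocol {protocol}")
    src_ip = ".".join(str(b) for b in frame[ip + 12:ip + 16])
    dst_ip = ".".join(str(b) for b in frame[ip + 16:ip + 20])

    tcp = ip + ihl
    src_port, dst_port = struct.unpack_from("!HH", frame, tcp)
    data_offset = (frame[tcp + 12] >> 4) * 4
    flags = frame[tcp + 13]

    # Payload runs from the end of the TCP header to the end of the IP datagram;
    # anything beyond total_length would be Ethernet padding, not data.
    payload = frame[tcp + data_offset:ip + total_length]
    return {
        "src": f"{src_ip}:{src_port}",
        "dst": f"{dst_ip}:{dst_port}",
        "psh": bool(flags & 0x08),
        "ack": bool(flags & 0x10),
        "payload": payload,
    }


def extract_flag(payload: bytes) -> str:
    """Drop every whitespace character, like CyberChef's 'Remove whitespace'."""
    return "".join(payload.decode("ascii").split())


if __name__ == "__main__":
    info = decode_tcp_frame(parse_hex_dump(HEX_DUMP))
    print(info["src"], "->", info["dst"], "payload bytes:", len(info["payload"]))
    print(extract_flag(info["payload"]))
```

Running it reproduces Wireshark's summary line (10.0.2.15:48750 to 10.0.2.4:9000, 60 payload bytes) and prints the flag; the same header walk works on any Ethernet/IPv4/TCP frame dumped in this format, which is why the offsets are computed rather than hard-coded.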