This is a basic forensics challenge. Here is my approach: I only used Wireshark's Follow TCP Stream feature.
Fortunately, the provided pcap file is not big, so I skimmed every line.
In the pcap file I found some clues for the flag: the two hosts exchange the key, and flag.txt is sent in a zip file.
>> 50 4b 03 04 ("PK") is the signature of a zip file
I used the Follow TCP Stream function (Analyze >> Follow >> TCP Stream, shortcut - Ctrl + Alt + Shift + T) to download the zip file.
The hex string of the stream is:
504b03040a00090000006e80774e2064e5de480000003c00000008001c00666c61672e7478745554090003c04a965cc04a965c75780b000104e803000004e80300001c0786f2a0ac34d99333f0b9192dcbb4745efd2fe45b7db533f00ad89b7512b8213a65f95e827be6c2638fac42c4a133bb22d5e92a958a183ebdae0ca39b3bfce5c46b5d96883b5c504b07082064e5de480000003c000000504b01021e030a00090000006e80774e2064e5de480000003c000000080018000000000001000000b48100000000666c61672e7478745554050003c04a965c75780b000104e803000004e8030000504b050600000000010001004e0000009a0000000000
I saved it as a file, and when I opened the zip I found flag.txt. However, it needs a password for extraction, so I looked through some more lines of the stream. The password was easy to find: securinetsXD
BUT this is not all: the content had to be decoded one more time, as base64. The flag.txt file contains
> c2VjdXJpbmV0c3s5NTRmNjcwY2IyOTFlYzI3NmIxYTlmZjg0NTNlYTYwMX0
$ echo "c2VjdXJpbmV0c3s5NTRmNjcwY2IyOTFlYzI3NmIxYTlmZjg0NTNlYTYwMX0" | base64 -d
Flag : securinets{954f670cb291ec276b1a9ff8453ea601}
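As an added example (not part of the original write-up), the same steps scripted in Python: carve the zip out of the stream by its 50 4b 03 04 signature, parse the local file header to see that flag.txt is stored, password-protected and written with a data descriptor, extract it with the password found in the stream, and base64-decode the result. It assumes the standard zipfile module, which supports the traditional ZipCrypto scheme this archive uses; STREAM_HEX is the dump copied from this page.

```python
import base64
import io
import struct
import zipfile
# Hex of the TCP stream payload copied from the write-up: one zip file carrying flag.txt.
STREAM_HEX = (
    "504b03040a00090000006e80774e2064e5de480000003c00000008001c00666c61672e7478745554090003c04a965cc04a965c75780b000104e803000"
    "004e80300001c0786f2a0ac34d99333f0b9192dcbb4745efd2fe45b7db533f00ad89b7512b8213a65f95e827be6c2638fac42c4a133bb22d5e92a958a18"
    "3ebdae0ca39b3bfce5c46b5d96883b5c504b07082064e5de480000003c000000504b01021e030a00090000006e80774e2064e5de480000003c000000"
    "080018000000000001000000b48100000000666c61672e7478745554050003c04a965c75780b000104e803000004e8030000504b0506000000000100"
    "01004e0000009a0000000000"
)
STREAM = bytes.fromhex(STREAM_HEX)

ZIP_LOCAL_SIG = b"PK\x03\x04"   # 50 4b 03 04, start of every local file header
FLAG_ENCRYPTED = 0x0001         # general-purpose bit 0: member is password protected
FLAG_STREAMED = 0x0008          # bit 3: CRC/sizes also written in a data descriptor

def carve_zip_members(data: bytes) -> list:
    """Find every zip local file header in a raw byte stream and describe it."""
    members, pos = [], 0
    while (idx := data.find(ZIP_LOCAL_SIG, pos)) != -1 and idx + 30 <= len(data):
        (_sig, _ver, flags, method, _time, _date, _crc, csize, usize,
         fnlen, exlen) = struct.unpack_from("<IHHHHHIIIHH", data, idx)
        members.append({
            "name": data[idx + 30:idx + 30 + fnlen].decode("utf-8", "replace"),
            "method": method,                 # 0 = stored, 8 = deflate
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "streamed": bool(flags & FLAG_STREAMED),
            "compressed_size": csize,         # includes the 12-byte ZipCrypto header
            "uncompressed_size": usize,
        })
        pos = idx + 30 + fnlen + exlen        # resume scanning after the header
    return members

def extract_member(data: bytes, name: str, password: bytes) -> bytes:
    # zipfile handles the traditional ZipCrypto scheme used by this archive
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name, pwd=password)

def decode_flag(b64_text: str) -> str:
    # flag.txt omits the trailing "=" padding, so restore it before decoding
    text = b64_text.strip()
    return base64.b64decode(text + "=" * (-len(text) % 4)).decode()

if __name__ == "__main__":
    print(carve_zip_members(STREAM))
    content = extract_member(STREAM, "flag.txt", b"securinetsXD")
    print(decode_flag(content.decode()))
```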
Reference site: https://www.ctfsecurinets.com/challenges#Easy%20Trade