Ph4nt0m 1ntrud3 - Forensics challenge writeup (CTF)


Category: FORENSIC
Author: PRINCE NIYONSHUTI N
Flag format: picoCTF{}
Challenge description: we are given a pcap file and instructed to find the flag within it.
Hints:
1. Filter your packets to narrow down your search.
2. Attacks were done in a timely manner.
3. Time is essential.
I opened the file in Wireshark and found that each packet carries base64-encoded data in its TCP payload, and that the packets are not in chronological order.
I decided to use tshark to extract the TCP data from each packet, using this command:
tshark -r myNetworkTraffic.pcap -Y "tcp" -T fields -e tcp.segment_data | xxd -p -r | base64 -d
This did not give the correct flag, because some of the TCP packets do not belong to the flag data.
The following command filters the TCP packets on their payload length:
tshark -r myNetworkTraffic.pcap -Y "tcp.len==12" -T fields -e tcp.segment_data | xxd -p -r | base64 -d
That produces the flag, but not in the correct order. Following the other hints, I decided to order the packets by capture time, using this command:
tshark -r myNetworkTraffic.pcap -Y "tcp.len==12 || tcp.len==4" -T fields -e frame.time -e tcp.segment_data | sort -k4 | awk '{print $6}' | xxd -p -r | base64 -d
- -Y "tcp.len==12 || tcp.len==4": this display filter selects TCP packets with a payload length of exactly 12 bytes or 4 bytes.
- -T fields: output only the selected fields (instead of a full packet dump).
- -e frame.time: shows the capture timestamp.
- -e tcp.segment_data: shows the raw TCP payload (the actual hidden data).
- sort -k4: sorts the rows starting from the fourth whitespace-separated field of the timestamp (the time of day); awk '{print $6}' then keeps only the payload column, xxd -p -r turns that hex into bytes, and base64 -d decodes the result.
here's the flag: picoCTF{1t_w4snt_th4t_34sy_tbh_4r_af160980}
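The same recovery as an added, offline example (my code, not part of the original writeup): it parses the timestamp and payload columns that tshark prints, sorts on the full date and time rather than only the time-of-day field that sort -k4 looks at, and base64-decodes the joined segments. The input is a constructed stand-in for the challenge capture, with a made-up flag and timestamps that straddle midnight to show why the full timestamp matters; the frame.time layout is assumed to be tshark's usual "Mon day, year HH:MM:SS.nanoseconds zone".

```python
import base64
import binascii
from datetime import datetime, timedelta

# Assumed layout of `tshark -T fields -e frame.time -e tcp.segment_data` rows:
# "<Mon> <day>, <year> <HH:MM:SS>.<nanoseconds> <zone>\t<hex of TCP payload>"
TS_FORMAT = "%b %d, %Y %H:%M:%S"

def parse_frame_time(text):
    """Turn a frame.time string into a sortable (datetime, nanoseconds) pair."""
    stamp, _zone = text.rsplit(" ", 1)        # drop the timezone token
    clock, nanos = stamp.rsplit(".", 1)       # split off the fractional part
    # tshark pads single-digit days with a space ("Mar  5"); collapse that
    return datetime.strptime(" ".join(clock.split()), TS_FORMAT), int(nanos)

def recover_flag(lines):
    """Order tshark rows by full capture timestamp, then base64-decode the
    concatenated TCP segments (each segment is a hex-encoded base64 chunk)."""
    rows = []
    for line in lines:
        if not line.strip():
            continue                          # tolerate blank lines in the output
        when, payload_hex = line.rstrip("\n").split("\t")
        rows.append((parse_frame_time(when), payload_hex))
    rows.sort(key=lambda row: row[0])         # date AND time, not just the clock
    b64 = b"".join(binascii.unhexlify(hexdata) for _, hexdata in rows)
    return base64.b64decode(b64, validate=True).decode()

def make_sample_lines(flag="picoCTF{t1me_0rd3r3d_s3gm3nts}"):
    """Constructed stand-in for the challenge capture (not the real pcap):
    the flag's base64 text split into 12-byte segments plus a 4-byte tail,
    timestamped across midnight and emitted out of capture order."""
    b64 = base64.b64encode(flag.encode()).decode()
    chunks = [b64[i:i + 12] for i in range(0, len(b64), 12)]
    first = datetime(2024, 3, 5, 23, 59, 58)
    lines = []
    for idx, chunk in enumerate(chunks):
        when = first + timedelta(seconds=idx)
        stamp = when.strftime(TS_FORMAT) + ".000000000 UTC"
        lines.append(f"{stamp}\t{chunk.encode().hex()}\n")
    order = [2, 0, 3, 1]                      # fixed shuffle for the default flag
    return [lines[i] for i in order]
```

With the sample above, sorting on the time-of-day field alone would place the two "00:00:0x" segments first and corrupt the decode; the full-timestamp sort recovers the flag.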
Happy Hacking!!
Written by Dharshana Vijay
