RingZer0-112 - Someone Steal my Flag
Forensics
Someone steal my flag!
Wireshark
We’re given a pcap file and need to find the flag.
The first thing we look at is the protocol hierarchy statistics. We notice that most of the TCP traffic is SSH and SSL/TLS. There’s also a lot of ICMP alongside the DNS requests.
If we look at the DNS requests, most of the successful ones go from 192.168.191.129 to 192.168.191.2. All the DNS requests going from 192.168.191.128 to 192.168.191.129 fail.
We also notice that the requests 192.168.191.128 is sending have a particular structure: a string of numbers and letters (hex?) followed by the same IP.
Using this filter lets us see only those requests:
ip.src == 192.168.191.128 && ip.dst == 192.168.191.129 && dns && !icmp
If we take the string before the IP from each request and concatenate them, we get this very long string:
56476870637942706379426849484e6c59334a6c64434230636d4675633231706448526c5a43423061484a766457646f494752756379427864575679655341364b534247544546484c555a554e44646a545667794e6e425865555a5453545a53554664685533493157564a330a
If we assume it’s hex, decoding it gives us:
echo '56476870637942706379426849484e6c59334a6c64434230636d4675633231706448526c5a43423061484a766457646f494752756379427864575679655341364b534247544546484c555a554e44646a545667794e6e425865555a5453545a53554664685533493157564a330a' | xxd -r -p
VGhpcyBpcyBhIHNlY3JldCB0cmFuc21pdHRlZCB0aHJvdWdoIGRucyBxdWVyeSA6KSBGTEFHLUZUNDdjTVgyNnBXeUZTSTZSUFdhU3I1WVJ3
I tried entering that as the answer, but it didn’t work, so we’ll assume it’s encoded again. I finally got it after trying base64:
echo 'VGhpcyBpcyBhIHNlY3JldCB0cmFuc21pdHRlZCB0aHJvdWdoIGRucyBxdWVyeSA6KSBGTEFHLUZUNDdjTVgyNnBXeUZTSTZSUFdhU3I1WVJ3' | base64 -d
This is a secret transmitted through dns query :) FLAG-FT47cMX26pWyFSI6RPWaSr5YRw
The flag is FLAG-FT47cMX26pWyFSI6RPWaSr5YRw
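As an added example (not part of the original write-up), here is a small Python script that automates the three steps above: keep only the query names shaped "<hex>.<IP>", join the hex labels in order, then peel off the hex and base64 layers and pull out the FLAG token. In practice the query names would come from the capture, e.g. `tshark -r capture.pcap -Y 'ip.src==192.168.191.128 && dns' -T fields -e dns.qry.name`; because the write-up does not show the exact label layout, the sample list below is constructed by chunking the recovered hex string, and the 32-character chunk size is an assumption.

```python
import base64
import binascii
import re

# Hex blob recovered in the write-up by joining the labels of the odd queries.
PAYLOAD_HEX = "56476870637942706379426849484e6c59334a6c64434230636d4675633231706448526c5a43423061484a766457646f494752756379427864575679655341364b534247544546484c555a554e44646a545667794e6e425865555a5453545a53554664685533493157564a330a"

# Constructed sample input (assumption: one 32-hex-char chunk per query,
# followed by the destination IP, e.g. "56476870....192.168.191.129").
DEST_IP = "192.168.191.129"
SAMPLE_QNAMES = [f"{PAYLOAD_HEX[i:i + 32]}.{DEST_IP}"
                 for i in range(0, len(PAYLOAD_HEX), 32)]

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")
FLAG_RE = re.compile(r"FLAG-[A-Za-z0-9]+")


def extract_hex_labels(qnames, suffix):
    """Join, in order, the hex labels of queries shaped '<hex>.<suffix>'.

    Anything else (ordinary lookups, mixed labels) is skipped, so an
    unfiltered list of query names from a capture can be fed in directly.
    """
    chunks = []
    for name in qnames:
        name = name.rstrip(".")
        if not name.endswith("." + suffix):
            continue
        label = name[: -(len(suffix) + 1)]
        if HEX_LABEL.match(label):
            chunks.append(label)
    return "".join(chunks)


def decode_layers(hex_blob):
    """Peel the two layers from the write-up (hex, then base64) into text.

    Returns None if either layer is malformed: odd hex length, non-hex
    characters, invalid base64 alphabet, or a non-UTF-8 result.
    """
    try:
        b64 = binascii.unhexlify(hex_blob).strip()  # drops the trailing 0a newline
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_flag(qnames, suffix=DEST_IP):
    """Full pipeline: query names -> hex blob -> text -> FLAG-... token (or None)."""
    text = decode_layers(extract_hex_labels(qnames, suffix))
    match = FLAG_RE.search(text) if text else None
    return match.group(0) if match else None
```

Running `find_flag(SAMPLE_QNAMES)` returns the same flag the write-up recovers by hand, and a list of ordinary query names mixed in is ignored rather than corrupting the blob.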