+1 (512) 588 6950

Wireshark twoo — Forensics| PicoCTF Write-up

Home/Wireshark twoo — Forensics| ...
Wireshark twoo — Forensics| PicoCTF Write-up


  1. Open the shark2.pcapng task file in Wireshark

Let’s look for any Suspicious Packet

2. Search for Strings such as flag, txt, pico, as it is the CTF or any other relevant words similar to what we are expected to find

3. By Searching for the word flag we found an HTTP Request which has a GET request to /flag

4. Right-click and Follow the HTTP Stream.

GET /flag HTTP/1.1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 73
Server: Werkzeug/1.0.1 Python/3.6.9
Date: Mon, 10 Aug 2020 01:39:19 GMT



At the Bottom, you can see a flag-like string, But unfortunately, this is not the Flag. Let’s look for DNS Requests.

5. Apply the dns filter in Wireshark

Here we can see there are some random base64 encoded strings prefixed in front of the domain so let’s try to decode Everything
So In order to do that we need to Export the Capture file as csv to further Analysis with python

6. Export the Capture by Clicking file → Export packet dissections

7. The python code below will read the Lines in the Exported csv file and first performs a regular expression search for the string “Standard query .+ A (.+)” to filter out the domains as it has a string “Standard query”

8. Then the base64 Encoded part is Split out from the Domain to b64_portion

9. Then the b64_portion is decoded and stored intob64_decoded

10. And further it is decoded by Utf-8 Encoding Scheme and stored into ascii_portion which is then added to a result variable based on a condition that if the val(ascii_portion) and if the current ascii_portion not equals to the end value of result (pre value)

The val()method returnsTrue if letters in the given string,
1. is not an Alphabet and
2. is not a Number and
3. is not a “{” and
4. is not a “}” and
5. is not a “_”
Else False

import re
import base64

result = ”

def val(s):
for c in s:
if not c.isalpha() and not c.isnumeric() and not c == ‘{‘ and not c == ‘}’ and not c == ‘_’:
return False
return True

# Make sure to write the Actual name of csv you used to save.
# Here I saved my csv file as capture.csv

with open(‘capture.csv’, ‘r’) as f:
line = f.readline()
while line:
if ‘Standard query’ in line:
m =”Standard query .+ A (.+)”, line)
b64_portion = m[1].split(‘.’)[0]
b64_decoded = base64.b64decode(b64_portion)

ascii_portion = b64_decoded.decode(‘utf-8’)


if val(ascii_portion) and not result.endswith(ascii_portion):
result += ascii_portion

line = f.readline()

print(‘Flag:’, result)



Ans: picoCTF{dns_3xf1l_ftw_deadbeef}

Feel Free to Ask Queries via LinkedIn : )

Thank you for Reading!!

Happy Capturing ~

Author: Karthikeyan Nagaraj

ctf , forensics , wireshark , capture the flag , challenge , writeup , flag , karthikeyan nagaraj , cyberw1ng

Leave a Reply