Wireshark twoo — Forensics| PicoCTF Write-up


Analysis

1. Open the shark2.pcapng task file in Wireshark.

Let's look for any suspicious packets.

2. Search for strings such as flag, txt, pico (since this is a picoCTF challenge) or any other words related to what we expect to find.

3. Searching for the word flag turns up an HTTP GET request to /flag.

4. Right-click and Follow the HTTP Stream.

GET /flag HTTP/1.1
Host: 18.217.1.57
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 73
Server: Werkzeug/1.0.1 Python/3.6.9
Date: Mon, 10 Aug 2020 01:39:19 GMT

picoCTF{bfe48e8500c454d647c55a4471985e776a07b26cba64526713f43758599aa98b


At the bottom you can see a flag-like string, but unfortunately this is not the flag. Let's look at the DNS requests instead.

5. Apply the dns display filter in Wireshark.

Here we can see a series of random-looking base64-encoded strings used as subdomains of reddshrimpandherring.com, so let's try to decode all of them.
To do that we need to export the capture as CSV for further analysis with Python.

6. Export the capture via File → Export Packet Dissections → As CSV.

7. The Python code below reads the exported CSV line by line and first applies the regular expression "Standard query .+ A (.+)" to pick out the DNS query lines (their Info column starts with "Standard query") and capture the queried domain.

8. The base64-encoded part (the first label) is then split off from the domain into b64_portion.

9. b64_portion is base64-decoded and stored in b64_decoded.

10. b64_decoded is then decoded as UTF-8 and stored in ascii_portion, which is appended to the result variable only if val(ascii_portion) is True and result does not already end with ascii_portion (this drops repeated DNS queries for the same label).

The val() method returns False if any character in the given string
1. is not a letter and
2. is not a digit and
3. is not "{" and
4. is not "}" and
5. is not "_";
otherwise it returns True.

import re
import base64
import binascii

result = ''

def val(s):
    # True only if every character is a letter, a digit, '{', '}' or '_'
    for c in s:
        if not c.isalpha() and not c.isnumeric() and not c == '{' and not c == '}' and not c == '_':
            return False
    return True

# Make sure to write the actual name of the csv you used to save.
# Here I saved my csv file as capture.csv

with open('capture.csv', 'r') as f:
    line = f.readline()
    while line:
        if 'Standard query' in line:
            m = re.search(r"Standard query .+ A (.+)", line)
            if m:  # lines without an A record (e.g. AAAA queries) are skipped
                b64_portion = m[1].split('.')[0]
                try:
                    b64_decoded = base64.b64decode(b64_portion)
                    ascii_portion = b64_decoded.decode('utf-8')
                except (binascii.Error, UnicodeDecodeError):
                    pass  # not valid base64 or not text: skip this line
                else:
                    if val(ascii_portion) and not result.endswith(ascii_portion):
                        result += ascii_portion
        line = f.readline()

print('Flag:', result)
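The same technique from the defender's side, as an added example that is not part of the original write-up: instead of hunting for one flag, it groups DNS queries by registered domain, collapses retries, checks how many distinct first labels decode to printable base64 text, flags the domain when all of them do, and reassembles the payload in capture order. The SAMPLE_QUERIES lines are constructed Wireshark Info text, not taken from the challenge capture.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample of Wireshark "Info" text for DNS queries (not from the challenge
# capture): three base64 labels to the exfil domain, one retry, one ordinary lookup.
SAMPLE_QUERIES = [
    "Standard query 0x1a2b A cGljb0NURns.reddshrimpandherring.com",
    "Standard query 0x1a2c A ZG5zXzN4ZjFs.reddshrimpandherring.com",
    "Standard query 0x1a2c A ZG5zXzN4ZjFs.reddshrimpandherring.com",
    "Standard query 0x1a2d A X2Z0d30.reddshrimpandherring.com",
    "Standard query 0x1a2e A www.example.com",
]

QUERY_RE = re.compile(r"Standard query (?!response)\S+ A (\S+)")  # queries only, not responses


def decode_label(label):
    """Base64-decode a hostname label; return printable ASCII text or None."""
    padded = label + "=" * (-len(label) % 4)  # hostnames usually drop '=' padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def dns_exfil_report(info_lines, min_labels=3):
    """Per registered domain: distinct first labels (retries collapsed), how many decode, a flag, the payload."""
    seen = defaultdict(list)  # domain -> first labels in capture order, no repeats
    for line in info_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        labels = m.group(1).rstrip('"').split(".")  # a CSV export may leave a closing quote
        if len(labels) < 3:
            continue  # bare domain, no label to carry data
        bucket = seen[".".join(labels[-2:])]
        if labels[0] not in bucket:
            bucket.append(labels[0])
    report = {}
    for domain, labels in seen.items():
        hits = [t for t in map(decode_label, labels) if t is not None]
        report[domain] = {
            "distinct_labels": len(labels),
            "decodable": len(hits),
            "flagged": len(hits) >= min_labels and len(hits) == len(labels),
            "payload": "".join(hits),
        }
    return report
```

Point it at the Info column of the CSV export (or a DNS server log) to get a per-domain summary; the min_labels threshold keeps a single odd-looking hostname from triggering on its own.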


Output:

Ans: picoCTF{dns_3xf1l_ftw_deadbeef}

Feel Free to Ask Queries via LinkedIn : )

Thank you for Reading!!

Happy Capturing ~

Author: Karthikeyan Nagaraj
