Challenge Overview
Download this packet capture and find the flag.
Solution
wget https://artifacts.picoctf.net/c/135/capture.flag.pcap
For this challenge I used tcpflow on the pcap file. You can do it through wireshark as well though.
Run this command to install tcpflow if you don't already have it.
sudo apt install tcpflow -y
Then I ran this command:
tcpflow -r capture.flag.pcap
tcpflow -r reconstructs each TCP stream in the capture into its own file. Here are all the files in the working directory after running tcpflow.
Each file is named after the source IP and port of the stream, followed by the destination IP and port.
After running file * it is clear which files contain what.
I started with this command (because that file was the first ASCII text file): cat 010.000.002.004.09001-010.000.002.015.57876. This gave one side of a conversation.
I then went on to the next ASCII text file, hoping it was the other side of the conversation (which it was): cat 010.000.002.015.57876-010.000.002.004.09001. This side of the conversation looked like this:
The first big thing is that it shows how to decrypt the file: openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123.
The second thing is that it says the file is sent over port 9002.
There was only one file that was extracted over port 9002.
And file reports it as "openssl enc'd data with salted password", which matches what is expected.
I then ran this command: mv 010.000.002.015.56370-010.000.002.004.09002 file.des3. This was done to match the syntax of the given decryption command.
Then I ran the openssl decrypting line: openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123.
Since the output file is called file.txt, I then ran cat file.txt and the flag was displayed from that file.
Flag: picoCTF{nc_73115_411_0ee72...}
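The triage steps above (reading tcpflow's stream file names and spotting the salted OpenSSL blob) can be automated. The script below is an added example, not part of the original writeup: it parses tcpflow's SRCIP.SRCPORT-DSTIP.DSTPORT naming, checks for the Salted__ header that file reports as "openssl enc'd data with salted password", and returns the flows on a given port that carry such a blob. The sample file contents are constructed, not taken from the capture.

```python
"""Triage tcpflow output: parse stream file names and flag OpenSSL-salted payloads."""
from __future__ import annotations
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# tcpflow names each reconstructed stream SRCIP.SRCPORT-DSTIP.DSTPORT with zero-padded
# octets and ports, e.g. 010.000.002.015.56370-010.000.002.004.09002
FLOW_RE = re.compile(r"^(\d{3})\.(\d{3})\.(\d{3})\.(\d{3})\.(\d{5})-"
                     r"(\d{3})\.(\d{3})\.(\d{3})\.(\d{3})\.(\d{5})$")
# `openssl enc -salt` writes this 8-byte magic, then an 8-byte salt, then ciphertext.
SALTED_MAGIC = b"Salted__"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def parse_flow_name(name: str) -> Optional[Flow]:
    """Turn a tcpflow file name into a Flow; None for anything else (e.g. report.xml)."""
    m = FLOW_RE.match(name)
    if not m:
        return None
    g = m.groups()
    src = ".".join(str(int(o)) for o in g[0:4])   # strip the zero padding
    dst = ".".join(str(int(o)) for o in g[5:9])
    return Flow(src, int(g[4]), dst, int(g[9]))

def is_openssl_salted(data: bytes) -> bool:
    """True if data looks like `openssl enc -salt` output: magic + salt + >= one 8-byte block."""
    return data.startswith(SALTED_MAGIC) and len(data) >= len(SALTED_MAGIC) + 8 + 8

def triage(files: dict[str, bytes], port: int) -> list[str]:
    """Names of flows touching `port` whose payload is an OpenSSL-salted blob."""
    hits = []
    for name, data in files.items():
        flow = parse_flow_name(name)
        if flow and port in (flow.src_port, flow.dst_port) and is_openssl_salted(data):
            hits.append(name)
    return sorted(hits)

def triage_directory(directory: str, port: int) -> list[str]:
    """Same as triage(), but over the real tcpflow output directory."""
    files = {p.name: p.read_bytes() for p in Path(directory).iterdir() if p.is_file()}
    return triage(files, port)

# Constructed stand-in for the tcpflow output directory (contents are made up).
SAMPLE = {
    "010.000.002.004.09001-010.000.002.015.57876": b"chat text, one direction\n",
    "010.000.002.015.57876-010.000.002.004.09001": b"chat text, other direction\n",
    "010.000.002.015.56370-010.000.002.004.09002": SALTED_MAGIC + bytes(range(8)) + b"\x00" * 16,
    "report.xml": b"<?xml version='1.0'?>",
}
```

Running triage_directory(".", 9002) after tcpflow -r capture.flag.pcap points straight at the file to rename to file.des3 and decrypt with the command from the chat.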