Eavesdrop picoCTF 2022 Solution

Published: July 20, 2023

Description

A packet capture contains an encrypted attachment plus a plaintext conversation describing how to decrypt it. Follow the TCP streams in Wireshark to find the decrypt command, extract the binary data, and run openssl des3 to reveal the flag.

Open the PCAP in Wireshark. Browse packets until you see a TCP stream with readable chat text (port 9001).

Right-click a packet in the chat stream and choose Follow > TCP Stream to read the conversation.

The conversation includes the openssl decrypt command and the password.

Find the binary transfer on port 9002, follow that stream, save the raw data as a hex dump, then convert to binary with xxd.

Run the openssl command from the chat to decrypt the file.

```bash
# In Wireshark: follow TCP stream on port 9001 to read the decrypt command
# Follow TCP stream on port 9002, show data as Hex, copy and paste into xxd
xxd -r -p file.hex file.des3
openssl des3 -d -salt -in file.des3 -out flag.txt
cat flag.txt
```
  1. Step 1: Follow the chat stream
    In Wireshark, filter by port 9001 or browse packets with 41-byte payloads. Right-click a matching packet and choose Follow > TCP Stream. The conversation contains the openssl command and password in plain text.

    Wireshark's Follow TCP Stream reassembles all TCP segments of a conversation and displays the payload in order, with the two directions shown in different colors. The password and the exact openssl command both appear verbatim in the message where one party tells the other how to decrypt the file. There is no key exchange of any kind: the secret is simply typed into a TCP socket in cleartext, and that unencrypted chat channel is the entire vulnerability this challenge illustrates.

  2. Step 2: Extract the encrypted file and decrypt it
    In Wireshark, follow the TCP stream on port 9002. Switch the display to Hex and copy the raw hex data. Use xxd -r -p to convert it to binary, saving the result as file.des3. Then run the openssl des3 decrypt command from the chat conversation to produce the plaintext flag file.

    ```bash
    # In Wireshark: follow TCP stream port 9002, show as Hex, copy all hex
    xxd -r -p file.hex file.des3
    openssl des3 -d -salt -in file.des3 -out flag.txt
    cat flag.txt
    ```

    Wireshark can show stream data as raw hex. Copying that hex and converting it with xxd -r -p recreates the original binary file without needing tcpflow or tshark. The -r flag reverses the dump (hex to binary) and -p selects plain hex format with no address offsets.

    Triple DES applies DES three times per block. The openssl command from the chat uses des3 -d to decrypt, -salt to indicate that the ciphertext has a random salt prepended, and -in / -out for the file paths. The deeper lesson: encryption is useless when the key itself is exchanged insecurely. TLS solves this with Diffie-Hellman or RSA key exchange so the secret never traverses the wire in cleartext.
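As an added example (not part of the original writeup), the Python below reproduces what the two commands above operate on: the `xxd -r -p` conversion, the `Salted__` layout that `-salt` refers to, and OpenSSL's legacy password-to-key derivation. The hex blob and the password `hunter2` are constructed, and the digest default depends on the OpenSSL version, so it is a parameter.

```python
import hashlib

# Constructed sample standing in for the hex pasted out of Wireshark's Follow
# TCP Stream view; the salt and body bytes are made up, not challenge data.
SAMPLE_HEX = """
53616c7465 645f5f   0011223344556677
deadbeefcafef00d 0102030405060708
"""

def hexdump_to_bytes(text):
    """Equivalent of `xxd -r -p`: drop all whitespace, decode plain hex pairs."""
    return bytes.fromhex("".join(text.split()))

def parse_openssl_salted(blob):
    """Split `openssl enc -salt` output into (salt, ciphertext).

    The file starts with the magic b"Salted__" followed by 8 random salt bytes;
    the salt is public, so anyone holding the password can rebuild the key.
    """
    if len(blob) < 16 or blob[:8] != b"Salted__":
        raise ValueError("not an OpenSSL salted file")
    return blob[8:16], blob[16:]

def evp_bytes_to_key(password, salt, key_len=24, iv_len=8, digest="md5"):
    """OpenSSL's legacy EVP_BytesToKey, used by `openssl enc` without -pbkdf2.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt); the
    concatenated digests are cut into key and IV (24 + 8 bytes for des3).
    The default digest is MD5 before OpenSSL 1.1.0 and SHA-256 from 1.1.0 on,
    so the OpenSSL version matters when reproducing the derivation.
    """
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        material += prev
    return material[:key_len], material[key_len:key_len + iv_len]

def recover_parameters(hex_text, password, digest="md5"):
    """Salt and ciphertext come from the capture, key and IV from the password
    that was read out of the chat: the eavesdropper lacks nothing."""
    salt, ciphertext = parse_openssl_salted(hexdump_to_bytes(hex_text))
    key, iv = evp_bytes_to_key(password, salt, digest=digest)
    return {"salt": salt, "key": key, "iv": iv, "ciphertext": ciphertext}

if __name__ == "__main__":
    for name, value in recover_parameters(SAMPLE_HEX, b"hunter2").items():
        print(f"{name:<10} {value.hex()}")
```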

Flag

picoCTF{nc_73115_411_0ee72...}

A perfect example of why you should never discuss crypto keys in plaintext channels.
