Network
Our SOC analysts saw some strange DNS traffic. Wanted you to figure out what was exfiltrated, can you check it and sum it up?
Given the PCAP file, open it in Wireshark. Looking at each packet, I found suspicious printable characters.
If we go to the next packet, we see a printable character at the same location. Those printable characters are stored in the checksum field of each packet. To simplify the process, I applied the checksum field as a column and then exported the packets.
Last, just write a simple script to collect the checksum values.
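The script itself is not part of the writeup, so here is an added example (not the author's code) of the same idea in Python, working directly on a pcap rather than on an exported column. It constructs a small capture in memory (the IPs, ports, DNS name and the eight-byte message are all made up for the demo), parses the Ethernet/IPv4/UDP headers, and, beyond what the writeup shows, recomputes the RFC 768 UDP checksum for each packet so that only fields which both fail verification and hold printable bytes are treated as smuggled data. That second test is what separates a covert channel from a legitimate checksum that happens to look like text.

```python
import string
import struct

# Bytes we treat as "printable" when hunting for text smuggled in a header field
# (letters, digits, punctuation and space; no control characters).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def _ones_complement_sum(data):
    """16-bit one's complement sum over data, as used by IP/UDP/TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip, dst_ip, udp_segment):
    """RFC 768 UDP checksum: IPv4 pseudo-header + UDP header (checksum zeroed) + data."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF - _ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF  # a computed 0 is transmitted as 0xFFFF


def build_dns_query(src_ip, dst_ip, checksum_override=None):
    """Ethernet/IPv4/UDP/DNS frame (constructed sample). If checksum_override is given,
    that value is written into the UDP checksum field instead of the correct one."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    dns = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x07example\x03com\x00\x00\x01\x00\x01"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    csum = udp_checksum(src_ip, dst_ip, udp) if checksum_override is None else checksum_override
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", 0xFFFF - _ones_complement_sum(ip)) + ip[12:]
    return eth + ip + udp


def build_pcap(frames):
    """Minimal classic pcap (little-endian, linktype 1 = Ethernet) around the given frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap(pcap):
    """Yield (frame_number, frame_bytes) from a little-endian classic pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off, frame_no = 24, 1
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        off += 16
        yield frame_no, pcap[off:off + incl_len]
        off += incl_len
        frame_no += 1


def inspect_udp_checksums(pcap):
    """For every IPv4/UDP frame return (frame_no, checksum field bytes, checksum_is_valid)."""
    results = []
    for frame_no, frame in iter_pcap(pcap):
        if frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:  # not UDP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        udp = ip[ihl:total_len]
        observed = udp[6:8]
        valid = struct.unpack("!H", observed)[0] == udp_checksum(ip[12:16], ip[16:20], udp)
        results.append((frame_no, observed, valid))
    return results


def recover_covert_bytes(pcap):
    """Concatenate the checksum fields of packets whose checksum does not verify
    and whose two bytes are both printable: the hallmark of data hidden in the field."""
    chunks = [obs for _, obs, valid in inspect_udp_checksums(pcap)
              if not valid and all(b in PRINTABLE for b in obs)]
    return b"".join(chunks).decode()


# Constructed sample capture: four "DNS queries" carrying "demo{ok}" two bytes at a time
# in the UDP checksum field, plus one honest query (correct checksum) inserted as frame 3.
SRC, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53])
SECRET = b"demo{ok}"
SAMPLE_FRAMES = [build_dns_query(SRC, DST, struct.unpack("!H", SECRET[i:i + 2])[0])
                 for i in range(0, len(SECRET), 2)]
SAMPLE_FRAMES.insert(2, build_dns_query(SRC, DST))
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for frame_no, observed, valid in inspect_udp_checksums(SAMPLE_PCAP):
        print(f"frame {frame_no}: checksum={observed.hex()} valid={valid}")
    print("recovered:", recover_covert_bytes(SAMPLE_PCAP))
```

To run it on a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `recover_covert_bytes`; the parser only handles the classic little-endian pcap container with Ethernet framing, so pcapng files need converting first. The same validity test transfers to TCP (the challenge flag mentions both): recompute the checksum over the pseudo-header and segment, and treat a mismatch in an otherwise well-formed packet as the signal, not merely printable-looking bytes.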
Flag: ctf{4cp_4nd_4dp_ch3cksum5_4r3_3v1l_pr00v3_m3_wr0ng_jhunidr}
We captured some pretty bizarre-looking communications, but parts of them are encrypted.
Can you help?
Flag Format: CTF{sha256}
Given the PCAP file, open it in Wireshark. We can see that there are TLS/HTTPS packets and HTTP packets.
Let's take a look at one of the HTTP requests.
From the HTTP request above we can see that it switches the protocol to WebSocket, and we can see WebSocket packets in the same TCP stream.
Sorting the packets, I tried to inspect them based on their kind.
There are two interesting pieces of data: a private key and an ssl-keys log. At first I tried to add the private key, but nothing happened.
So the next step is to add ssl-keys.log under Preferences > Protocols > TLS > (Pre)-Master-Secret log filename.
Looking at the recorded packets again, some TLS packets are now decrypted, and there is one packet (frame 1631) that contains another part of the ssl-keys.log.
Next, combine that data and store it in a new file (new-keys.log). After that, change the (Pre)-Master-Secret log filename to the new new-keys.log.
Inspecting each packet again, you'll see the flag at frame 557.
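The "combine that data" step is done by hand in the writeup. As an added example (my code, not the author's), the Python below merges several key-log fragments, such as the original ssl-keys.log and the piece recovered from frame 1631, into one file body that Wireshark's TLS dissector can load. It validates each line against the SSLKEYLOGFILE format (a known label, a 32-byte client random, an even-length hex secret, and a 48-byte master secret for `CLIENT_RANDOM` lines), deduplicates by `(label, client_random)`, and reports the lines it rejected so a truncated or corrupted fragment does not silently leave a session undecrypted. All hex values in the sample fragments are constructed placeholders, not keys from the challenge.

```python
import re

# Labels defined for the NSS/SSLKEYLOGFILE format that Wireshark's TLS dissector reads.
KNOWN_LABELS = {
    "CLIENT_RANDOM",                  # TLS 1.2 and earlier: 48-byte master secret
    "CLIENT_EARLY_TRAFFIC_SECRET",    # TLS 1.3 secrets follow
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
    "EARLY_EXPORTER_SECRET",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Parse key-log text into {(label, client_random): secret}.
    Returns (entries, rejected) where rejected is a list of (line_number, raw_line)."""
    entries, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        parts = line.split()
        ok = (len(parts) == 3 and parts[0] in KNOWN_LABELS
              and len(parts[1]) == 64 and HEX.match(parts[1])   # 32-byte client random
              and HEX.match(parts[2]) and len(parts[2]) % 2 == 0)
        if ok and parts[0] == "CLIENT_RANDOM":
            ok = len(parts[2]) == 96  # master secret is exactly 48 bytes
        if not ok:
            rejected.append((lineno, raw))
            continue
        entries[(parts[0], parts[1].lower())] = parts[2].lower()
    return entries, rejected


def merge_keylogs(*texts):
    """Merge key-log fragments into one file body (later fragments win on conflict).
    Returns (body, rejected) with rejected as (fragment_index, line_number, raw_line)."""
    merged, rejected = {}, []
    for idx, text in enumerate(texts):
        entries, bad = parse_keylog(text)
        merged.update(entries)
        rejected.extend((idx, lineno, raw) for lineno, raw in bad)
    body = "".join(f"{label} {cr} {secret}\n" for (label, cr), secret in sorted(merged.items()))
    return body, rejected


# Constructed sample fragments (placeholder hex, not real keys).
CR_A, CR_B, CR_C = "aa" * 32, "bb" * 32, "cc" * 32
KEYS_FROM_FILE = "\n".join([
    "# ssl-keys.log as shipped with the challenge (constructed placeholder values)",
    "CLIENT_RANDOM " + CR_A + " " + "11" * 48,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + CR_B + " " + "22" * 32,
])
KEYS_FROM_FRAME = "\n".join([
    "CLIENT_RANDOM " + CR_A + " " + "11" * 48,            # duplicate of the file entry
    "CLIENT_RANDOM " + CR_C + " " + "33" * 48,            # new session
    "CLIENT_TRAFFIC_SECRET_0 " + CR_B + " " + "44" * 32,  # completes the TLS 1.3 session
    "CLIENT_RANDOM " + CR_C[:20] + " " + "33" * 48,       # truncated client random: rejected
])

if __name__ == "__main__":
    body, rejected = merge_keylogs(KEYS_FROM_FILE, KEYS_FROM_FRAME)
    with open("new-keys.log", "w") as fh:
        fh.write(body)
    for idx, lineno, raw in rejected:
        print(f"rejected fragment {idx} line {lineno}: {raw!r}")
    print(body, end="")
```

Point Wireshark at the written file under Preferences > Protocols > TLS > (Pre)-Master-Secret log filename, or from the command line with `tshark -o tls.keylog_file:new-keys.log -r capture.pcap`. Keep the rejected list: if a session still shows as encrypted, the fragment for its client random is usually the one that failed validation.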
Flag: CTF{ec4a9fda046b09e2dce095f772262c766a857ac041c9cf3745cdd2a76a8b5819}