PicoCTF Writeup – shark on wire 1

# Information:

 

CTF Name: PicoCTF

CTF Challenge: shark on wire 1

Challenge Category: Forensics

Challenge Points: 150

PicoCTF 2019.

 

# Challenge Description: 

 

 
We found this packet capture. Recover the flag.
 
The words "packet capture" in the description link to a file to download.
 
Relevant hints: Try using a tool like Wireshark. What are streams?

# Writeup

 
This is a very interesting challenge! To solve it we must use a tool that I have not used before in any post on this blog – Wireshark.
 
I know that we have to use Wireshark mainly because I am familiar with the tool, but also because of the title of the challenge – shark on wire 1. If this was not clear enough, they provide a hint that suggests using Wireshark.
 
Knowing this, I then read the description. It looks like there is a file to be downloaded behind the words "packet capture".
 
This file is named capture.pcap. After a simple internet search, I found out that .pcap is an extension that can be opened with Wireshark. In particular, pcap is an API for capturing network traffic, and Wireshark is a tool that allows us to capture packets and open/read previous captures.
 
Knowing this, I went to my virtual machine, which already has Wireshark installed, and opened the file. This was the result:
 

 

This file has thousands of communications. I needed some help to filter them to be able to find the flag. I went back to the description of the challenge, in particular the second hint: “What are streams?”
 
A stream in computer networking is a sequence of data elements made available over time. This is very interesting, but I was basically in the same place. How could this information help me? I went back to the browser and searched for “streams in Wireshark”. Then I found this URL. It looks like it is possible to follow a data stream in Wireshark and see the communication as seen in the application layer (see OSI model).
 
The steps for doing so are also explained in the link above.
 
Analyze → Follow → UDP Stream
 

 

After clicking on UDP Stream this page opened up:
 

 

It corresponds to the filter udp.stream eq 0, that is, the first UDP stream, with index 0.
It is easy to see that no picoCTF flag is in this stream. I decided to increment the stream index in the bottom right corner of the image below, under the red arrow, by one until I found something useful. After a few iterations I found this:
 
 
It turns out that the flag was in the stream with index 6.
 
And the flag is:
 
picoCTF{StaT31355_636f6e6e}
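
Stepping through the stream indexes by hand, as done above, can also be scripted. The following is an added example, not part of the original writeup: it parses a classic pcap file with the Python standard library, groups UDP payloads per conversation the way Follow UDP Stream does, and searches each reassembled stream for the picoCTF{...} pattern. The function names and the sample capture are constructed for illustration; it assumes an Ethernet capture without VLAN tags or IP fragments, and that stream indexes follow the order in which conversations first appear.

```python
import re
import struct

FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}")

def udp_streams(pcap):
    """Reassemble UDP payloads per conversation, ordered by first appearance."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("need a classic pcap with Ethernet link type")
    streams, off = {}, 24  # dicts keep insertion order, giving the stream index
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17 or len(ip) < ihl + 8:
            continue  # not UDP, or truncated
        sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
        # Both directions of a conversation share one key, as in Follow UDP Stream.
        key = frozenset({(ip[12:16], sport), (ip[16:20], dport)})
        streams.setdefault(key, bytearray()).extend(ip[ihl + 8:ihl + ulen])
    return [bytes(s) for s in streams.values()]

def find_flags(pcap):
    """Return (stream index, flag) for every flag-shaped string found."""
    return [(i, m.decode()) for i, s in enumerate(udp_streams(pcap))
            for m in FLAG_RE.findall(s)]

def _record(src, dst, sport, dport, data):
    """Build one constructed pcap record: Ethernet + IPv4 + UDP (checksums left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    eth = b"\x00" * 12 + b"\x08\x00" + ip + udp
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

# Constructed sample capture: stream 0 is noise, stream 1 carries one byte per datagram.
A, B, C = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3])
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE += _record(A, B, 5000, 53, b"noise")
for ch in b"picoCTF{constructed_example}":
    SAMPLE += _record(A, C, 5000, 8888, bytes([ch]))
    SAMPLE += _record(B, A, 53, 5000, b"noise")  # reply, same conversation as stream 0

if __name__ == "__main__":
    print(find_flags(SAMPLE))
```

To run it on the challenge file, pass the bytes of capture.pcap to `find_flags`, for example `find_flags(open("capture.pcap", "rb").read())`.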

The image source can be found here.

Thank you very much for reading!

Cheers,

MRegra
