Wireshark twoo twoo (100 Points) — PicoCTF Forensics Challenge Write-up
by Karthikeyan Nagaraj
Description:
Can you find the flag? shark2.pcapng.
Tool Used — Wireshark
Task File:
https://mercury.picoctf.net/static/7b8e53329b34946177a9b5f2860a0292/shark2.pcapng
Analysis
1. Open the shark2.pcapng task file in Wireshark and look for any suspicious packets.
2. Search for strings such as flag, txt or pico (this being a picoCTF challenge), or any other words related to what we expect to find.
3. Searching for the word flag, we find an HTTP request: a GET request to /flag.
4. Right-click the packet and follow the HTTP stream.
GET /flag HTTP/1.1
Host: 18.217.1.57
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 73
Server: Werkzeug/1.0.1 Python/3.6.9
Date: Mon, 10 Aug 2020 01:39:19 GMT
picoCTF{bfe48e8500c454d647c55a4471985e776a07b26cba64526713f43758599aa98b
At the bottom you can see a flag-like string, but unfortunately this is not the flag. Let's look at the DNS requests instead.
5. Apply the dns display filter in Wireshark.
Here we can see a series of queries for random-looking base64-encoded strings prepended as subdomains of reddshrimpandherring.com, so let's try to decode all of them. To do that, we export the capture as CSV and analyse it further with Python.
6. Export the capture via File → Export Packet Dissections → As CSV.
7. The Python code below reads the lines of the exported CSV file and, for each line containing "Standard query", runs a regular-expression search for "Standard query .+ A (.+)", which picks out the queried domain name.
8. The base64-encoded part (the first label) is split off from the domain into b64_portion.
9. b64_portion is base64-decoded and stored in b64_decoded.
10. b64_decoded is then decoded as UTF-8 and stored in ascii_portion, which is appended to the result variable on two conditions: val(ascii_portion) is True, and the current ascii_portion is not the same as the end of result (a duplicate of the previous chunk).
The val() function returns False if any character in the given string
1. is not a letter and
2. is not a number and
3. is not "{" and
4. is not "}" and
5. is not "_";
otherwise it returns True.
import re
import base64
import binascii

result = ''

def val(s):
    # True only if every character is a letter, a digit, '{', '}' or '_'
    for c in s:
        if not c.isalpha() and not c.isnumeric() and not c == '{' and not c == '}' and not c == '_':
            return False
    return True

# Make sure to write the actual name of the CSV you used to save.
# Here I saved my CSV file as capture.csv
with open('capture.csv', 'r') as f:
    for line in f:
        if 'Standard query' not in line:
            continue
        m = re.search(r"Standard query .+ A (.+)", line)
        if m is None:
            continue          # e.g. an AAAA query: the pattern only matches A queries
        # the first DNS label carries the base64-encoded chunk
        b64_portion = m[1].split('.')[0]
        try:
            b64_decoded = base64.b64decode(b64_portion)
            ascii_portion = b64_decoded.decode('utf-8')
        except (binascii.Error, UnicodeDecodeError):
            continue          # not valid base64, or not text: skip this query
        # keep only flag-like chunks, and skip a chunk repeated by a retransmitted query
        if val(ascii_portion) and not result.endswith(ascii_portion):
            result += ascii_portion

print('Flag:', result)
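As an added, self-contained example (not code from the original write-up), here is the same decoding run over a constructed CSV export that contains the cases such a script has to cope with: a DNS response line, an AAAA query, a retransmitted query, ordinary queries to other domains, a label that decodes to text but fails the character check, and a final chunk whose base64 padding was stripped (the "=" is not a valid hostname character, so exfiltration tools usually drop it). The domain name and the Wireshark Info-column wording are from the write-up and Wireshark; the packet rows, IP addresses and function names are assumptions made for this example. It also lets you restrict decoding to the suspicious domain, and rejects labels outside the standard base64 alphabet instead of letting b64decode silently discard those characters.

```python
import base64
import binascii
import csv
import io
import re

# Constructed sample of a Wireshark "File -> Export Packet Dissections -> As CSV" file
# with the default columns. The Info wording ("Standard query 0x... A name") is
# Wireshark's own; the packets, IPs and timings are made up for this example.
SAMPLE_CSV = '''\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000","10.0.0.5","18.217.1.57","HTTP","411","GET /flag HTTP/1.1 "
"2","0.010","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x1001 A cGlj.reddshrimpandherring.com"
"3","0.012","10.0.0.1","10.0.0.5","DNS","101","Standard query response 0x1001 A cGlj.reddshrimpandherring.com A 18.217.1.57"
"4","0.020","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x1002 A b0NU.reddshrimpandherring.com"
"5","0.021","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x1002 A b0NU.reddshrimpandherring.com"
"6","0.030","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x1003 AAAA Rntk.reddshrimpandherring.com"
"7","0.031","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x1004 A Rntk.reddshrimpandherring.com"
"8","0.040","10.0.0.5","10.0.0.1","DNS","74","Standard query 0x1005 A www.google.com"
"9","0.050","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x1006 A bnNf.reddshrimpandherring.com"
"10","0.060","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x1007 A M3hm.reddshrimpandherring.com"
"11","0.070","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x1008 A MWxf.reddshrimpandherring.com"
"12","0.080","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x1009 A aGkh.reddshrimpandherring.com"
"13","0.090","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x100a A ZnR3.reddshrimpandherring.com"
"14","0.100","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x100b A X2Rl.reddshrimpandherring.com"
"15","0.110","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x100c A YWRi.reddshrimpandherring.com"
"16","0.120","10.0.0.5","10.0.0.1","DNS","85","Standard query 0x100d A ZWVm.reddshrimpandherring.com"
"17","0.130","10.0.0.5","10.0.0.1","DNS","83","Standard query 0x100e A fQ.reddshrimpandherring.com"
'''

# Matches A queries only: responses carry "response" after "query", AAAA queries fail the " A " part.
QUERY_RE = re.compile(r'^Standard query 0x[0-9a-f]+ A (\S+)$')
# Standard base64 alphabet; padding is re-added below, so '=' is not expected in the label.
B64_LABEL_RE = re.compile(r'^[A-Za-z0-9+/]+$')


def is_flag_text(s):
    """Same rule as the write-up's val(): only letters, digits, '{', '}' and '_' are allowed."""
    return all(c.isalnum() or c in '{}_' for c in s)


def decode_label(label):
    """Decode one DNS label as base64 text; None if it is not valid base64 or not UTF-8."""
    if not B64_LABEL_RE.match(label):
        return None                              # e.g. "my-host": reject instead of silently stripping '-'
    padded = label + '=' * (-len(label) % 4)     # restore the '=' padding the sender dropped
    try:
        return base64.b64decode(padded).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError):
        return None


def extract_exfil(csv_text, domain=None):
    """Reassemble base64 chunks carried in the first label of A queries, in capture order.

    domain, when given, limits decoding to names under that domain (hypothetical option,
    not part of the write-up's script).
    """
    result = ''
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 7 or row[4] != 'DNS':      # header row, HTTP packets, etc.
            continue
        m = QUERY_RE.match(row[6])               # Info column
        if m is None:
            continue                             # response, AAAA query, or other Info text
        name = m.group(1)
        if domain and not name.endswith('.' + domain):
            continue
        chunk = decode_label(name.split('.')[0])
        if chunk is None or not is_flag_text(chunk):
            continue                             # not base64 text, or not flag-like (e.g. "hi!")
        if result.endswith(chunk):               # retransmitted query: same chunk twice in a row
            continue
        result += chunk
    return result


if __name__ == '__main__':
    print('Flag:', extract_exfil(SAMPLE_CSV, 'reddshrimpandherring.com'))
```

Running it prints the flag reassembled from rows 2, 4, 7, 9 to 11 and 13 to 17 of the sample; rows 3, 5, 6, 8 and 12 are each dropped by a different check. Parsing the Info column with the csv module rather than a regex over the raw line avoids capturing the closing quote as part of the domain name.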
Output:
Ans: picoCTF{dns_3xf1l_ftw_deadbeef}
Feel free to ask queries via LinkedIn :)
Thank you for reading!
Happy capturing ~
Author: Karthikeyan Nagaraj