Leetmore CTF 2012: Packets 100 (Epic Arc Pt. 1)

This entry was posted on Oct 18 2012

We were given a Wireshark capture file and the following instructions:

Epic Arc

----------

Mister You is willing to hire someone who can repeat his investigation.
Arc starts from here

Part 1. Find the secret link in this conversation

Part 2. What's the md5 of the file being transferred?

Part 3. Find and solve it. It's up to you

We loaded the file in Wireshark and converted it to libpcap format, then opened the converted capture file in Network Miner.

Switching over to the “Messages” tab listed four messages; the second one was obviously the key.

Solution: http://tinyurl.com/8pdox5a

Leetmore CTF 2012: Packets 200 (Epic Arc Pt. 2)

This entry was posted on Oct 18 2012

From the URL we extracted in Part 1 of the challenge, we got a second Wireshark capture file. The task was to provide the MD5 hash of the file being transferred.

Opening it in Wireshark, we found that it was a capture of an FTP transfer.

Right-clicking the highlighted entry and selecting “Follow TCP Stream” extracts the entire data transfer. Because FTP opens a new TCP connection as soon as the file transfer begins and closes that connection as soon as the transfer ends, capturing that TCP session ensures that ONLY the file bytes are taken out and nothing else.


We saved the raw bytes thus extracted to a file; the MD5 of that file was our flag for this challenge.

Solution: 77F92EDB199815B17E2FF8DA36E200DF
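The same extraction can be scripted instead of clicked through. The following is an added example, not part of the original write-up: it reassembles one direction of the FTP data connection from a libpcap file and hashes it. It assumes a classic libpcap file with untagged Ethernet/IPv4 framing; the ports, the file name and the capture bytes are constructed for the demo.

```python
import hashlib
import struct

def tcp_segments(pcap):
    """Yield (sport, dport, seq, payload) for each Ethernet/IPv4/TCP frame in a libpcap file."""
    endian = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off = 24                                    # skip the libpcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                            # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # drop Ethernet padding
        sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
        yield sport, dport, seq, ip[ihl + (ip[ihl + 12] >> 4) * 4:]

def stream_md5(pcap, sport, dport):
    """Reassemble one direction of a TCP stream in sequence order; return (MD5, bytes)."""
    segs = {}
    for sp, dp, seq, payload in tcp_segments(pcap):
        if (sp, dp) == (sport, dport) and payload:
            segs.setdefault(seq, payload)       # retransmission: keep the first copy
    data, nxt = bytearray(), None
    for seq in sorted(segs):                    # assumes no 32-bit sequence wraparound
        nxt = seq if nxt is None else nxt
        if seq + len(segs[seq]) > nxt:          # skip bytes already covered
            data += segs[seq][max(0, nxt - seq):]
            nxt = seq + len(segs[seq])
    return hashlib.md5(data).hexdigest().upper(), bytes(data)

def _frame(sport, dport, seq, payload):
    """Build one constructed pcap record (Ethernet + IPv4 + TCP, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    eth = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

# Constructed capture: port-21 command, then the file on 20 -> 50000, reordered, one retransmit.
FILE = b"constructed file bytes, not the CTF file"
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _frame(50001, 21, 1, b"RETR demo.bin\r\n")
          + _frame(20, 50000, 1017, FILE[16:])
          + _frame(20, 50000, 1001, FILE[:16])
          + _frame(20, 50000, 1017, FILE[16:]))
if __name__ == "__main__":
    print(stream_md5(SAMPLE, 20, 50000)[0])
```

Filtering on the data connection's port pair is what keeps control-channel text such as the `RETR` command out of the hashed bytes.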