For the past three years, I have been a volunteer for our Cybersecurity Festival event during Cybersecurity Awareness Month. In my first year, I volunteered to create a few purpose-built vulnerable machines for the Red versus Blue team event. Last year, I volunteered for two events: the first was the Capture The Flag (CTF), and the second was the Offense for Defense event. This year, our Information Security Office team asked me to come back and join a talented team creating CTF challenges. In this post, I will cover how to solve the PCAP CTF challenges that I created.

Creation of the challenges
It took me a while to determine what challenges I wanted to incorporate this year. Two things I wanted for sure: a few easier challenges and at least one difficult one. In total, I created four packet capture challenges.
I searched the Internet for inspiration as to what traffic I needed to generate for my packet capture files. I came across a CTF challenge that involved Internet Control Message Protocol (ICMP) and decided to go with that on some of the challenges. From there, I decided to stick with cipher challenges. Though, I did add a Base64 decoding challenge as the easiest one.
While I could have used Scapy to craft traffic, which I slightly covered in this post, I decided to use nping since it is a bit easier and quicker. On top of the ICMP, I also used other protocols to embed files in the packet capture that players would have to save.
First challenge – packet1.pcap
Note:
If you want to solve the CTF challenges, then download the files here.
The first PCAP challenge is quite easy for someone familiar with Base64 and with analyzing packet captures. For someone unfamiliar with packet capture analysis, it may take a while; at this event I saw some folks who did not solve it quickly. That is by no means a shot at them, since our CTF players come from a mixture of backgrounds, skills, and knowledge levels.
Without further delay, this is how I would approach this first PCAP challenge. First, I would check what kind of traffic is present in the file, as shown below.
andrew@kali:~$ tshark -nr packet1.pcap
    1   0.000000 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=1/256, ttl=63
    2   0.000020 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=1/256, ttl=64 (request in 1)
    3   1.000980 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=2/512, ttl=63
    4   1.001003 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=2/512, ttl=64 (request in 3)
    5   2.002054 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=3/768, ttl=63
    6   2.002072 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=3/768, ttl=64 (request in 5)
    7   3.002716 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=4/1024, ttl=63
    8   3.002735 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=4/1024, ttl=64 (request in 7)
    9   4.004104 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=5/1280, ttl=63
   10   4.004124 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=5/1280, ttl=64 (request in 9)
   11   5.005306 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=6/1536, ttl=63
   12   5.005324 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=6/1536, ttl=64 (request in 11)
   13   6.007027 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=7/1792, ttl=63
   14   6.007046 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=7/1792, ttl=64 (request in 13)
   15   7.008436 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=8/2048, ttl=63
   16   7.008455 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=8/2048, ttl=64 (request in 15)
   17   8.009561 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=9/2304, ttl=63
   18   8.009580 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=9/2304, ttl=64 (request in 17)
   19   9.010939 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=10/2560, ttl=63
   20   9.010955 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=10/2560, ttl=64 (request in 19)
   21  10.012564 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=11/2816, ttl=63
   22  10.012579 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=11/2816, ttl=64 (request in 21)
   23  11.014447 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=12/3072, ttl=63
   24  11.014466 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=12/3072, ttl=64 (request in 23)
   25  12.016107 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=13/3328, ttl=63
   26  12.016124 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=13/3328, ttl=64 (request in 25)
   27  13.017863 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=14/3584, ttl=63
   28  13.017885 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=14/3584, ttl=64 (request in 27)
   29  14.019271 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=15/3840, ttl=63
   30  14.019288 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=15/3840, ttl=64 (request in 29)
   31  15.020536 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=16/4096, ttl=63
   32  15.020554 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=16/4096, ttl=64 (request in 31)
   33  16.022411 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=17/4352, ttl=63
   34  16.022431 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=17/4352, ttl=64 (request in 33)
   35  17.023677 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=18/4608, ttl=63
   36  17.023696 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=18/4608, ttl=64 (request in 35)
   37  17.313236 172.24.20.31 → 171.64.20.62 ICMP 70 Echo (ping) reply    id=0x0001, seq=0/0, ttl=63
   38  18.025681 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=19/4864, ttl=63
   39  18.025699 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=19/4864, ttl=64 (request in 38)
   40  19.026884 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0x7a93, seq=20/5120, ttl=63
   41  19.026905 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0x7a93, seq=20/5120, ttl=64 (request in 40)
As you will notice, all of the packets are ICMP. Since the packet sizes are small, we can probably rule out ICMP tunneling of anything large, and the data is most likely just ASCII text. When dealing with text, you can use the strings command.
andrew@kali:~$ strings packet1.pcap
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn U1VDVEYyMDIze2FpX2lzX2Nvb2x9
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
)XOn !"#$%&'()*+,-./01234567
If the PCAP file had a lot of repeated traffic, I would filter to lessen the output, as shown below.
andrew@kali:~$ strings -n 10 packet1.pcap | grep -v 1234
U1VDVEYyMDIze2FpX2lzX2Nvb2x9
If I were unfamiliar with Base32 or Base64, I would likely use ChatGPT or a similar tool to identify this string, which fits the Cyberfest’s artificial intelligence theme. As you can see in the screenshot below, ChatGPT recognized the encoding and also decoded it for me.

As someone familiar with Base64, I would use the command line to decode it quickly.
andrew@kali:~$ strings -n 10 packet1.pcap | grep -v 1234 | base64 -d
SUCTF2023{ai_is_cool}
Flag
SUCTF2023{ai_is_cool}
Second challenge – packet2.pcap
I rated the second challenge as moderate difficulty, though some folks may think it is still pretty easy. For this second challenge, I mixed ICMP, TCP traffic generated with Netcat, and FTP traffic. A few folks took a while to find the FTP traffic, which delayed their progress. Had they used the strings command, they would have found it quicker.
Let us pretend that we do not know the contents of the traffic yet and inspect the traffic.
andrew@kali:~$ tshark -nr packet2.pcap
    1   0.000000 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0xc890, seq=1/256, ttl=63
    2   0.000020 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0xc890, seq=1/256, ttl=64 (request in 1)
    3   1.001961 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0xc890, seq=2/512, ttl=63
    4   1.001979 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0xc890, seq=2/512, ttl=64 (request in 3)
    5   2.003244 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0xc890, seq=3/768, ttl=63
    6   2.003257 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0xc890, seq=3/768, ttl=64 (request in 5)
    7   3.003351 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0xc890, seq=4/1024, ttl=63
    8   3.003370 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0xc890, seq=4/1024, ttl=64 (request in 7)
    9   4.004365 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0xc890, seq=5/1280, ttl=63
   10   4.004390 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0xc890, seq=5/1280, ttl=64 (request in 9)
   11   5.006097 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0xc890, seq=6/1536, ttl=63
   12   5.006117 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0xc890, seq=6/1536, ttl=64 (request in 11)
   13   6.007736 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0xc890, seq=7/1792, ttl=63
   14   6.007756 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0xc890, seq=7/1792, ttl=64 (request in 13)
   15   6.933722 172.24.20.31 → 171.64.20.62 TCP 74 59752 → 4444 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2741268107 TSecr=0 WS=128
   16   6.933749 171.64.20.62 → 172.24.20.31 TCP 74 4444 → 59752 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=3516162405 TSecr=2741268107 WS=128
   17   6.934794 172.24.20.31 → 171.64.20.62 TCP 66 59752 → 4444 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2741268109 TSecr=3516162405
   18   7.009493 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0xc890, seq=8/2048, ttl=63
   19   7.009503 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0xc890, seq=8/2048, ttl=64 (request in 18)
   20   8.010998 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request  id=0xc890, seq=9/2304, ttl=63
   21   8.011015 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply    id=0xc890, seq=9/2304, ttl=64 (request in 20)
   22   8.614238 172.24.20.31 → 171.64.20.62 TCP 72 59752 → 4444 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=6 TSval=2741269788 TSecr=3516162405
   23   8.614259 171.64.20.62 → 172.24.20.31 TCP 66 4444 → 59752 [ACK] Seq=1 Ack=7 Win=65280 Len=0 TSval=3516164085 TSecr=2741269788
<-- Output omitted for brevity -->
Looking at the output, we can see ICMP traffic again, along with some TCP and FTP traffic. It is probably safe to ignore the ICMP traffic again, since the frame sizes are the same as the ordinary pings in the previous capture. Since FTP is a cleartext protocol, as mentioned earlier, we can run the strings command.
andrew@kali:~$ strings packet2.pcap | grep -v 'XOn\|1234'
aeHello How are you?
udAre you a robot?
ec`220 FTP Server Ready
V9USER anonymous
ecb331 User name okay, need password...
V:PASS
230 Login OK
215 UNIX Type: L8
500 'FEAT ': command not understood.
TYPE I
200 Type is set
`SIZE global_thermonuclear_war.gamerules.txt
213 29
aEPSV
500 'EPSV ': command not understood.
bPASV
227 Entering Passive Mode (171,64,20,62,147,65)
dRETR global_thermonuclear_war.gamerules.txt
150 Opening BINARY mode data connection for global_thermonuclear_war.gamerules.txt
https://tinyurl.com/yr5zprz4
226 Transfer complete.
MDTM global_thermonuclear_war.gamerules.txt
213 20230924192313
221 Logout
Did you ever play tic-tac-toe?
WYeah. Of course.
But you don't play anymore?
IWhy?
Because it's a boring game. It's always a tie.
Exactly. There's no way to win. The game itself is pointless.
If we read the output, we can see a successful transfer of a file called global_thermonuclear_war.gamerules.txt. The text file contains a link that we can try to visit. If we do, it’s a Google Doc named Club Tux. This file contains images with some bizarre symbols.
Typically, CTF challenge authors leave some hints for folks to figure out. In this case, I left two of them: the tic-tac-toe line in the supposed chat conversation, and the filename. Tux is a penguin, so if you search for Club Penguin’s secret code, you will see that it is a Tic-Tac-Toe cipher.
If we use this site and copy and paste the images to it, then it will decipher it and give us EX MACHINA AVA.
Flag
SUCTF2023{EX MACHINA AVA}
Third challenge – packet3.pcap
I rated this third challenge as hard. It requires some out-of-the-box thinking and familiarity with ciphers. In this challenge, I sent a crafted ICMP packet and HTTP-related packets. Essentially, the crafted ICMP packet contains the ciphertext, and the HTTP traffic includes the necessary files to help with solving the challenge. Unfortunately, none of the CTF participants were able to solve this.
Now, let us put our CTF participant hat back on and skim through the packets in the file.
andrew@kali:~$ tshark -nr packet3.pcap
    1   0.000000 172.24.20.31 → 171.64.20.62 ICMP 78 Echo (ping) reply    id=0x0001, seq=0/0, ttl=63
    2   3.677930 172.24.20.31 → 171.64.20.62 TCP 74 57494 → 8000 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=371041141 TSecr=0 WS=128
    3   3.677951 171.64.20.62 → 172.24.20.31 TCP 74 8000 → 57494 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1145935440 TSecr=371041141 WS=128
    4   3.678783 172.24.20.31 → 171.64.20.62 TCP 66 57494 → 8000 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=371041142 TSecr=1145935440
    5   3.679480 172.24.20.31 → 171.64.20.62 HTTP 415 GET / HTTP/1.1
    6   3.679490 171.64.20.62 → 172.24.20.31 TCP 66 8000 → 57494 [ACK] Seq=1 Ack=350 Win=64896 Len=0 TSval=1145935442 TSecr=371041142
    7   3.680409 171.64.20.62 → 172.24.20.31 TCP 221 HTTP/1.0 200 OK [TCP segment of a reassembled PDU]
    8   3.680472 171.64.20.62 → 172.24.20.31 HTTP 296 HTTP/1.0 200 OK (text/html)
    9   3.681413 172.24.20.31 → 171.64.20.62 TCP 66 57494 → 8000 [ACK] Seq=350 Ack=156 Win=64128 Len=0 TSval=371041145 TSecr=1145935443
   10   3.681670 172.24.20.31 → 171.64.20.62 TCP 66 57494 → 8000 [FIN, ACK] Seq=350 Ack=387 Win=64128 Len=0 TSval=371041145 TSecr=1145935443
   11   3.681678 171.64.20.62 → 172.24.20.31 TCP 66 8000 → 57494 [ACK] Seq=387 Ack=351 Win=64896 Len=0 TSval=1145935444 TSecr=371041145
   12   5.377278 172.24.20.31 → 171.64.20.62 TCP 74 57502 → 8000 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=371042840 TSecr=0 WS=128
   13   5.377299 171.64.20.62 → 172.24.20.31 TCP 74 8000 → 57502 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1145937140 TSecr=371042840 WS=128
   14   5.378389 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=371042841 TSecr=1145937140
   15   5.401363 172.24.20.31 → 171.64.20.62 HTTP 460 GET /suctf2023 HTTP/1.1
   16   5.401385 171.64.20.62 → 172.24.20.31 TCP 66 8000 → 57502 [ACK] Seq=1 Ack=395 Win=64768 Len=0 TSval=1145937164 TSecr=371042864
   17   5.404570 171.64.20.62 → 172.24.20.31 TCP 270 HTTP/1.0 200 OK [TCP segment of a reassembled PDU]
   18   5.404638 171.64.20.62 → 172.24.20.31 TCP 7306 8000 → 57502 [PSH, ACK] Seq=205 Ack=395 Win=64768 Len=7240 TSval=1145937167 TSecr=371042864 [TCP segment of a reassembled PDU]
   19   5.404651 171.64.20.62 → 172.24.20.31 TCP 5858 8000 → 57502 [PSH, ACK] Seq=7445 Ack=395 Win=64768 Len=5792 TSval=1145937167 TSecr=371042864 [TCP segment of a reassembled PDU]
   20   5.405265 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=205 Win=64128 Len=0 TSval=371042869 TSecr=1145937167
   21   5.405271 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=4549 Win=61312 Len=0 TSval=371042869 TSecr=1145937167
   22   5.405278 171.64.20.62 → 172.24.20.31 TCP 10202 8000 → 57502 [PSH, ACK] Seq=13237 Ack=395 Win=64768 Len=10136 TSval=1145937168 TSecr=371042869 [TCP segment of a reassembled PDU]
   23   5.405336 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=8893 Win=62464 Len=0 TSval=371042869 TSecr=1145937167
   24   5.405341 171.64.20.62 → 172.24.20.31 TCP 10202 8000 → 57502 [PSH, ACK] Seq=23373 Ack=395 Win=64768 Len=10136 TSval=1145937168 TSecr=371042869 [TCP segment of a reassembled PDU]
   25   5.405345 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=13237 Win=62464 Len=0 TSval=371042869 TSecr=1145937167
   26   5.405350 171.64.20.62 → 172.24.20.31 TCP 8754 8000 → 57502 [PSH, ACK] Seq=33509 Ack=395 Win=64768 Len=8688 TSval=1145937168 TSecr=371042869 [TCP segment of a reassembled PDU]
   27   5.405777 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=19029 Win=60416 Len=0 TSval=371042869 TSecr=1145937168
   28   5.405779 171.64.20.62 → 172.24.20.31 TCP 2962 8000 → 57502 [PSH, ACK] Seq=42197 Ack=395 Win=64768 Len=2896 TSval=1145937168 TSecr=371042869 [TCP segment of a reassembled PDU]
   29   5.405803 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=23373 Win=57216 Len=0 TSval=371042869 TSecr=1145937168
   30   5.405808 171.64.20.62 → 172.24.20.31 TCP 17442 8000 → 57502 [PSH, ACK] Seq=45093 Ack=395 Win=64768 Len=17376 TSval=1145937168 TSecr=371042869 [TCP segment of a reassembled PDU]
   31   5.405951 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=29165 Win=75776 Len=0 TSval=371042869 TSecr=1145937168
   32   5.405978 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=36405 Win=90240 Len=0 TSval=371042869 TSecr=1145937168
   33   5.405984 171.64.20.62 → 172.24.20.31 TCP 14546 8000 → 57502 [PSH, ACK] Seq=62469 Ack=395 Win=64768 Len=14480 TSval=1145937169 TSecr=371042869 [TCP segment of a reassembled PDU]
   34   5.405989 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=42197 Win=96384 Len=0 TSval=371042869 TSecr=1145937168
   35   5.405994 171.64.20.62 → 172.24.20.31 TCP 23234 8000 → 57502 [PSH, ACK] Seq=76949 Ack=395 Win=64768 Len=23168 TSval=1145937169 TSecr=371042869 [TCP segment of a reassembled PDU]
   36   5.406506 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=47989 Win=96384 Len=0 TSval=371042870 TSecr=1145937168
   37   5.406510 171.64.20.62 → 172.24.20.31 TCP 8754 8000 → 57502 [PSH, ACK] Seq=100117 Ack=395 Win=64768 Len=8688 TSval=1145937169 TSecr=371042870 [TCP segment of a reassembled PDU]
   38   5.406515 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=61021 Win=89088 Len=0 TSval=371042870 TSecr=1145937168
   39   5.406520 171.64.20.62 → 172.24.20.31 TCP 29026 8000 → 57502 [PSH, ACK] Seq=108805 Ack=395 Win=64768 Len=28960 TSval=1145937169 TSecr=371042870 [TCP segment of a reassembled PDU]
   40   5.406524 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=75501 Win=82944 Len=0 TSval=371042870 TSecr=1145937169
   41   5.406528 171.64.20.62 → 172.24.20.31 TCP 2962 8000 → 57502 [PSH, ACK] Seq=137765 Ack=395 Win=64768 Len=2896 TSval=1145937169 TSecr=371042870 [TCP segment of a reassembled PDU]
   42   5.406529 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=88533 Win=70016 Len=0 TSval=371042870 TSecr=1145937169
   43   5.406531 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=100117 Win=58496 Len=0 TSval=371042870 TSecr=1145937169
   44   5.406535 171.64.20.62 → 172.24.20.31 TCP 18018 [TCP Window Full] 8000 → 57502 [PSH, ACK] Seq=140661 Ack=395 Win=64768 Len=17952 TSval=1145937169 TSecr=371042870 [TCP segment of a reassembled PDU]
   45   5.407252 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=105909 Win=96384 Len=0 TSval=371042871 TSecr=1145937169
   46   5.407257 171.64.20.62 → 172.24.20.31 TCP 11650 8000 → 57502 [PSH, ACK] Seq=158613 Ack=395 Win=64768 Len=11584 TSval=1145937170 TSecr=371042871 [TCP segment of a reassembled PDU]
   47   5.407261 171.64.20.62 → 172.24.20.31 HTTP 288 HTTP/1.0 200 OK
   48   5.407263 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=118941 Win=89088 Len=0 TSval=371042871 TSecr=1145937169
   49   5.407265 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=123285 Win=104960 Len=0 TSval=371042871 TSecr=1145937169
   50   5.407266 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=131973 Win=122368 Len=0 TSval=371042871 TSecr=1145937169
   51   5.407471 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=140661 Win=139776 Len=0 TSval=371042871 TSecr=1145937169
   52   5.407473 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=146453 Win=151296 Len=0 TSval=371042871 TSecr=1145937169
   53   5.407474 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=155141 Win=168704 Len=0 TSval=371042871 TSecr=1145937169
   54   5.407475 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=156589 Win=171648 Len=0 TSval=371042871 TSecr=1145937169
   55   5.407502 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=158613 Win=175616 Len=0 TSval=371042871 TSecr=1145937169
   56   5.408234 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=164405 Win=187264 Len=0 TSval=371042871 TSecr=1145937170
   57   5.408236 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [ACK] Seq=395 Ack=170197 Win=198784 Len=0 TSval=371042871 TSecr=1145937170
   58   5.409034 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [FIN, ACK] Seq=395 Ack=170420 Win=201728 Len=0 TSval=371042872 TSecr=1145937170
   59   5.409040 171.64.20.62 → 172.24.20.31 TCP 66 8000 → 57502 [ACK] Seq=170420 Ack=396 Win=64768 Len=0 TSval=1145937172 TSecr=371042872
As you may have noticed, there is a single ICMP packet, and its size (78 bytes) differs from the regular 98-byte ping traffic in the earlier PCAP files. Let us inspect it to see if there is helpful data in there.
andrew@kali:~$ tshark -nr packet3.pcap -Y icmp -T fields -e data.text -o data.show_as_text:True
TJDGW2023{jiu_dntijcf_net_tqdnijupo}
The data contains a string that is similar to the flag format. However, the string is encrypted, and we must decrypt it. Since there are more packets to inspect, we will go back to the ciphertext later.
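The strings-and-base64 step in the first challenge and the tshark -e data.text step above both boil down to the same thing: pull every ICMP echo payload out of the capture and single out the one that does not look like an ordinary ping. The Python script below is an added example, not code from the post; it does that without tshark by parsing a classic pcap directly, keeping only IPv4 ICMP echo packets, flagging payloads that lack the incrementing byte run ping leaves behind, and attempting a strict Base64 decode on them. It runs against a constructed capture that mirrors the packet1.pcap layout (98-byte pings around one 70-byte crafted reply carrying the post's Base64 string); the frame builder, timestamps and zeroed MAC addresses are assumptions for the demo.

```python
import base64
import socket
import struct

# The run of bytes 0x20..0x37 (` !"#$%&'()*+,-./01234567`) that strings printed for
# every ordinary ping in the post: ping fills its data with an incrementing pattern.
PING_TAIL = bytes(range(0x20, 0x38))
# Classic pcap magic numbers (usec and nsec variants) -> struct endianness prefix.
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}


def pcap_records(data):
    """Yield each captured frame from a classic (non-pcapng) Ethernet pcap."""
    endian = PCAP_MAGICS.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet link-layer captures are handled here")
    off = 24  # global header is 24 bytes; each record header is 16 bytes
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_icmp_echo(frame):
    """Return (icmp_type, ident, seq, payload) for an IPv4 ICMP echo, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 1:  # IP protocol 1 = ICMP
        return None
    icmp = frame[14 + ihl:14 + total_len]
    if len(icmp) < 8 or icmp[0] not in (0, 8):  # echo reply / echo request only
        return None
    ident, seq = struct.unpack_from("!HH", icmp, 4)
    return icmp[0], ident, seq, icmp[8:]


def find_odd_icmp(pcap):
    """(packet_no, icmp_type, payload) for echo packets that are not ordinary pings."""
    findings = []
    for no, frame in enumerate(pcap_records(pcap), start=1):
        parsed = parse_icmp_echo(frame)
        if parsed is None:
            continue
        icmp_type, _ident, _seq, payload = parsed
        if len(payload) == 56 and payload.endswith(PING_TAIL):
            continue  # 56 data bytes = the 98-byte frames seen throughout the post
        findings.append((no, icmp_type, payload))
    return findings


def try_base64(payload):
    """Strict decode: anything outside the Base64 alphabet yields None, not garbage."""
    try:
        return base64.b64decode(payload, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


# --- constructed sample capture (assumption: not the post's packet1.pcap) -----------
def _checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _frame(src, dst, icmp_type, ident, seq, payload):
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp  # zeroed MACs are fine for the demo


def sample_pcap():
    """Three ping pairs, one crafted 70-byte echo reply, then one more pair."""
    a, b, ping_id = "172.24.20.31", "171.64.20.62", 0x7A93
    ping_data = struct.pack("<II", 1693238287, 123456) + bytes(range(8, 56))
    frames = []
    for seq in (1, 2, 3):
        frames.append(_frame(a, b, 8, ping_id, seq, ping_data))
        frames.append(_frame(b, a, 0, ping_id, seq, ping_data))
    frames.append(_frame(a, b, 0, 1, 0, b"U1VDVEYyMDIze2FpX2lzX2Nvb2x9"))
    frames.append(_frame(a, b, 8, ping_id, 4, ping_data))
    frames.append(_frame(b, a, 0, ping_id, 4, ping_data))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1693238287 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for no, icmp_type, payload in find_odd_icmp(sample_pcap()):
        print(no, icmp_type, len(payload), payload, "->", try_base64(payload))
```

The same size-and-pattern check is a reasonable baseline detection for ICMP covert channels on a real capture: anything ping itself did not generate is worth a second look.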
Since we saw that there was TCP traffic there, let us see how many TCP streams are in there.
andrew@kali:~$ tshark -nr packet3.pcap -T fields -e tcp.stream | sort -u
0
1
Okay, it looks like there are two TCP streams here. Let us inspect the first stream and see what kind of traffic that is.
andrew@kali:~$ tshark -nr packet3.pcap -qz follow,http,ascii,0

===================================================================
Follow: http,ascii
Filter: tcp.stream eq 0
Node 0: 172.24.20.31:57494
Node 1: 171.64.20.62:8000
349
GET / HTTP/1.1
Host: 171.64.20.62:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

	155
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.11.2
Date: Mon, 28 Aug 2023 15:58:07 GMT
Content-type: text/html; charset=utf-8
Content-Length: 230

	230
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="suctf2023">suctf2023</a></li>
</ul>
<hr>
</body>
</html>
===================================================================
The first TCP stream was the traffic when the client visited the web server. This TCP stream does not help solve the challenge, so let us look at the second TCP stream.
andrew@kali:~$ tshark -nr packet3.pcap -qz follow,http,ascii,1

===================================================================
Follow: http,ascii
Filter: tcp.stream eq 1
Node 0: 172.24.20.31:57502
Node 1: 171.64.20.62:8000
394
GET /suctf2023 HTTP/1.1
Host: 171.64.20.62:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://171.64.20.62:8000/
Upgrade-Insecure-Requests: 1

	204
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.11.2
Date: Mon, 28 Aug 2023 15:58:08 GMT
Content-type: application/octet-stream
Content-Length: 170214
Last-Modified: Mon, 28 Aug 2023 15:49:12 GMT

	170214
<-- Output omitted for brevity -->
./....... .......suctf1.png . ..........<........S......A............AE...PK..?.3...c....W....%Z..3]....
/....... ...I'..suctf10.png . ..........5..i....N.......A............AE...PK..?.3...c.H..W.....4...6....
/....... .......suctf11.png . ..........-..j....N.......A............AE...PK..?.3...c.l..W.....F...J....
/....... .......suctf12.png . ..........'.-j....N.......A............AE...PK..?.3...c....W.....*......
./....... .......suctf2.png . ..........._.......S......A............AE...PK..?.3...c.3..W.....F...I..
./....... ....'..suctf3.png . ..........v..g.....S......A............AE...PK..?.3...c.\..W....&...l...
./....... ....o..suctf4.png . .............g....N.......A............AE...PK..?.3...c....W....\.......
./....... ...Y...suctf5.png . ..........:..h....N.......A............AE...PK..?.3...c....W.....j...n..
./....... .......suctf6.png . ..........R.Bh....N.......A............AE...PK..?.3...c....W.....$..H)..
./....... .......suctf7.png . .............h....N.......A............AE...PK..?.3...c....W.....K...O..
./....... ....0..suctf8.png . ...........0)i....N.......A............AE...PK..?.3...c....W............
./....... ....|..suctf9.png . ..........4.oi....N.......A............AE...PK....................
===================================================================
From the looks of it, the client downloaded a file called suctf2023. Since there is only one file, and the output mentions several PNG files (alongside the PK signatures), it is not unreasonable to think it is some sort of archive. We will be able to inspect it further once we extract the file from the capture. Note that --export-objects takes the form protocol,destination-directory, so the command below writes the downloaded object into a directory named suctf2023.
andrew@kali:~$ tshark -nr packet3.pcap --export-objects http,suctf2023
    1   0.000000 172.24.20.31 → 171.64.20.62 ICMP 78 Echo (ping) reply    id=0x0001, seq=0/0, ttl=63
    2   3.677930 172.24.20.31 → 171.64.20.62 TCP 74 57494 → 8000 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=371041141 TSecr=0 WS=128
<-- Output omitted for brevity; the packet listing is identical to the tshark -nr output above -->
   58   5.409034 172.24.20.31 → 171.64.20.62 TCP 66 57502 → 8000 [FIN, ACK] Seq=395 Ack=170420 Win=201728 Len=0 TSval=371042872 TSecr=1145937170
   59   5.409040 171.64.20.62 → 172.24.20.31 TCP 66 8000 → 57502 [ACK] Seq=170420 Ack=396 Win=64768 Len=0 TSval=1145937172 TSecr=371042872
The output looks like an ordinary packet listing, as if nothing else happened, but the command also created a directory in your working directory and saved the objects it pulled out of the HTTP stream there. The %2f entry is the percent-encoded name for the request for / (the server's index), which is not what we are after; the 170214-byte suctf2023 file is.
andrew@kali:~$ ls -l suctf2023
total 172
-rw-r--r-- 1 andrew andrew    230 Oct 27 08:38 %2f
-rw-r--r-- 1 andrew andrew 170214 Oct 27 08:38 suctf2023
Since the name of the downloaded file is suctf2023, let us inspect the file to confirm its file type.
andrew@kali:~$ file suctf2023/suctf2023
suctf2023/suctf2023: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
It definitely confirms that it is a ZIP file, and it looks like it is encrypted. Of course it is. After all, it is a CTF, and decrypting the file is part of the challenge.
My favorite tool for cracking ZIP passwords is John the Ripper (JtR). However, before we run the john command, we must convert the archive into a hash format that JtR understands. For this, we will use the zip2john command.
andrew@kali:suctf2023$ zip2john suctf2023 > suctf2023.hash
andrew@kali:suctf2023$ cat suctf2023.hash
suctf2023/suctf1.png:$zip2$*0*1*0*0d85ebb36b4dc5f0*c7da*2702*1ec0d086203d2f00f60886e1dad722c0f5dd8f8b7988cadfa3109c4927680132741feef0b3c18470e8992d71769bb6b544485fa170d480bd5101d4df9a28a7fd063ce56d7c3fbb3e5ab7a24c708ddebf73f13cbcf853b29f08d77521177ca00001f9da6debaa802c9b6cfcb0e8000cd029fa4cfd2fc684f8c71ec6fc622497f31a6f733d015b847dc08bafa474d0ceddd41e211b92efd093f9c74cadfe2d02b31c658edb5b4a766ba184c18c1c329399f0ce3e0654255b478c692c91c03a9e4b73d319e028b40633f
<-- Output omitted for brevity -->
Once we have the hash, we can use JtR to crack the password. I think the CTF participants assumed they would need to brute force it. While that is a valid approach, the CTF only runs for 48 hours, so the better methodology is a dictionary attack: do the faster thing first and pivot to brute force only if it fails. One detail worth noticing in the output below: zip2john emits one hash per archive entry, each with its own PBKDF2 salt, so john loads 12 hashes and has to run PBKDF2 for every candidate against all 12 salts (which is why the c/s figure is 12 times the p/s figure). Every entry shares the one archive password, so keeping a single line of the hash file would have cracked it roughly 12 times faster.
andrew@kali:~$ time john --wordlist=/usr/share/wordlists/rockyou.txt suctf2023.hash
Using default input encoding: UTF-8
Loaded 12 password hashes with 12 different salts (ZIP, WinZip [PBKDF2-SHA1 512/512 AVX512BW 16x])
Loaded hashes with cost 1 (HMAC size) varying from 5883 to 27318
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sraskilord (suctf2023/suctf7.png)
sraskilord (suctf2023/suctf5.png)
sraskilord (suctf2023/suctf10.png)
sraskilord (suctf2023/suctf2.png)
sraskilord (suctf2023/suctf11.png)
sraskilord (suctf2023/suctf6.png)
sraskilord (suctf2023/suctf3.png)
sraskilord (suctf2023/suctf4.png)
sraskilord (suctf2023/suctf12.png)
sraskilord (suctf2023/suctf8.png)
sraskilord (suctf2023/suctf9.png)
sraskilord (suctf2023/suctf1.png)
12g 0:00:08:27 DONE (2023-10-28 19:29) 0.02365g/s 7057p/s 84686c/s 84686C/s srgv123..sprn_07@yahoo.com
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
real 507.62s user 999.92s sys 0.16s cpu 197%
Note: I prefixed the command with time to show how long JtR took to run.
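To make the dictionary step concrete, here is an added example (not code from the original post) that performs the cheap check John the Ripper runs first for WinZip AES entries: it parses the $zip2$ line, derives PBKDF2-HMAC-SHA1 key material from a candidate password and the entry's salt, and compares the trailing 2-byte password verification value with the one stored in the hash. The hash below is the prefix of the first line printed above; the long encrypted-data field is truncated and the HMAC field is not on the page, so only the salt and verifier are checked. The short candidate list is a constructed stand-in for rockyou.txt.

```python
"""Check candidate passwords against a zip2john ($zip2$) hash line.

Added example, not code from the original post. It performs the cheap
test John the Ripper runs first for WinZip AES entries: derive
PBKDF2-HMAC-SHA1 key material (1000 iterations, as the WinZip AES format
specifies) from the password and the entry's salt, and compare the
trailing 2-byte password verification value with the stored one.
"""
import hashlib

# First line of suctf2023.hash as shown in the post (data field truncated,
# HMAC field absent).  Layout: $zip2$*Ty*Mo*Ma*Sa*Va*Le*DF*Au*$/zip2$
HASH_LINE = ("suctf2023/suctf1.png:$zip2$*0*1*0*0d85ebb36b4dc5f0*c7da*2702*"
             "1ec0d086203d2f00f60886e1dad722c0f5dd8f8b7988cadfa3109c4927680132")

AES_KEY_BYTES = {1: 16, 2: 24, 3: 32}    # Mo field: AES-128 / AES-192 / AES-256
PBKDF2_ITERATIONS = 1000                 # fixed by the WinZip AES specification


def parse_zip2(line):
    """Split '<name>:$zip2$*...' into the fields needed for the verifier check."""
    name, hash_str = line.split(":", 1)
    if not hash_str.startswith("$zip2$*"):
        raise ValueError("not a $zip2$ hash")
    fields = hash_str[len("$zip2$*"):].split("*")
    mode = int(fields[1])
    salt = bytes.fromhex(fields[3])
    # WinZip AES uses a salt of half the key length (8/12/16 bytes).
    if mode not in AES_KEY_BYTES or len(salt) != AES_KEY_BYTES[mode] // 2:
        raise ValueError("salt length does not match the AES mode")
    return {
        "name": name,
        "mode": mode,
        "salt": salt,
        "verifier": bytes.fromhex(fields[4]),   # 2-byte password verification value
        "compressed_len": int(fields[5], 16),    # length of the encrypted data
    }


def verify_password(entry, password):
    """True if the PBKDF2-derived verifier matches the stored one.

    The verifier is only 16 bits, so a match is a strong hint rather than
    proof; john additionally checks the HMAC-SHA1 over the encrypted data
    (the "cost 1 (HMAC size)" in its output) before reporting a crack.
    """
    key_len = AES_KEY_BYTES[entry["mode"]]
    # Key material = AES key || HMAC key || 2-byte verifier.
    material = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                   entry["salt"], PBKDF2_ITERATIONS,
                                   2 * key_len + 2)
    return material[-2:] == entry["verifier"]


def dictionary_attack(entry, candidates):
    """Return the first candidate that passes the verifier check, else None."""
    for password in candidates:
        if verify_password(entry, password):
            return password
    return None


if __name__ == "__main__":
    entry = parse_zip2(HASH_LINE)
    # Constructed stand-in for a wordlist; rockyou.txt would be read line by line.
    wordlist = ["123456", "password", "sraskilord"]
    print(entry["name"], "->", dictionary_attack(entry, wordlist))
```

Because the verifier is derived per salt, running this against all 12 lines of the hash file costs 12 PBKDF2 computations per candidate, which is exactly the 12:1 ratio between the c/s and p/s figures in the john output above.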
Now that we have the password, we can unzip the archive. 7z is the tool to use here: the stock Info-ZIP unzip does not support WinZip AES-encrypted entries (it skips them with an unsupported compression method error), while p7zip handles them.
andrew@kali:~$ 7z x suctf2023
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Xeon(R) Gold 5318Y CPU @ 2.10GHz (606A6),ASM,AES-NI)
Scanning the drive for archives:
1 file, 170214 bytes (167 KiB)
Extracting archive: suctf2023
--
Path = suctf2023
Type = zip
Physical Size = 170214
Enter password (will not be echoed):
Everything is Ok
Files: 12
Size: 180146
Compressed: 170214
We have successfully unzipped the file. We can verify that by performing a directory listing.
andrew@kali:suctf2023$ ls -l
total 692
-rw-r--r-- 1 andrew andrew    230 Oct 27 08:38 %2f
-rw-r--r-- 1 andrew andrew  23859 Aug 27 21:40 suctf10.png
-rw-r--r-- 1 andrew andrew  14078 Aug 27 21:42 suctf11.png
-rw-r--r-- 1 andrew andrew  19169 Aug 27 21:43 suctf12.png
-rw-r--r-- 1 andrew andrew  11051 Aug 26 23:42 suctf1.png
-rw-r--r-- 1 andrew andrew 170214 Oct 27 08:38 suctf2023
-rw-r--r-- 1 andrew andrew 337666 Oct 27 08:56 suctf2023.hash
-rw-r--r-- 1 andrew andrew  11934 Aug 26 23:44 suctf2.png
-rw-r--r-- 1 andrew andrew  18866 Aug 27 21:25 suctf3.png
-rw-r--r-- 1 andrew andrew   7532 Aug 27 21:26 suctf4.png
-rw-r--r-- 1 andrew andrew   7161 Aug 27 21:28 suctf5.png
-rw-r--r-- 1 andrew andrew  28404 Aug 27 21:29 suctf6.png
-rw-r--r-- 1 andrew andrew  10568 Aug 27 21:33 suctf7.png
-rw-r--r-- 1 andrew andrew  20457 Aug 27 21:36 suctf8.png
-rw-r--r-- 1 andrew andrew   7067 Aug 27 21:38 suctf9.png
The files are all chess puzzles. Since the challenge's title is mate in one, it is safe to assume you need a single move to checkmate the opponent. Most of the puzzles are White to move, but I sprinkled in a few with Black to move.
It is vital to know how to write chess moves in algebraic notation, since the notation itself is part of the solution to this challenge. For your convenience, the solutions to the puzzles are listed below.
suctf1.png - Bd4
suctf2.png - Pg7
suctf3.png - Bf6
suctf4.png - Nb3
suctf5.png - Rb8
suctf6.png - Qh3
suctf7.png - Bb4
suctf8.png - Qe8
suctf9.png - Ra1
suctf10.png - Ne2
suctf11.png - Rh5
suctf12.png - Bd2
Now comes the tricky bit. The cipher identifier tools I tried were unsuccessful, so you must take the hints, have a good understanding of classical ciphers, or work through ciphers that operate on letters only and leave digits and curly braces untouched.
If a CTF player took the hints, the cost was only 6 points in total. The last hint is notation d'échecs, French for chess notation, which points at the Vigenère cipher: it is named after Blaise de Vigenère, a French diplomat and cryptographer (the cipher was actually first described by Giovan Battista Bellaso, but the French name is what the hint plays on).
Essentially, the key is the first letter of each chess move in file order, BPBNRQBQRNRB (the pawn move is written Pg7 with an explicit P, which standard algebraic notation omits, so that it contributes a key letter too). Feed that key to CyberChef's Vigenère Decode recipe to recover the flag.
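The same decode in code, as an added example that is not part of the original post: the key is derived from the move list exactly as described, and because the challenge ciphertext is not reproduced on this page, the script constructs its own by encrypting the published flag with that key and decrypting it back. Only letters are shifted; digits, braces and underscores pass through without consuming a key position, which is assumed to match how CyberChef's Vigenère Decode treats non-letters.

```python
"""Vigenère decode with a key read off the chess puzzle solutions.

Added example, not code from the original post. The move list is the
post's; the ciphertext used here is constructed by encrypting the
published flag, since the real ciphertext is not reproduced on the page.
"""
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase

# Mate-in-one answers in file order suctf1.png .. suctf12.png (from the post).
MOVES = ["Bd4", "Pg7", "Bf6", "Nb3", "Rb8", "Qh3",
         "Bb4", "Qe8", "Ra1", "Ne2", "Rh5", "Bd2"]

FLAG = "SUCTF2023{the_machine_and_samaritan}"


def key_from_moves(moves):
    """Take the first character of each move, in order.

    The pawn move is written Pg7 with an explicit P (standard algebraic
    notation would write just g7), so it contributes a key letter like
    the piece moves do.
    """
    return "".join(m[0].upper() for m in moves)


def _vigenere(text, key, direction):
    """Shift each letter by its key letter's alphabet index.

    direction is +1 to encrypt, -1 to decrypt. Case is preserved and
    non-letters pass through without advancing the key position.
    """
    key = key.upper()
    if not key or any(k not in UPPER for k in key):
        raise ValueError("key must consist of letters only")
    out, k = [], 0
    for ch in text:
        if ch in UPPER or ch in LOWER:
            shift = UPPER.index(key[k % len(key)])
            base = ord("A") if ch in UPPER else ord("a")
            out.append(chr(base + (ord(ch) - base + direction * shift) % 26))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext, key):
    return _vigenere(plaintext, key, +1)


def vigenere_decrypt(ciphertext, key):
    return _vigenere(ciphertext, key, -1)


if __name__ == "__main__":
    key = key_from_moves(MOVES)
    ciphertext = vigenere_encrypt(FLAG, key)   # constructed stand-in for the challenge ciphertext
    print("key:       ", key)
    print("ciphertext:", ciphertext)
    print("decrypted: ", vigenere_decrypt(ciphertext, key))
```

Note that the flag prefix SUCTF2023{ encrypts to TJDGW2023{ under this key: the digits and brace survive, which is the property that makes a letters-only cipher the right guess when the ciphertext still looks flag-shaped.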
Flag
SUCTF2023{the_machine_and_samaritan}
Last challenge - packet4.pcap
The last challenge is quite difficult to solve. There are no hints and no context for the challenge. I included it because I thought it would be fun to incorporate an advanced challenge like ones I have seen in the past. Unfortunately, nobody solved this challenge either. That said, when I get invited back for our next CTF event, I will try not to add these types of challenges.
In this challenge, I crafted several ICMP packets with different ICMP ID values and payloads. The ICMP ID and the payload go together to solve the challenge. I also embedded fake flags; I know it is not very nice of me.
Let us put our CTF participant hat back on and analyze the packet capture. First, let us look at the traffic in the PCAP file.
andrew@kali:~$ tshark -nr packet4.pcap
1 0.000000 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=1/256, ttl=63
2 0.000018 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=1/256, ttl=64 (request in 1)
3 1.001103 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=2/512, ttl=63
4 1.001122 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=2/512, ttl=64 (request in 3)
5 2.002531 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=3/768, ttl=63
6 2.002549 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=3/768, ttl=64 (request in 5)
7 3.003974 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=4/1024, ttl=63
8 3.003994 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=4/1024, ttl=64 (request in 7)
9 4.005409 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=5/1280, ttl=63
10 4.005427 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=5/1280, ttl=64 (request in 9)
11 5.006650 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=6/1536, ttl=63
12 5.006668 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=6/1536, ttl=64 (request in 11)
13 6.007209 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=7/1792, ttl=63
14 6.007227 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=7/1792, ttl=64 (request in 13)
15 7.008616 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=8/2048, ttl=63
16 7.008634 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=8/2048, ttl=64 (request in 15)
17 8.010451 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=9/2304, ttl=63
18 8.010468 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=9/2304, ttl=64 (request in 17)
19 8.754579 172.24.20.31 → 171.64.20.62 ICMP 73 Echo (ping) reply id=0x0001, seq=0/0, ttl=63
20 9.011855 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=10/2560, ttl=63
21 9.011873 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=10/2560, ttl=64 (request in 20)
22 10.012479 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=11/2816, ttl=63
23 10.012498 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=11/2816, ttl=64 (request in 22)
24 11.014565 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=12/3072, ttl=63
25 11.014580 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=12/3072, ttl=64 (request in 24)
26 12.016340 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=13/3328, ttl=63
27 12.016358 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=13/3328, ttl=64 (request in 26)
28 13.018568 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=14/3584, ttl=63
29 13.018587 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=14/3584, ttl=64 (request in 28)
30 14.020288 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=15/3840, ttl=63
31 14.020307 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=15/3840, ttl=64 (request in 30)
32 15.021025 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=16/4096, ttl=63
33 15.021043 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=16/4096, ttl=64 (request in 32)
34 15.854308 172.24.20.31 → 171.64.20.62 ICMP 63 Echo (ping) reply id=0x0009, seq=0/0, ttl=63
35 16.022262 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=17/4352, ttl=63
36 16.022280 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=17/4352, ttl=64 (request in 35)
37 17.022704 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=18/4608, ttl=63
38 17.022723 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=18/4608, ttl=64 (request in 37)
39 18.024678 172.24.20.31 → 171.64.20.62 ICMP 98 Echo (ping) request id=0xc9bc, seq=19/4864, ttl=63
40 18.024697 171.64.20.62 → 172.24.20.31 ICMP 98 Echo (ping) reply id=0xc9bc, seq=19/4864, ttl=64 (request in 39)
<-- Output omitted for brevity -->
Most of this is ordinary ping traffic with ICMP ID 0xc9bc, which is unrelated noise. The odd ones out, such as frames 19 and 34, are echo replies with no matching request (no "request in N" annotation), seq=0 and non-standard frame sizes. Let us filter on the ID to drop the noise and focus on those.
andrew@kali:~$ tshark -nr packet4.pcap -Y '!icmp.ident eq 0xc9bc'
19 8.754579 172.24.20.31 → 171.64.20.62 ICMP 73 Echo (ping) reply id=0x0001, seq=0/0, ttl=63
34 15.854308 172.24.20.31 → 171.64.20.62 ICMP 63 Echo (ping) reply id=0x0009, seq=0/0, ttl=63
47 21.758290 172.24.20.31 → 171.64.20.62 ICMP 87 Echo (ping) reply id=0x002f, seq=0/0, ttl=63
70 32.722951 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x001b, seq=0/0, ttl=63
85 39.718379 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x000f, seq=0/0, ttl=63
96 44.402550 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x0047, seq=0/0, ttl=63
105 48.194462 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x0013, seq=0/0, ttl=63
118 54.382456 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x0030, seq=0/0, ttl=63
129 60.086374 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x0022, seq=0/0, ttl=63
144 66.110393 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x0005, seq=0/0, ttl=63
157 72.827244 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x003e, seq=0/0, ttl=63
166 77.046547 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x0058, seq=0/0, ttl=63
179 82.322732 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x002c, seq=0/0, ttl=63
192 88.514276 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x001c, seq=0/0, ttl=63
203 94.034334 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x005c, seq=0/0, ttl=63
216 99.702366 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x0023, seq=0/0, ttl=63
239 111.070290 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x0017, seq=0/0, ttl=63
290 135.354174 172.24.20.31 → 171.64.20.62 ICMP 60 Echo (ping) reply id=0x0054, seq=0/0, ttl=63
Now that we have filtered out the noise, we can focus on the remaining packets. Two things jump out: the frame sizes vary (73, 63 and 87 bytes, then a run of 60-byte frames), and every packet carries a different ICMP ID. In the previous challenges, the crafted ICMP messages carried data in their payloads, and I would bet that is the case here as well. Let us extract the payload as text together with the ICMP ID, which tshark prints in decimal.
andrew@kali:~$ tshark -nr packet4.pcap -Y '!icmp.ident eq 0xc9bc' -T fields -e icmp.ident -e data.text -o data.show_as_text:TRUE
1	SUCTF2023{this_is_not_the_flag}
9	FHPGS2023{gel_uneqre}
47	8:(E7#GIJhaUa/BmQoZja!#Qen9FbeWCvpfaSlIU{xx})
27	8:(
15	E7#
71	GIJ
19	haU
48	a/B
34	mQo
5	Zja
62	!#Q
88	en9
44	Fbe
28	WCv
92	pfa
35	SlI
23	U{x
84	x})
In the output, we see one string that matches the CTF's flag format and another flag-shaped string in ciphertext form. Since the CTF creators ranked this challenge as hard, it is safe to say we should not even bother submitting the first one.
The second one seems too easy: guess the cipher and you have a flag. That said, I highly doubt it is the real flag. We can confirm with CyberChef; the recipe we need is ROT13, and the plaintext comes out as SUCTF2023{try_harder}. As suspected, it is not the flag.
Now we have 16 lines to make sense of. The third line has an ICMP ID of 47 and a string of seemingly random characters. The 15 lines that follow are that same string broken into three-character chunks, each carrying its own ICMP ID, which suggests the chunks must be handled one at a time.
Some CTF creators try to leave hints for the participants. They may not be blatantly obvious, but they are there. In this case, ROT13 is one hint and ICMP ID 47 is another: if we look at the list of ROT operations in CyberChef, we will see there is a ROT47, which rotates the 94 printable ASCII characters instead of just the letters.
Select the ROT47 Brute Force recipe, enter the ciphertext, and scroll through the output. On line 27 of the output (a rotation amount of 27) the first three characters read SUC, and in the tshark output earlier, ICMP ID 27 is exactly the packet that carries 8:(.
To verify this is not a coincidence, drop the first three characters from the input and look at the results again. The next chunk's ICMP ID is 15, so look at line 15 of the output: the next three characters are TF2. Combined, we have SUCTF2, which matches the CTF flag format. Repeat this for every chunk, using its ICMP ID as the rotation amount, and the flag spells itself out.
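The manual CyberChef procedure above, automated as an added example (not code from the original post): the input is the tshark field output printed earlier, embedded as constructed text so the script runs offline. It decodes the ROT13 decoy, shows the brute-force step that singles out rotation 27 for the first chunk, and then rotates each three-character chunk forward by its own ICMP ID, which is the entire trick of the challenge.

```python
"""Rebuild the packet4.pcap flag from ICMP ID / payload pairs.

Added example, not code from the original post. The input is the
tshark -T fields output shown in the post (ICMP ID in decimal, a tab,
then the payload text), embedded here so the script runs offline.
"""
import codecs

# tshark -T fields -e icmp.ident -e data.text output copied from the post.
TSHARK_FIELDS = """\
1\tSUCTF2023{this_is_not_the_flag}
9\tFHPGS2023{gel_uneqre}
47\t8:(E7#GIJhaUa/BmQoZja!#Qen9FbeWCvpfaSlIU{xx})
27\t8:(
15\tE7#
71\tGIJ
19\thaU
48\ta/B
34\tmQo
5\tZja
62\t!#Q
88\ten9
44\tFbe
28\tWCv
92\tpfa
35\tSlI
23\tU{x
84\tx})
"""


def rot47(text, amount):
    """Rotate the 94 printable ASCII characters 0x21..0x7e by `amount`.

    Classic ROT47 is amount=47 (its own inverse); CyberChef's ROT47 Brute
    Force tries every amount from 1 to 93. Characters outside that range,
    such as spaces, pass through unchanged.
    """
    out = []
    for ch in text:
        code = ord(ch)
        if 0x21 <= code <= 0x7E:
            out.append(chr(0x21 + (code - 0x21 + amount) % 94))
        else:
            out.append(ch)
    return "".join(out)


def parse_fields(output):
    """Turn tab-separated tshark field lines into (ident, payload) tuples."""
    rows = []
    for line in output.splitlines():
        if line.strip():
            ident, payload = line.split("\t", 1)
            rows.append((int(ident), payload))
    return rows


def rot13_decoy(rows):
    """The id=9 payload is a plain ROT13 of a fake flag."""
    payload = next(p for i, p in rows if i == 9)
    return codecs.decode(payload, "rot_13")


def amounts_matching(chunk, prefix):
    """Brute force: which rotation amounts make `chunk` start with `prefix`?"""
    return [a for a in range(1, 94) if rot47(chunk, a).startswith(prefix)]


def recover_flag(rows):
    """Rotate each three-character chunk by its own ICMP ID, in capture order.

    The id=47 packet carries the whole string; the chunks must reassemble
    it exactly, otherwise we are not looking at the right packets.
    """
    master = next(p for i, p in rows if i == 47)
    chunks = [(i, p) for i, p in rows if len(p) == 3]
    if "".join(p for _, p in chunks) != master:
        raise ValueError("chunks do not reassemble the id=47 string")
    return "".join(rot47(p, i) for i, p in chunks)


if __name__ == "__main__":
    rows = parse_fields(TSHARK_FIELDS)
    print("ROT13 decoy:", rot13_decoy(rows))
    print("amounts turning '8:(' into 'SUC':", amounts_matching("8:(", "SUC"))
    print("flag:", recover_flag(rows))
```

Because each rotation amount is a bijection on the 94 printable characters, exactly one amount maps 8 to S, which is why the brute-force output pins the first chunk to line 27 and no other.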
Flag
SUCTF2023{th3_r1s3_of_a1_h3r03s_4nd_v1ll41ns}
Final words
It was challenging to come up with puzzles of varying difficulty. However, as mentioned earlier, I wanted to create at least one difficult challenge for the participants. In the end, I created two hard ones, one of which had hints. Some players were simply stubborn and did not take any of them, and the ones who did still did not solve it. Writing a good enough hint is a challenge in itself, because you do not want to give so much away that you hand over the answer.
Nonetheless, it was fun creating the challenges and seeing the players suffer a bit, just as I suffered when participating in CTF events. As I have mentioned in the past, participating in a CTF, whether as a player or as a creator, will teach you something. That said, I recommend participating whenever you get the chance.