Ringzer0team – Forensics Challenge 35 – Poor internet connection

This writeup is to explain how to get the answer (flag) to the Forensic Challenge named “Poor Internet Connection”

I will not be posting the flag here as I am giving you all of the instructions to get it yourself!

You start by downloading a PCAP file which has 3 TCP streams. If you do a search for “flag” in Wireshark (select string and search in packet bytes) you get 2 hits. One for flag.txt another for flag.zip.

One common rabbit hole is to assume the flag.txt file is in flag.zip file. It’s not. This may or may not have thrown yours truely for a little while…. we won’t discuss that.

Basically ignore flag.zip and look at flag.txt.

You will need to carve the zip file out manually, this may seem daunting, but it’s really not too hard. First find flag.txt, you will see packet 1139 (left hand column) is highlighted. You can follow the TCP stream (right click menu on the packet) and you will see that there is a lot of text that doesn’t make a lot of sense.

In order to find the file you need to view the Hex of the stream (bottom of TCP Stream screen, change the drop down from ASCII to Hex Dump).

Next we need to know what the header and footer of a ZIP file is….. Google time.

This page shows that the header should be 50 4B 03 04 14 and the footer should be 50 4B 05 06 00 so do a search for the header within the TCP Stream Hex Dump window.

If you don’t get a hit, start deleting characters, the way Wireshark displays the header means there could be a new line or double space in the header, and the search function isn’t that bright

When you get a hit, confirm that ‘flag.txt’ is just below the line you have highlighted. Then look for the footer (either manually or search).

Now for the irritating part, copy out the selection from header to footer and you will notice you get the byte offsets and text conversion too. With a small file you can manually remove these with a text editor, if not use your imagination ๐Ÿ™‚

Paste the hex in a hex editor such as HxD and then save the file as a zip file (just name it as one). If you copied only to the footer then you can simply open the zip file, if not it will need to be repaired first (which will look for the footer and remove the extra data).

You now realise that the zip file is password protected, shocker right? A quick way to look for files included in the PCAP is by going to File > Export Objects > HTTP this will pop up another window with all the files Wireshark thinks is included. Ignore the files with a number for a name (never did figure out what they were) and scroll to the bottom, you will see a file named “secret.txt”, extract this and you get the password for the zip file.

You now have all the information you need to get the flag for yourself ๐Ÿ™‚

This entry was posted in Competitions, Cyber, Network Analytics, Network Forensics, PCAP Analysis and tagged , , , , , , . Bookmark the permalink.

One Response to Ringzer0team – Forensics Challenge 35 – Poor internet connection

  1. Max says:

    Thanks for the writeup! I was on the right track, but I don’t have enough Wireshark experience to know about all this. I knew about those 3 files from the start, but I had no clue how to extract them manually (or the.zip file). Thanks a lot!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s