FM02 - 250pts

Briefing

Download the file and find a way to get the flag. Contents: IRC-cap-vpn.pcapng
Challenge Files:

Solution

  1. We can open the packet capture file in Wireshark and apply the irc display filter, since the file name mentions IRC.
  2. Right-click a packet and follow the TCP stream to get the following ASCII output:
    ISON RiotCard85
    :orwell.freenode.net 303 RandumbHero1 :
    ISON RiotCard85
    :orwell.freenode.net 303 RandumbHero1 :
    :[email protected] PRIVMSG RandumbHero1 :Hey man, How's it going?
    ISON RiotCard85
    :orwell.freenode.net 303 RandumbHero1 :
    PRIVMSG RiotCard851 :All good, how are you?
    ISON RiotCard85
    :orwell.freenode.net 303 RandumbHero1 :
    :[email protected] PRIVMSG RandumbHero1 :yeah Doing good, been working on something recently. Wanna check it out?
    PRIVMSG RiotCard851 :Sure, What is it?
    ISON RiotCard85
    :orwell.freenode.net 303 RandumbHero1 :
    :[email protected] PRIVMSG RandumbHero1 :See if you can work it out first. I've hidden the flag in it. ;)
    :[email protected] PRIVMSG RandumbHero1 :.DCC SEND "Flag.7z" 3232247681 35289 3466.
    ISON RiotCard85
    :orwell.freenode.net 303 RandumbHero1 :
    :[email protected] PRIVMSG RandumbHero1 :here you go!
    :[email protected] PRIVMSG RandumbHero1 :Password on it, using the trick as usual.
    PING 1604473558
    ISON RiotCard85
    :orwell.freenode.net PONG orwell.freenode.net :1604473558
    :orwell.freenode.net 303 RandumbHero1 :
    :[email protected] PRIVMSG RandumbHero1 :TWFyaW9SdWxlejE5ODU=
    PING 1604488778
    ISON RiotCard85
    :orwell.freenode.net PONG orwell.freenode.net :1604488778
    :orwell.freenode.net 303 RandumbHero1 :
    PRIVMSG RiotCard851 :Awesome, I'll go check it out now.
  3. The DCC SEND offer shows a 7z archive being transferred (named Flag.7z in the offer), followed by the password TWFyaW9SdWxlejE5ODU=. The password is base64 for MarioRulez1985.
  4. We can search each TCP stream for the 7z magic bytes, 37 7A BC AF 27 1C according to the Wikipedia List of File Signatures, to find which stream contains the file; tcp.stream eq 79 is the one. Follow that stream, change the "Show and save data as" option to Raw, and save the content as file.7z.
  5. Next, extract file.7z using the password found earlier, MarioRulez1985.
  6. Finally, run strings on the extracted Flag.nes to get the flag.

Flag

NESted_in_a_PCAP