• Donald Ashdown

WireShark - Pico CTF - twoo twoo - 100 points


This was a fun pcap & wireshark challenge that involved a good initial investigation eventually leading to several HTTP files named "flag", that were red herrings but eventually a review of all DNS names and a visit to a particular website provided the flag.

My initial process for investigating pcap files, to review the expert information as a starting point and map out the nodes and suspected activities. This helps me stay organized and paint a picture, instead of trying to remember too much information. Maltego, is an information collection and display tool that allows me to graph out nodes and pop information into each node, while developing a graphical work flow. Generally if I can plot down the nodes, protocols, websites visited, and dns traffic, I can take a big picture overview and start diving in.


This challenge presented a red herring that started off with my observation of an HTTP "GET" request for a /flag/ directory. A quick look at this presented an opportunity to decode what appeared to be the flag.

Well if it seems too good to be true it probably is. After spending some time using various cipher decoding/analyses platforms I decided to plot my findings in Maltego and move on. It quickly became apparent that there were many of these requests, all ending up to the same domain. Some further visual enumeration showed that the subdomain had been constantly changing for each of these requests.


a curl attempt to the root domain provided a fake flag...I guess it is in the name "red herring".

|__$ curl http://www.reddshrimpandherring.com
Congrats! Was that tooooo easy?

Flag: cGljb0NURntmMXNoeV9zMXR1NHRpMG5fc2VsYmF0X3liYm9iX2VsdHRpbH0=


└─$ echo cGljb0NURntmMXNoeV9zMXR1NHRpMG5fc2VsYmF0X3liYm9iX2VsdHRpbH0= | base64 -d picoCTF{f1shy_s1tu4ti0n_selbat_ybbob_elttil}  

From here it became clear that some of these DNS names would be red herrings. I exported all HTTP GET /flag/ responses from the pcap, and used a simple script to read each file, convert the base 64 characters and provide me a list. From here it became clear that the flag was the particular one that referenced DNS data exfiltration, which was the observed attack vector through out this challenge.


FILES="/path/to/*"
for f in $FILES
do
	base64 -d  >> /n output.txt
done

picoCTF{dns_3xf1l_ftw_deadbeef}




530 views0 comments