Thursday 12 March 2015

n00bs CTF Labs Level 6

Hello, you may have noticed that I have skipped some levels. I couldn't solve them at the time, so I skipped them and went back to try again later. For those of you who want to try but don't know where to start, here's a link to the CTF's homepage.

So yeah, here is my solution for Level 6! ^^

When you reach the page for this level, you will see something exactly like or similar to this:-


As expected, you would want to click on Yes to actually get the file. The file you download is a network capture in .pcap format. It is best opened with Wireshark, though you could also use something like tcpdump to begin analyzing its contents.

As for myself, I just use Wireshark since I already have it installed. In Wireshark, it looks like:-


Usually people would try to filter by protocol; however, don't be annoyed when you read on. Start from the first frame of the capture. Try to read the "Data" portion of the frame and see if you can recognize it. The Data section is the information actually being communicated, so it often carries something meaningful.

If you can't see it yet, right-click on the first row of the capture and select "Follow UDP Stream". This option will show you the data. Progress as shown below:-



As seen in the second picture, some data is being transmitted from filenet-rpc to netbios-ssn. You don't really have to be bothered about those two weird names for now; they are just the service names Wireshark assigns to the two port numbers. What we have is this:-

696e666f7365635f666c616769735f736e6966666564

As we can see, it contains only alphanumeric characters, and in fact only 0-9 and a-f, which tells me that it could be a hexadecimal value. How can we test this? Try to convert it, duh. Haha, yes, I did just that. You don't have to calculate it manually. Google for a website that does it for you; this isn't some school test, do it the easy way. =P I did it here, but you can use other websites if you wish, or go ahead and do it manually.
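As an added example (not code from the original writeup), here is a small Python script that does the same job without a website: it walks a pcap, pulls out every UDP payload, and hex-decodes any payload that looks like a hex string. The one-packet capture it reads is constructed inline from the hex string above, and the port numbers and IP addresses in it are assumptions so that it runs offline.

```python
import struct
import binascii

# Constructed sample: the hex string from the writeup carried as an ASCII
# payload in one UDP datagram. Ports 32768 -> 139 are assumed, not from the page.
PAYLOAD = b"696e666f7365635f666c616769735f736e6966666564"

def build_pcap(udp_payload, sport=32768, dport=139):
    """Wrap one Ethernet/IPv4/UDP frame in a minimal little-endian pcap file."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(udp_payload), 0) + udp_payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800) + ip
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    ph = struct.pack("<IIII", 0, 0, len(eth), len(eth))  # ts_sec, ts_usec, incl_len, orig_len
    return gh + ph + eth

def udp_payloads(pcap):
    """Yield (src_port, dst_port, payload) for every IPv4/UDP datagram in the pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("example only handles Ethernet (linktype 1) captures")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4, or IPv4 but not UDP (protocol 17)
        u = 14 + (frame[14] & 0x0F) * 4  # skip Ethernet + IP header (IHL)
        sport, dport, ulen, _ = struct.unpack("!HHHH", frame[u:u + 8])
        yield sport, dport, frame[u + 8:u + ulen]

def decode_hex_payload(payload):
    """Return the ASCII text if the payload is an even-length hex string, else None."""
    text = payload.strip()
    if not text or len(text) % 2 or any(c not in b"0123456789abcdefABCDEF" for c in text):
        return None
    try:
        return binascii.unhexlify(text).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_flags(pcap):
    """Collect every UDP payload that hex-decodes cleanly to ASCII."""
    decoded = (decode_hex_payload(p) for _, _, p in udp_payloads(pcap))
    return [d for d in decoded if d is not None]

print(find_flags(build_pcap(PAYLOAD)))  # prints ['infosec_flagis_sniffed']
```

To use it on the real capture, replace `build_pcap(PAYLOAD)` with the bytes of the downloaded .pcap file; pcapng files use a different container and are not handled here.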

Either way, you should get this:-
And bravo!

Answer is:

Flag is sniffed.

^^ Thanks for reading, hope you tried it before coming here =P
