the solution is the md5 of the decrypted file
Looking at the pcap file, we see quite a lot of requests to windows update 220.127.116.11.
GET /msdownload/update/software/svpk/2011/02/windows6.1-kb976933-x86-neutral_665ea0a805bd97f70045674fb4d5fd048fd81516.psf HTTP/1.1
I wasted a lot of time scrolling through all those packets…
Finally though we came across a convo between 192.168.1.20:49341 and 192.168.1.21:5050
Following the TCP Stream we see:
hey herp hey derp sup dude, u remember what we talked about earlier? yeah the ctf keygen :D hush dude, we don`t want them to log this i`ll send u a chat that supports encryption open port 6060 and listen for a file transfer ok, gimme a sec ok i sent it to u fine i got it switch to cryptcat with key Dagaga and port 7070, ill connect roger that
So based on that convo, we can limit our search to port 6060 and port 7070.
In Wireshark, set filter to “tcp.port eq 6060” to see what file was transferred.
[email protected]........!..L.!This program cannot be run in DOS mode.
Based on part of the stream we can see that its a windows cryptocat lol
From the convo, we know that they established a cryptcat connection at port 7070 with key “Dagaga”. Let’s set Wireshark’s filter to see port 7070.
Since this is Crypto, amon gets to come in!
Now for my part of the challenge, it was pretty easy going from the pcap to extract the traffic on port 7070. Looking at the conversations, we can see there are three streams.
Stream 1 contains no data. Stream 2 contains a conversation. Stream 3 seems to be dump of a longer file.
We can extract the data by extracting from the ‘Follow Stream’:
Now, we have extracted our streams to the files part17070 and part27070. We can set up our cryptcat listener with the key Dagaga.
[email protected]$ cryptcat -k Dagaga -l -p 1337
Now we send our extracted streams to the cryptcat listener like so:
[email protected]$ cat part17070 | nc localhost 1337
The decrypted conversation:
[email protected]$ cryptcat -k Dagaga -l -p 1337 here yeah ok so its stable now close and i`ll send the file we talked about on port 7070 too ok bye
Now we have to start cryptcat and listen for a file. That md5sum of that file will be our flag (as per the challenge description):
[email protected]$ cryptcat -k Dagaga -l -p 1337 > decryptedfile [email protected]$ md5sum decryptedfile 32170cab0f59ce6e1fc8df51a757cc99 decryptedfile