C3n7ral051nt4g3ncy/Wireshark-CTF-Writeup
On The Wire CTF Challenge | Created By Tiberian Order 💀


CTF Writeup 📝

#OSINT #TiberianOrder #CTF #Writeup #Wireshark

Level 🎚️

Tiberian Order classed the difficulty level as: Medium

CTF Task | Mission 🕵️

Greetings Special Agent K. One of our field agents in Malaysia managed to physically breach the office of a corrupt politician, who is doubling as a mole for a Chinese criminal enterprise that mostly smuggles endangered animals. In this case their evil business involves the shark fin trade and other exotic food items.

During the breach, our agent successfully obtained several pieces of information on the organization. Currently this does not include their name, as they only communicate using anonymous messages and codenames.

We hope that the information, which includes pictures, floorplans, data dumps and packet captures, will lead to a more complete picture of this organization. We know that the Malaysian government will be exceptionally happy to get this criminal enterprise out of its borders.

All data has been divided over several agents. Your segment for this contract is the analysis of a packet capture file. Figure out what is being communicated and find the message that matters. This message will lead to your Contract Card.

As always, Special Agent K, the contract is yours, if you choose to accept.

Wireshark 🦈

The file to analyse was a .pcapng file, a Packet Capture Next Generation file. This is the default save format of Wireshark and dumpcap and the block-based successor to the classic libpcap .pcap format.

A .pcapng file is a sequence of blocks, each framed by its type code and its total length (the length is repeated at the end of the block so readers can walk the file in both directions). A Section Header Block records the byte order and file version, an Interface Description Block records the link type (Ethernet, for example) and snap length of each capture interface, and every captured frame sits in an Enhanced Packet Block together with its interface ID, timestamp, captured length and original length. Because every block carries its own length, a parser can skip block types it does not understand, which is why tools other than Wireshark read the format without trouble.

The usual thing to do to analyze a .pcapng file, for many people, is to open it with Wireshark and then search within Wireshark.

Wireshark is not user-friendly in my opinion; trying to find something with Wireshark can take hours or days.

Analysing Endpoints in Wireshark 🎯

With GeoIP2, data can be gathered on all the IP addresses present in the packet capture file. Wireshark does this by looking each address up in MaxMind GeoIP2 databases (.mmdb files) whose directory is configured under Edit > Preferences > Name Resolution; without a database nothing is resolved. Viewing all the endpoints (Statistics > Endpoints) is important and can bring some good intelligence, with two caveats: private addresses such as 10.x.x.x or 192.168.x.x have no entry at all, and the city, country and ASN returned describe where the address block is registered and routed, not necessarily where the machine physically sits.

Here are a few screenshots of what GeoIP2 combined with Wireshark can do. Below we can see geolocation information for the IP addresses (city, country, ASN), which Wireshark does not show unless a GeoIP2 database is configured.

Viewing on a Map 🗺️

This is fantastic and helps to better understand the full IP architecture of the .pcapng file. The map is also a GeoIP2 feature: the Map button in the Endpoints dialog plots the coordinates from the database for every resolved endpoint and opens the result in a browser.

How I got the Flag 🏴‍☠️

As I stated above, I hate analysing .pcapng files with Wireshark; it's not user-friendly, and it can take hours to find something. With APackets Analyser, you get a better view and understanding of the packet capture file, and it's then much easier to find some good intelligence.

Below is what it looks like; yes, it is much sexier than Wireshark!

  • I opened the file with Apackets
  • Went to DNS Detection from Intercepted Traffic
  • Found the Pastebin
  • Got the bit.ly link to download the Contract card.

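The steps above are what the analyser does for you. As an added example that is not part of this writeup and is not A-Packets' or Wireshark's code, here is a standard-library Python 3 script that does the same work by hand: it builds a constructed little-endian pcapng in memory (the real challenge capture is not reproduced here), walks it block by block (Section Header, Interface Description, Enhanced Packet Blocks), counts the IP endpoints the way Statistics > Endpoints does, pulls the QNAME out of every UDP/53 query, and flags names on a watchlist of paste sites and URL shorteners. All addresses, domain names and timestamps in the sample are made up.

```python
import socket
import struct
from collections import Counter

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # pcapng block type codes
BYTE_ORDER_MAGIC = 0x1A2B3C4D
LINKTYPE_ETHERNET = 1

def block(btype, body):
    """pcapng block framing: type, total length, 32-bit padded body, total length again."""
    body += b'\0' * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack('<II', btype, total) + body + struct.pack('<I', total)

def dns_query(txid, qname):
    """DNS header (standard query, one question) followed by QNAME labels, type A, class IN."""
    labels = b''.join(bytes([len(l)]) + l.encode() for l in qname.split('.'))
    return struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0) + labels + b'\0' + struct.pack('>HH', 1, 1)

def frame(src_ip, dst_ip, payload):
    """Ethernet II / IPv4 / UDP to port 53 around a DNS payload (checksums left at zero)."""
    udp = struct.pack('>HHHH', 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return b'\xaa' * 6 + b'\xbb' * 6 + b'\x08\x00' + ip

def build_pcapng(frames):
    """One little-endian section, one Ethernet interface, one EPB per frame."""
    out = block(SHB, struct.pack('<IHHq', BYTE_ORDER_MAGIC, 1, 0, -1))     # version 1.0, section length unknown
    out += block(IDB, struct.pack('<HHI', LINKTYPE_ETHERNET, 0, 65535))    # linktype, reserved, snaplen
    for i, f in enumerate(frames):
        ts = 1_700_000_000_000_000 + i      # default if_tsresol is microseconds since the epoch
        out += block(EPB, struct.pack('<IIIII', 0, ts >> 32, ts & 0xFFFFFFFF, len(f), len(f)) + f)
    return out

def iter_blocks(data):
    """Yield (type, endianness, body) for every block; byte order is re-read at each SHB."""
    off, end = 0, '<'
    while off + 12 <= len(data):
        btype = struct.unpack_from(end + 'I', data, off)[0]   # the SHB type code is palindromic
        if btype == SHB:
            end = '<' if struct.unpack_from('<I', data, off + 8)[0] == BYTE_ORDER_MAGIC else '>'
        total = struct.unpack_from(end + 'I', data, off + 4)[0]
        if total < 12 or off + total > len(data):
            raise ValueError(f'truncated or corrupt block at offset {off}')
        yield btype, end, data[off + 8:off + total - 4]
        off += total

def packets(data):
    """Captured frames from Enhanced Packet Blocks; every other block type is skipped."""
    for btype, end, body in iter_blocks(data):
        if btype == EPB:
            caplen = struct.unpack_from(end + 'I', body, 12)[0]
            yield body[20:20 + caplen]

def ipv4_udp(fr):
    """(src, dst, sport, dport, udp payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(fr) < 34 or fr[12:14] != b'\x08\x00' or fr[23] != 17:
        return None
    ihl = (fr[14] & 0x0F) * 4
    udp = fr[14 + ihl:]
    sport, dport = struct.unpack_from('>HH', udp)
    return socket.inet_ntoa(fr[26:30]), socket.inet_ntoa(fr[30:34]), sport, dport, udp[8:]

def dns_qname(msg):
    """First question's QNAME; a zero byte ends the name, 0xC0.. would be a compression pointer."""
    labels, off = [], 12
    while off < len(msg) and 0 < msg[off] < 0xC0:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode('ascii', 'replace'))
        off += 1 + msg[off]
    return '.'.join(labels)

def endpoints(data):
    """Packets per address, the table Wireshark shows under Statistics > Endpoints."""
    c = Counter()
    for p in filter(None, map(ipv4_udp, packets(data))):
        c[p[0]] += 1
        c[p[1]] += 1
    return c

def dns_queries(data):
    """(client, qname) for every UDP datagram sent to port 53."""
    return [(p[0], dns_qname(p[4])) for p in filter(None, map(ipv4_udp, packets(data))) if p[3] == 53]

WATCHLIST = ('pastebin.com', 'bit.ly')   # the paste site and URL shortener named in this writeup

def flag(queries, watchlist=WATCHLIST):
    """Queries whose name is a watched domain or one of its subdomains."""
    return [(src, q) for src, q in queries if any(q == w or q.endswith('.' + w) for w in watchlist)]

# Constructed sample, not the CTF capture: two clients, three lookups.
CAPTURE = build_pcapng([
    frame('10.0.0.5', '8.8.8.8', dns_query(1, 'www.example.com')),
    frame('10.0.0.5', '8.8.8.8', dns_query(2, 'pastebin.com')),
    frame('10.0.0.7', '1.1.1.1', dns_query(3, 'bit.ly')),
])

if __name__ == '__main__':
    print(endpoints(CAPTURE).most_common())
    print(flag(dns_queries(CAPTURE)))
```

Run it as-is to see the endpoint counts and the two flagged lookups; feed the bytes of a real .pcapng to `packets()` to run the same checks against the challenge file. The same DNS view in one line with Wireshark's own command-line tool is `tshark -r file.pcapng -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name`.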
Many people think that only Wireshark can analyse .pcapng files, and that's why it takes them such a long time to figure things out. It is not: tshark, tcpdump (through libpcap), Zeek, Scapy and web analysers such as A-Packets all read the format, and a different view of the same capture often surfaces the interesting flow much faster than scrolling the packet list.

Contract Card 🃏

Final thoughts 💭

Very Good CTF put together by Tiberian Order: https://tiberianorder.com
