See summary for curriculum and blackhat-python scripts.
In this task we are given a pcap file, which can be opened with Wireshark. To observe what is going on, we can click "Follow TCP stream". We can see that there is a password token:
We try to run the Python command on the token:
$ python
>>> Token='TUNBezU4MDc2NjY2NzZ9'
>>> print(Token[13:] + Token[:13])
jY2NzZ9TUNBezU4MDc2M
And the flag is ttm4536{jY2NzZ9TUNBezU4MDc2M}
In this task we are given a pcap file, which can be opened with Wireshark.
To observe what is going on, we can click "Follow TCP stream"; by looking at the file signatures at the beginning of the streams, it can be seen that several files are being sent.
Then, we can extract all the files as HTTP objects into a folder.
To identify the file types of these objects, the file command can be run on them:
$ file *
We see that all the objects contain data, and recognize several file types: RIFF (little-endian) data, Web/P image, PDP-11 pure executable, etc. However, object475 is an x.out archive, which looks interesting. Using 7z or unzip to extract the data does not work, but we have all the data in Wireshark. In Wireshark, we can copy all the raw data from the stream belonging to the archive into a new file named "RAW". As the file signature is the same, it is recognized:
[:wiresharkobj0]$ file RAW
RAW: gzip compressed data, was "who.txt", last modified: Sun Sep 29 07:37:12 2019, from Unix, original size 153525
We then extract the content of RAW:
[wiresharkobj0]$ 7z x RAW

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,4 CPUs x64)

Scanning the drive for archives:
1 file, 51945 bytes (51 KiB)

Extracting archive: RAW
--
Path = RAW
Type = gzip
Headers Size = 18

Everything is Ok

Size:       153525
Compressed: 51945
$ cat who.txt
ttm4536{Banana-limk-shake2019}
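The "file RAW" step above works because the gzip header carries the original filename, the modification time and the uncompressed size. The following added example (not part of the original writeup) parses those RFC 1952 header fields from raw bytes the same way file(1) does and then decompresses the member; the sample blob is constructed in memory with a made-up filename, timestamp and payload, so it runs without the pcap.

```python
import gzip
import io
import struct
from datetime import datetime, timezone


def build_sample() -> bytes:
    # Constructed stand-in for the RAW stream copied out of Wireshark:
    # a gzip member with an FNAME field and a fixed (made-up) mtime.
    buf = io.BytesIO()
    with gzip.GzipFile(filename="who.txt", mode="wb", fileobj=buf,
                       mtime=1569742632) as gz:
        gz.write(b"lots of output ...\n" * 100 + b"ttm4536{constructed-sample}\n")
    return buf.getvalue()


def gzip_header_info(data: bytes) -> dict:
    """Read the RFC 1952 header fields that file(1) prints for gzip data."""
    if data[:2] != b"\x1f\x8b":            # gzip magic bytes (ID1, ID2)
        raise ValueError("not gzip: bad magic bytes")
    cm, flg, mtime, _xfl, _os = struct.unpack("<BBIBB", data[2:10])
    if cm != 8:                             # CM=8 is the only defined method (deflate)
        raise ValueError("unsupported compression method %d" % cm)
    pos = 10
    if flg & 0x04:                          # FEXTRA: 2-byte length + payload
        (xlen,) = struct.unpack("<H", data[pos:pos + 2])
        pos += 2 + xlen
    name = None
    if flg & 0x08:                          # FNAME: zero-terminated latin-1 name
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("latin-1")
        pos = end + 1
    if flg & 0x10:                          # FCOMMENT: zero-terminated, skipped
        pos = data.index(b"\x00", pos) + 1
    if flg & 0x02:                          # FHCRC: 2-byte header CRC16
        pos += 2
    (isize,) = struct.unpack("<I", data[-4:])   # trailer: original size mod 2**32
    return {
        "name": name,
        "mtime": mtime,
        "mtime_utc": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
        "isize": isize,
        "header_len": pos,
    }


def extract(data: bytes) -> bytes:
    """Inflate the member; equivalent to what 7z x RAW did in the writeup."""
    return gzip.decompress(data)
```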