Skip to content

Latest commit

 

History

History
131 lines (98 loc) · 3.77 KB

Eavesdrop.md

File metadata and controls

131 lines (98 loc) · 3.77 KB
Raw

It is pretty easy to find the flag with Wireshark by reading tcp streams in Analyze->Streams, but we can do the same with tshark, the cli version:

[user@host Eavesdrop]$ tshark -r capture.flag.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.2.15:57876            <-> 10.0.2.4:9001                   17 1 330bytes      18 1 411bytes      35 2 741bytes    15,175413000       224,2402
10.0.2.15:43928            <-> 35.224.170.84:80                 5 442bytes        5 377bytes       10 819bytes    165,383043000         0,5623
10.0.2.15:56370            <-> 10.0.2.4:9002                    4 272bytes        4 320bytes        8 592bytes    205,301478000        11,8833
================================================================================

There are three conversations to read, so lets read them:

user@host Eavesdrop]$ tshark -r capture.flag.pcap -q -z follow,tcp,ascii,0

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 10.0.2.15:57876
Node 1: 10.0.2.4:9001
        41
Hey, how do you decrypt this file again?

16
You're serious?

        18
Yeah, I'm serious

83
*sigh* openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123

        19
Ok, great, thanks.

47
Let's use Discord next time, it's more secure.

        51
C'mon, no one knows we use this program like this!

10
Whatever.

        5
Hey.

6
Yeah?

        41
Could you transfer the file to me again?

25
Oh great. Ok, over 9002?

        17
Yeah, listening.

8
Sent it

        8
Got it.

20
You're unbelievable

===================================================================
[user@host Eavesdrop]$ tshark -r capture.flag.pcap -q -z follow,tcp,ascii,1

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 1
Node 0: 10.0.2.15:43928
Node 1: 35.224.170.84:80
87
GET / HTTP/1.1
Host: connectivity-check.ubuntu.com
Accept: */*
Connection: close


        148
HTTP/1.1 204 No Content
Date: Mon, 04 Oct 2021 18:08:52 GMT
Server: Apache/2.4.18 (Ubuntu)
X-NetworkManager-Status: online
Connection: close


===================================================================
[user@host Eavesdrop]$ tshark -r capture.flag.pcap -q -z follow,tcp,ascii,2

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 2
Node 0: 10.0.2.15:56370
Node 1: 10.0.2.4:9002
48
Salted__............=a.....Z..........F8..v.<8EY
===================================================================

We can skip the second one, because it does not contain anything interesting. The first one shows us a literal conversation with a cool command and credentials included. The third is a secret to decrypt.

So we have to save the secret properly, because the ascii output of thark is replacing non-printable characters with dots. We will use the raw option with some pipes to remove obsolete text and transform the message to real raw data:

[user@host Eavesdrop]$ tshark -r capture.flag.pcap -q -z follow,tcp,raw,2 | tail -n +7 | head -n 1 | xxd -r -p > secret

Last step, decryption:

[user@host Eavesdrop]$ openssl des3 -d -salt -in secret  -k supersecretpassword123
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
picoCTF{nc_73115_411_5786acc3}[user@host Eavesdrop]$