RITSEC_CTF
RITSEC_CTF
RITSEC_CTF Forensics Writeup
Challenge : Intercepted Transmission
Challenge Description
- We have intercepted a transmission from the aliens. We believe they were pinging government installations in order to find the locations.
Solution
- Analyze the PCAP file:
- We are given
transmission.pcapng. Opening it in Wireshark, we see multiple ICMP packets.
- We are given
- Filter ICMP packets:
- Apply the following Wireshark filter to isolate ICMP traffic:
1
icmp
- Observing the data field in ICMP packets, we notice that some contain readable text.
- Apply the following Wireshark filter to isolate ICMP traffic:
- Identify Flag Containing Packets:
- By sorting packets based on length, we discover that ICMP packets with a data length of 43 contain pieces of the flag.
- Extracting data from these specific packets, we concatenate them to reconstruct the flag.
- By sorting packets based on length, we discover that ICMP packets with a data length of 43 contain pieces of the flag.
- Extract Flag using TShark:
- Using
tshark, we can extract ICMP data and convert it:1
tshark -r transmission.pcapng -Y "icmp && frame.len == 43" -T fields -e data | xxd -r -p
- This outputs the final flag.
- Using
Flag
1
2
RS{Its_A_Coverup}
This post is licensed under CC BY 4.0 by the author.