Write-up author: jon-brandy
Can you find the flag? shark1.pcapng.
- NONE
- First, download the file given.
- Then open the file using wireshark.
- If you follow `tcp.stream eq 0`, you will find no clue at all.
POST /wsman/subscriptions/EB489718-F373-4F7F-8493-B0D1503B3C3E/37 HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/encrypted;protocol="application/HTTP-Kerberos-session-encrypted";boundary="Encrypted Boundary"
Content-Encoding: SLDC
User-Agent: Microsoft WinRM Client
Content-Length: 10990
Host: wef.windomain.local:5985
--Encrypted Boundary
Content-Type: application/HTTP-Kerberos-session-encrypted
OriginalContent: type=application/soap+xml;charset=UTF-16;Length=10687
--Encrypted Boundary
Content-Type: application/octet-stream
[... encrypted Kerberos-session payload, not human-readable ...]
--Encrypted Boundary--
HTTP/1.1 200
Content-Type: multipart/encrypted;protocol="application/HTTP-Kerberos-session-encrypted";boundary="Encrypted Boundary"
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 10 Aug 2020 01:51:40 GMT
Content-Length: 1732
--Encrypted Boundary
Content-Type: application/HTTP-Kerberos-session-encrypted
OriginalContent: type=application/soap+xml;charset=UTF-16;Length=1430
--Encrypted Boundary
Content-Type: application/octet-stream
[... encrypted Kerberos-session payload, not human-readable ...]
--Encrypted Boundary--
- So I checked every tcp.stream until I reached `tcp.stream eq 5`; when I followed it, I found a clue.
GET / HTTP/1.1
Host: 18.222.37.134
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
HTTP/1.1 200 OK
Date: Mon, 10 Aug 2020 01:51:45 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 07 Aug 2020 00:45:02 GMT
ETag: "2f-5ac3eea4fcf01"
Accept-Ranges: bytes
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}
cvpbPGS{c33xno00_1_f33_h_qrnqorrs}
-> It is ROT13 ciphertext.
- To decode it, I used this Python code:
import codecs
import os
os.system("cls")  # clear the Windows console before printing (has no effect on the decoding)
# the built-in rot_13 codec shifts every ASCII letter by 13 places; digits, braces and underscores stay as-is
val = codecs.decode('cvpbPGS{c33xno00_1_f33_h_qrnqorrs}', 'rot_13')
print(val)
- After running the code, we finally got the flag!
picoCTF{p33kab00_1_s33_u_deadbeef}
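As an added example (not part of the original write-up), here is a hand-rolled rotation cipher that decodes the whole response body seen in `tcp.stream eq 5`, not just the braces part, and goes one step further than the write-up: it tries all 26 shifts and picks the one that produces a `picoCTF{...}` pattern, so the same helper works when a challenge uses a shift other than 13. The body string is copied from the capture shown above; the function names are my own.

```python
import re
import string
from typing import Optional, Tuple

# Response body copied from the tcp.stream 5 follow view in the write-up above.
CAPTURED_BODY = "Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}"

# picoCTF flags always have this shape, which is what makes the right shift recognisable.
FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def rot(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` places, wrapping inside a-z / A-Z.

    Digits, braces, underscores and spaces are left untouched, which is why
    the 33 / 00 / 1 parts of the flag survive the encoding unchanged.
    """
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            base = ord("a")
        elif ch in string.ascii_uppercase:
            base = ord("A")
        else:
            out.append(ch)
            continue
        out.append(chr((ord(ch) - base + shift) % 26 + base))
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is the special case shift=13; applying it twice returns the input."""
    return rot(text, 13)


def find_flag(text: str) -> Optional[Tuple[int, str]]:
    """Brute-force the shift: return (shift, flag) for the first decoding
    that contains a picoCTF{...} token, or None if no shift produces one."""
    for shift in range(26):
        match = FLAG_RE.search(rot(text, shift))
        if match:
            return shift, match.group(0)
    return None


if __name__ == "__main__":
    print(rot13(CAPTURED_BODY))
    print(find_flag(CAPTURED_BODY))
```

Running it prints the decoded sentence and `(13, 'picoCTF{p33kab00_1_s33_u_deadbeef}')`, confirming that the capture used a plain ROT13 and that the flag is the same one the `codecs` one-liner produced.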