Write-up author: jon-brandy
Can you find the flag? shark2.pcapng.
- Did you really find the flag?
- Look for traffic that seems suspicious.
- First, open the file using Wireshark.
- When I tried to follow the TCP stream at `tcp.stream eq 5`, I found a clue.
- Then, when I followed the TCP stream at `tcp.stream eq 19`, I found a flag.
- But the pico server rejects it, which means it's not the flag.
- Based on the hint, let's check the DNS traffic.
- Change the Wireshark filter to `udp.port == 53`.
- Then follow this UDP stream.
- You can see there's a clue.
CLUE: `reddshrimpandherring.com`
- Now let's access the website by typing this command in your Kali Linux terminal:
```bash
curl http://www.reddshrimpandherring.com
```
OUTPUT:
```html
<html>
<head>
<script>
var forwardingUrl = "/page/bouncy.php?&bpae=GbhWt6smolx797uvwVkZt3kXTsk4y6o5kxYr9vEtHeCvozli8ejbu66RQjMt7Id%2F7sjqbfF2RWJS6uRJLVU6cM1l4JPz4jN%2BdEK08uU5XoZTutPs3nk6NJZHL7zrQL9jPzLObHYglnvQjCJOZRjSxzO%2FCVgogGfHMa%2BW9CIiUsvkxfYjbS%2BH7gPMad2eIkvK0lceLuxHaNFOS36EUftr9629OTdxBoJrH9vtM8OWk9YvsYJmsDtXNeyMnbc3jeGSUNaUpys%2FeBFPEBItGU5NvlHEiKjDoy%2B7ARshbjLab8QdkfzGpTdHwX2gAWtyM8aKXAOS%2BcdOaC3eXJW%2FN5mOCl5t%2BYc7uFiRbQz6%2FaOm1RLGwKDH9cpHdb%2BROQylniESiaa0aCJUDFzfFIDLuYHiGTf00Jc%3D&redirectType=js";
var destinationUrl = "/page/bouncy.php?&bpae=GbhWt6smolx797uvwVkZt3kXTsk4y6o5kxYr9vEtHeCvozli8ejbu66RQjMt7Id%2F7sjqbfF2RWJS6uRJLVU6cM1l4JPz4jN%2BdEK08uU5XoZTutPs3nk6NJZHL7zrQL9jPzLObHYglnvQjCJOZRjSxzO%2FCVgogGfHMa%2BW9CIiUsvkxfYjbS%2BH7gPMad2eIkvK0lceLuxHaNFOS36EUftr9629OTdxBoJrH9vtM8OWk9YvsYJmsDtXNeyMnbc3jeGSUNaUpys%2FeBFPEBItGU5NvlHEiKjDoy%2B7ARshbjLab8QdkfzGpTdHwX2gAWtyM8aKXAOS%2BcdOaC3eXJW%2FN5mOCl5t%2BYc7uFiRbQz6%2FaOm1RLGwKDH9cpHdb%2BROQylniESiaa0aCJUDFzfFIDLuYHiGTf00Jc%3D&redirectType=meta";
var addDetection = true;
if (addDetection) {
var inIframe = window.self !== window.top;
forwardingUrl += "&inIframe=" + inIframe;
var inPopUp = (window.opener !== undefined && window.opener !== null && window.opener !== window);
forwardingUrl += "&inPopUp=" + inPopUp;
}
window.location.replace(forwardingUrl);
</script>
<noscript>
<meta http-equiv="refresh" content="1;url=/page/bouncy.php?&bpae=GbhWt6smolx797uvwVkZt3kXTsk4y6o5kxYr9vEtHeCvozli8ejbu66RQjMt7Id%2F7sjqbfF2RWJS6uRJLVU6cM1l4JPz4jN%2BdEK08uU5XoZTutPs3nk6NJZHL7zrQL9jPzLObHYglnvQjCJOZRjSxzO%2FCVgogGfHMa%2BW9CIiUsvkxfYjbS%2BH7gPMad2eIkvK0lceLuxHaNFOS36EUftr9629OTdxBoJrH9vtM8OWk9YvsYJmsDtXNeyMnbc3jeGSUNaUpys%2FeBFPEBItGU5NvlHEiKjDoy%2B7ARshbjLab8QdkfzGpTdHwX2gAWtyM8aKXAOS%2BcdOaC3eXJW%2FN5mOCl5t%2BYc7uFiRbQz6%2FaOm1RLGwKDH9cpHdb%2BROQylniESiaa0aCJUDFzfFIDLuYHiGTf00Jc%3D&redirectType=meta" />
</noscript>
</head>
</html>
```
- Seems we got no clue there: the page is only a JavaScript/meta-refresh redirect to `/page/bouncy.php`, with no flag in it.
- Now let's open Wireshark again and check all of the DNS traffic.
- We found a different DNS destination this time. It goes to `18.217.1.57`.
- Next, apply the filter `dns and ip.dst_host == 18.217.1.57` and press Enter.
- If you look at the packets, each query name looks like a fragment of base64-encoded text.
- Now, let's follow every UDP stream to this destination IP host and concatenate each of them, in order.
RESULT:
```
cGljb0NURntkbnNfM3hmMWxfZnR3X2RlYWRiZWVmfQ==
```
- Finally, decode it using this command in your Kali Linux terminal:
```bash
echo "cGljb0NURntkbnNfM3hmMWxfZnR3X2RlYWRiZWVmfQ==" | base64 -d
```
- Or you can use this Python code:
```python
import base64

# The concatenated query names collected from the DNS packets sent to 18.217.1.57
strings = 'cGljb0NURntkbnNfM3hmMWxfZnR3X2RlYWRiZWVmfQ=='

# base64 works on bytes, so encode the text first, decode it, then turn the bytes back into text
base64_bytes = strings.encode('ascii')
message_bytes = base64.b64decode(base64_bytes)
result = message_bytes.decode('ascii')
print(result)
```
- We got the flag!
picoCTF{dns_3xf1l_ftw_deadbeef}
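The manual steps above (filter DNS to one destination, read the leading label of each query, concatenate in capture order, base64-decode) can be automated. The following is an added example written for this write-up, not code from the author or from picoCTF; it builds its own constructed DNS query packets with a hypothetical zone `exfil.example` and the documentation addresses `198.51.100.7` / `192.0.2.53`, so it runs offline without shark2.pcapng. It also shows the detection signal a defender would alert on: one destination receiving many distinct query names under a single zone.

```python
import base64
import struct
from collections import defaultdict

# --- constructed sample traffic (hypothetical, NOT taken from shark2.pcapng) ---
SECRET = b"constructed-sample{dns_exfil_demo}"   # what the "attacker" exfiltrates
EXFIL_DOMAIN = "exfil.example"                     # hypothetical attacker-controlled zone
SUSPECT_RESOLVER = "198.51.100.7"                  # hypothetical suspicious destination
NORMAL_RESOLVER = "192.0.2.53"                     # hypothetical legitimate resolver


def build_query(qname, txid):
    """Encode a minimal DNS question (A record, class IN) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # standard query, RD set
    body = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in qname.split("."))
    return header + body + b"\x00" + struct.pack("!HH", 1, 1)


def make_capture(chunk_len=8):
    """Split base64(SECRET) into chunk_len-sized labels, one per query, and interleave
    them with ordinary lookups. Returns (dst_ip, dns_payload) pairs in capture order."""
    b64 = base64.b64encode(SECRET).decode("ascii")
    chunks = [b64[i:i + chunk_len] for i in range(0, len(b64), chunk_len)]
    packets, txid = [], 0x1000
    for i, chunk in enumerate(chunks):
        packets.append((SUSPECT_RESOLVER, build_query(f"{chunk}.{EXFIL_DOMAIN}", txid)))
        txid += 1
        if i % 2 == 0:  # some benign traffic between the exfil queries
            packets.append((NORMAL_RESOLVER, build_query("www.example.org", txid)))
            txid += 1
    return packets


def parse_qname(payload):
    """Return the first question name of a DNS message. Question names in a query are
    never compressed, so a compression pointer here is treated as malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("not a DNS message with a question section")
    pos, labels = 12, []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length


def unique_qnames_per_destination(packets):
    """Detection heuristic: count distinct query names per destination. A destination
    with many unique names (each seen once) is the DNS tunnelling/exfil pattern."""
    seen = defaultdict(set)
    for dst, payload in packets:
        seen[dst].add(parse_qname(payload))
    return {dst: len(names) for dst, names in seen.items()}


def reassemble(packets, dst, zone):
    """Concatenate the leading label of every query to `dst` under `zone`, in capture
    order, then base64-decode the result (the 'follow each stream and concat' step)."""
    chunks = []
    for pkt_dst, payload in packets:
        if pkt_dst != dst:
            continue
        name = parse_qname(payload)
        if name.endswith("." + zone):
            chunks.append(name[: -len(zone) - 1])
    return base64.b64decode("".join(chunks))


if __name__ == "__main__":
    capture = make_capture()
    for dst, count in unique_qnames_per_destination(capture).items():
        print(f"{dst}: {count} distinct query names")
    print(reassemble(capture, SUSPECT_RESOLVER, EXFIL_DOMAIN).decode("ascii"))
```

The reassembly relies on capture order, which is what the write-up's stream-by-stream concatenation also assumes; real tooling usually carries a sequence number in another label, so on an unknown capture check the labels for a counter before trusting packet order.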