View on GitHub

cyber-camp-2020-writeup

Cyber Camp 2020 CTF by SANS Institute Writeup

NM01

Category Points Difficulty
Networking 250 Medium

Solution

After extracting the file, we are left with a pcap file. To open this file, we need a program called “wireshark”. Opening the program in wireshark and looking through the data, we find two important pieces of information, carried over TCP in the 4th and 26th packets. The two requests of interest have the following data:

546f646179732066696c652070617373776f72642069733a2053656375726550613535776f726438210a

377abcaf271c0004005d66ff9d0000000000000021000000000000001dd35f780d33d3d96b4736744d7a1a04c2341a73a68b2a1aae53d1bf3469a439dba46e0a0000813307ae0fd00eb03c9f39109c9fa6d533da7f1f33e7c9d59f4b0d385292c9ee2d08d1e40d681b121d894fe2da102dd1311928246708b494f0c1edc0017a8202f1398f964cb17f8c1fe13d4c80f9d76775dff12dcf333eb79bb870db79c97ef2e0ea2279c2836292279086a9a8a2cfa067e1d1c05b6d93d200000017062001097d00070b01000123030101055d001000000c808e0a01382d10310000

Decoding the first line of hex code gives us a password: SecurePa55word8!, which we will need to decode the next hex line. The next hex line is a 7z file. We know this by putting the line into CyberChef and saving the output to enc.7z will allow us to decrypt the file. By running the command 7z x enc.7z on Linux and typing in the password, we get the flag.

Flag: capturing_clouds_and_keys