ASIS CTF 2014: forensic

May 13, 2014

After extracting the challenge archive we get a fairly big pcap file. As usual, the problem is to find anything helpful in it.

One valid approach in challenges like this is to look at all the files that were downloaded. You can do that in Wireshark with “Export Objects”, which is quite tiresome in this particular challenge because of the large number of files requested throughout the session.
The other option is to look at the “Conversations” in the capture and sort by packet length, which I finally did after a long time of scrolling through hundreds of useless packets…

[Figure 001: Wireshark conversations of the original capture, sorted by packet length]

So the largest file in this capture was a file named “myfile”, downloaded from a rather unusual port of a server that is no longer reachable (and that is also in the same subnet as the client. Interesting!).
It seems we are lucky: the file at least looks interesting, as it is another pcap file. Unfortunately Wireshark can’t open it without some fixing beforehand.
I’m sure there are many ways to look at the capture file, but I just downloaded a program called “pcapfix”, which worked quite well. After fixing the file, Wireshark was able to open it.

My joy at finding this file faded when I saw roughly another 20000 captured packets. However, remembering how I found that file, I opted to do the same thing again: look at the conversations and sort by packet length.

[Figure 002: Wireshark conversations of the fixed “myfile” capture, sorted by packet length]

Now that’s very interesting: a telnet conversation and some huge files. Even though the telnet conversation seems interesting at first, it is not really useful…
However, there are still the other three files, and indeed, after some time spent looking up which port/protocol was used to transfer them and what kind of files we were dealing with, we find that the three big files are PostScript files.
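The two steps used above, checking whether a capture is structurally sound (the part a tool like pcapfix handles) and ranking TCP conversations by bytes to surface the largest transfer, can be reproduced offline without Wireshark. The following script is an added example and is not part of the original write-up, nor is it code from pcapfix or Wireshark; it is a minimal libpcap reader using only the standard library, fed with a small capture that is constructed inline (the hosts 10.0.0.2 / 10.0.0.7 and port 31337 are made-up sample values, not the challenge's). Note that the reader stops at the first record with an impossible length, which is exactly the kind of damage that makes Wireshark refuse a file; it does not attempt the resynchronisation a repair tool performs.

```python
import struct
from collections import defaultdict

# --- minimal libpcap reader; the header checks are the ones a repair tool verifies first ---
PCAP_GLOBAL_HDR = 24
PCAP_RECORD_HDR = 16
LINKTYPE_ETHERNET = 1


def read_pcap(data: bytes):
    """Validate the global header and return the captured frames.
    Stops at the first record whose length field is impossible."""
    if len(data) < PCAP_GLOBAL_HDR:
        raise ValueError("file shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian, usec / nsec timestamps
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian
        endian = ">"
    else:
        raise ValueError("bad pcap magic: %#x" % magic)
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:PCAP_GLOBAL_HDR])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    frames, off = [], PCAP_GLOBAL_HDR
    while off + PCAP_RECORD_HDR <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + PCAP_RECORD_HDR])
        off += PCAP_RECORD_HDR
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            break  # corrupt or truncated record: a repair tool would try to resync here
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def check_pcap(data: bytes) -> bool:
    """True if the global header is sane, False otherwise (never raises)."""
    try:
        read_pcap(data)
        return True
    except ValueError:
        return False


def tcp_conversations(frames):
    """Group IPv4/TCP frames by unordered endpoint pair, like Wireshark's
    Statistics -> Conversations -> TCP tab, summing frame bytes per pair."""
    convs = defaultdict(lambda: {"frames": 0, "bytes": 0})
    for frame in frames:
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue  # not TCP, or truncated TCP header
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        key = tuple(sorted([(src, sport), (dst, dport)]))
        convs[key]["frames"] += 1
        convs[key]["bytes"] += len(frame)
    return dict(convs)


def sorted_by_bytes(convs):
    """Largest conversation first: the view that surfaced 'myfile' in the write-up."""
    return sorted(convs.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


# --- constructed sample capture (not real traffic): checksums are left zero, only headers matter here ---
def _frame(src, sport, dst, dport, payload):
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def _pcap(frames, endian="<"):
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack(endian + "IIII", 1400000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    # a small, unremarkable HTTP exchange (constructed; 203.0.113.10 is a documentation address)
    _frame("10.0.0.2", 50000, "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    _frame("203.0.113.10", 80, "10.0.0.2", 50000, b"HTTP/1.1 200 OK\r\n\r\n<html></html>"),
    # one large download from an unusual port on a host in the client's own subnet (constructed)
    _frame("10.0.0.2", 50001, "10.0.0.7", 31337, b"GET /myfile HTTP/1.1\r\n\r\n"),
] + [_frame("10.0.0.7", 31337, "10.0.0.2", 50001, b"\xd4\xc3\xb2\xa1" + b"A" * 1000) for _ in range(4)])

if __name__ == "__main__":
    for (a, b), stats in sorted_by_bytes(tcp_conversations(read_pcap(SAMPLE_PCAP))):
        print("%s:%d <-> %s:%d  frames=%d bytes=%d" % (a[0], a[1], b[0], b[1], stats["frames"], stats["bytes"]))
```

On a real file, replace `SAMPLE_PCAP` with the bytes read from disk; the top entry of the ranking is the stream to follow and save, and `check_pcap` returning False is the signal that the file needs repairing before Wireshark will open it.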

When opening those files, one file tells us the flag in ASCII art:

[Figure 003: the flag shown in ASCII art in one of the PostScript files]

2 Responses to “ASIS CTF 2014: forensic”

  1. Hello, I fixed myfile and tried to export HTTP files, but received 1 file, “object17825”, and don’t know what to do.

  2. In the fixed myfile you do not have to export HTTP files. Look at the conversations: in the TCP conversations tab, sort by bytes and click “Follow Stream” on the biggest file. Now click “Save as” and you get a PostScript file (see picture 2).
