[Forensics] Square CTF - Sniffed Off the Wire


Sniffed Off the Wire
🚩
Sifting through the noise
100 points
Forensics

After weeks of perching, our avian operatives captured a suspicious network flow. Maybe there’s valuable data inside?
https://cdn.squarectf.com/challenges/sniffed-off-the-wire.pcap

We have a pcap. Analysing it in Wireshark and following the TCP stream, we can see a lot of strange characters:



These strange characters are terminal escape sequences. They can do a lot of things, like changing the colour of text printed in the terminal, and other things such as moving the cursor or erasing text. If we print some characters like this in the terminal with C/Python/Perl/Ruby etc.:

```python
# ANSI SGR (colour/style) escape sequences: ESC [ <code> m
class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'      # reset all attributes
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

# Wrap the message in the yellow "warning" colour and reset afterwards
print(bcolors.WARNING + "Warning: No active frommets remain. Continue?" + bcolors.ENDC)
```

This prints the text in yellow in the terminal. The characters seen in Wireshark do the same kind of thing, but with other functions, not just changing the colour. First we need to decode all the hexadecimal in the data field of each TCP packet:



Let's use bash to extract all the hexadecimal and convert it to text:

```bash
# -Y "data": keep only packets carrying a payload; -e data.data: print that payload as hex.
# tr strips the byte separators and newlines so xxd can decode one continuous hex string to raw bytes.
tshark -r sniffed-off-the-wire.pcap -Y "data" -T fields -e data.data | tr -d ':|\n' | xxd -r -p
```

Those characters actually write the flag and then delete it, so I had to take a screenshot of the terminal at the right moment; with this I ended up getting the flag:
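Instead of racing to screenshot the terminal, the decoded byte stream can be replayed offline by a tiny terminal emulator that also logs every printable byte before any erase sequence removes it. This is an added example, not part of the original writeup: the input is a constructed sample standing in for the pcap's real payload, and the handled sequences (cursor moves, erase-in-line, erase-in-display, colours) are assumed to be the kind the challenge uses.

```python
import re
# One CSI escape: ESC [ <params> <final byte>.  Added example, not from the writeup.
CSI_RE = re.compile(rb"\x1b\[([0-9;?]*)([@-~])")

def render(stream: bytes, width: int = 80, height: int = 24):
    """Replay raw terminal output on a blank screen.  Returns (screen_lines, written):
    what a viewer sees at the end, plus every printable byte in write order, which
    survives even when the sender erases it afterwards (this challenge's trick)."""
    screen = [[" "] * width for _ in range(height)]
    row = col = 0
    written = bytearray()
    i = 0
    while i < len(stream):
        b = stream[i]
        m = CSI_RE.match(stream, i) if b == 0x1B else None
        if m:
            raw = m.group(1).lstrip(b"?")
            nums = [int(p) if p else 0 for p in raw.split(b";")] if raw else []
            n, final = (nums[0] if nums else 0), m.group(2)
            if final == b"A":   row = max(0, row - (n or 1))            # cursor up
            elif final == b"B": row = min(height - 1, row + (n or 1))   # cursor down
            elif final == b"C": col = min(width - 1, col + (n or 1))    # cursor right
            elif final == b"D": col = max(0, col - (n or 1))            # cursor left
            elif final == b"H":                                         # cursor position (1-based)
                row = min(height - 1, max(n, 1) - 1)
                col = min(width - 1, max(nums[1] if len(nums) > 1 else 1, 1) - 1)
            elif final == b"K":                                         # erase in line
                lo, hi = {0: (col, width), 1: (0, col + 1)}.get(n, (0, width))
                screen[row][lo:hi] = [" "] * (hi - lo)
            elif final == b"J":                                         # erase in display
                for r in range(height):
                    if (n == 0 and r >= row) or (n == 1 and r <= row) or n >= 2:
                        lo = col if (n == 0 and r == row) else 0
                        hi = col + 1 if (n == 1 and r == row) else width
                        screen[r][lo:hi] = [" "] * (hi - lo)
            i = m.end()   # SGR colours (m) and anything else only change styling: ignored
            continue
        if b == 0x0D:   col = 0                                         # carriage return
        elif b == 0x0A: row = min(height - 1, row + 1)                  # line feed (no scrollback)
        elif b == 0x08: col = max(0, col - 1)                           # backspace
        elif 0x20 <= b < 0x7F:                                          # printable: draw and log
            screen[row][col] = chr(b)
            written.append(b)
            col = min(width - 1, col + 1)
        i += 1
    return ["".join(r).rstrip() for r in screen], written.decode("ascii")

# Constructed sample: flag printed in bold yellow, then wiped with CR + erase-line.
SAMPLE = (b"\x1b[2J\x1b[H\x1b[1;33mflag{constructed_example}\x1b[0m"
          b"\r\x1b[2Knothing to see here\n")
```

Piping the tshark pipeline's output into `render(sys.stdin.buffer.read())` gives both the final screen (what a screenshot would show) and the full write log containing the erased text.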