Welcome back! So recently I played RC3 CTF 2016 as a solo participant in a team CTF event. The overall experience was awesome: great challenges and a good learning experience. I scored 3015 points and finished in 41st place at the end of the two-day event.
This was the first Forensics challenge, for which they provided a pcap traffic capture file. I initially opened it in Wireshark and, as you can see, the content is captured ICMP pings, over 98,000 packets of them. I started from the bottom and looked at the Data (24 bytes) of each request and reply.
It felt to me that it might be Base64. Then the struggle began. I had a clear idea: extract the packets using tshark. I fired up tshark to get the packet data, with the logic of taking the first 4 hex characters of each packet's Data, decoding the hex to get Base64, and decoding the Base64 to get the flag. But there was an issue: some of the data was duplicated (an echo reply carries back the data of its request), so I needed to extract the packets of one source or one destination only. I wasted a few minutes before figuring that out, then filtered on ip.src==192.168.1.1. Also, when you look at the packets, not all of the hex data is the same length: most are 48 characters, but a few aren't. That's not an issue either, since I planned to handle every such case automatically in code. So I used scapy and automated the process.
```python
#!/usr/bin/env python3
from scapy.all import IP, Raw, PcapReader, PacketList
import base64

chunk = b""
# Read the pcap and keep only the packets sent by 192.168.1.1; the echo
# replies carry the same data, which is where the duplicates came from.
readthis = PcapReader('somepang.pcap')
readthis = PacketList([p for p in readthis
                       if IP in p and Raw in p and p[IP].src == '192.168.1.1'])
print('[+] Source Packets Filtered')
for p in readthis:
    # Re-parse the ping payload as an IP header (as the original script did)
    # and take the two bytes at [-16:-14] of its serialized form.
    ip = IP(p[Raw].load)
    chunk += bytes(ip)[-16:-14]
print('writing')
# The decoded data starts with JFIF headers, so it's an image
with open('flag.jpg', 'wb') as target:
    target.write(base64.b64decode(chunk))
```
And ta-da, you get the flag: RC3-2016-PANG-ME-LIKE-ONE-OF-YOUR-FRENCH-GORILLAZ
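As an added example (my own code, not the script from the write-up above), here is the same extraction done without scapy, so you can see what the script relies on: a classic pcap is just a global header plus a length-prefixed record per frame, an ICMP echo carries its data right after the 8-byte ICMP header, and every echo reply repeats the request's data, which is exactly why filtering on one source removes the duplicates. The parser, the checksum routine, the sample capture (requests from 192.168.1.1 and their replies, a 24-byte payload with the hidden two bytes at offset 8, i.e. [-16:-14]) and the 11-byte "secret" are all constructed here; only the slice and the source filter are taken from the write-up. It also sniffs the decoded output's magic bytes instead of assuming it is a JPEG.

```python
#!/usr/bin/env python3
"""Carve a two-bytes-per-ping covert channel out of a classic pcap with only the
standard library (no scapy). Just the [-16:-14] slice and the 192.168.1.1 source
filter come from the write-up; everything else here is constructed."""
import base64
import struct

LINKTYPE_ETHERNET = 1


def iter_pcap_frames(data):
    """Yield the link-layer frame of every record in a classic libpcap file."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def icmp_echo_payloads(pcap_bytes, src_ip):
    """Yield the data field of each ICMP echo request/reply sent by src_ip. The
    source filter matters: a reply echoes its request's data, so without it
    every hidden chunk is collected twice."""
    for frame in iter_pcap_frames(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 over Ethernet only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[0] >> 4 != 4 or ip[9] != 1:  # protocol 1 = ICMP
            continue
        if ".".join(str(b) for b in ip[12:16]) != src_ip:
            continue
        icmp = ip[ihl:total_len]  # total_len also drops any Ethernet padding
        if len(icmp) >= 8 and icmp[0] in (0, 8):  # echo reply / echo request
            yield icmp[8:]


def reassemble(pcap_bytes, src_ip, chunk=slice(-16, -14)):
    """Join the hidden bytes of every ping and base64-decode them. A ping with a
    short payload contributes whatever the slice yields (maybe nothing)."""
    b64 = b"".join(p[chunk] for p in icmp_echo_payloads(pcap_bytes, src_ip))
    b64 += b"=" * (-len(b64) % 4)  # tolerate a sender that dropped the padding
    return base64.b64decode(b64)


MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG": "png", b"PK\x03\x04": "zip", b"%PDF": "pdf"}


def guess_extension(blob):
    """Name the output after its magic bytes instead of assuming it is a JPEG."""
    for sig, ext in MAGIC.items():
        if blob.startswith(sig):
            return ext
    return "bin"


def _checksum(data):  # RFC 1071 one's-complement sum, for the sample frames
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def echo_frame(src, dst, icmp_type, seq, data):
    """Constructed Ethernet/IPv4/ICMP echo frame with valid checksums."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + data
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    a, b = (bytes(int(x) for x in addr.split(".")) for addr in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0, a, b)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return b"\x02" * 6 + b"\x01" * 6 + b"\x08\x00" + ip + icmp


SECRET = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # constructed: first 11 bytes of a JPEG


def sample_pcap():
    """Constructed capture: request + reply per chunk, 24-byte payload, hidden
    bytes at offset 8 (that is [-16:-14]) like the challenge traffic."""
    b64 = base64.b64encode(SECRET)  # 16 characters -> 8 pings
    frames = []
    for seq, i in enumerate(range(0, len(b64), 2)):
        payload = b"\x00" * 8 + b64[i:i + 2] + b"\x00" * 14
        frames.append(echo_frame("192.168.1.1", "192.168.1.2", 8, seq, payload))
        frames.append(echo_frame("192.168.1.2", "192.168.1.1", 0, seq, payload))
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = (struct.pack("<IIII", 1480000000 + n, 0, len(f), len(f)) + f
            for n, f in enumerate(frames))
    return hdr + b"".join(recs)
```

For a real capture, pass `open('somepang.pcap', 'rb').read()` to `reassemble()` and write the result to a file named with `guess_extension()`; change the slice if the channel hides its bytes at a different offset. One thing it deliberately refuses is pcapng, which Wireshark and tshark write by default when saving; convert with `editcap -F pcap` first.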
This was the next challenge I did: an Android app to decompile and find the flag in. The hint said "Don't do dynamic analysis", which means the first thing you do is turn off the emulator and turn on the decompilers. I decompiled the application and started looking at potentially suspicious files. The flag, RC3-2016-GOTEM21, was inside a properties file.
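As an added example (mine, not the author's workflow or any particular decompiler), here is the static-only triage the hint is asking for, done from Python: an APK is a zip, so the resources stored as plain text (assets, res/raw, .properties files and the like) can be searched straight away for the RC3-2016- flag format, while classes.dex, native libraries and resources.arsc are only listed as "needs a decompiler". The sample APK, its entry names and the flag-like value inside it are constructed for this example.

```python
#!/usr/bin/env python3
"""Static-only APK triage: list what needs a decompiler (dex, native libs,
compiled resources) and grep everything that is already plain text for the
flag format. The sample APK below is constructed for this example."""
import io
import re
import zipfile

FLAG_RE = re.compile(rb"RC3-2016-[A-Za-z0-9_-]+")
TEXT_SUFFIXES = (".properties", ".txt", ".xml", ".json", ".ini", ".cfg", ".html", ".js")
OPAQUE_SUFFIXES = (".dex", ".so", ".arsc")  # readable only after a decompiler/unpacker


def looks_textual(blob):
    """Cheap binary check: a NUL or too many non-printable bytes means 'binary'."""
    sample = blob[:512]
    if not sample or b"\x00" in sample:
        return False
    printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in sample)
    return printable >= 0.9 * len(sample)


def parse_properties(text):
    """Java .properties: 'key=value' or 'key: value', '#'/'!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def scan_apk(apk_bytes, pattern=FLAG_RE):
    """Return (hits, opaque): hits maps an entry name to [(key, value), ...],
    where key is the .properties key holding the match (None for other text,
    with the match itself as value), and opaque lists the entries a decompiler
    would have to handle."""
    hits, opaque = {}, []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.endswith(OPAQUE_SUFFIXES):
                opaque.append(name)
                continue
            blob = z.read(name)
            if not (name.endswith(TEXT_SUFFIXES) or looks_textual(blob)):
                continue
            found = [m.decode() for m in pattern.findall(blob)]
            if not found:
                continue
            if name.endswith(".properties"):  # .properties files are ISO-8859-1 by spec
                props = parse_properties(blob.decode("latin-1"))
                hits[name] = [(k, v) for k, v in props.items()
                              if pattern.search(v.encode("latin-1"))]
            else:
                hits[name] = [(None, m) for m in found]
    return hits, opaque


def sample_apk():
    """Constructed APK-shaped zip: binary manifest, dex stub, a properties file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 60)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100)
        z.writestr("assets/config.properties",
                   "# constructed sample\nserver=https://example.invalid\n"
                   "debug_key = RC3-2016-EXAMPLE_FLAG\n")
        z.writestr("res/raw/notes.txt", "nothing to see here\n")
    return buf.getvalue()
```

On a real APK, `scan_apk(open('app.apk', 'rb').read())` gives you the cheap wins first (config files, leftover debug keys, strings in raw assets) and a list of what is worth feeding to a decompiler; the compiled AndroidManifest.xml shows up as a .xml that matches nothing, which is expected because it is binary XML, not text.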
This was a fun challenge involving 3D model analysis, which to me is the most awesome part of Forensics. An OBJ file was given and we had to analyze it. I used Autodesk for that on my Mac. I analyzed the 3D model, then cut it along the X axis at a particular body part of the dinosaur. Some text was visible; I rotated the 3D model 180 degrees, placed a cut on the X axis there and zoomed in. Having found the exact position, I was able to read the text: RC3-2016-St3GG3rz
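As an added example that is not the author's Autodesk workflow, here is the "cut on the X axis and look at what is exposed" step done in plain Python on a Wavefront OBJ: parse the vertices, keep the thin slab around the chosen X value, project the survivors onto the Y/Z plane and raster them as ASCII, with a mirror option that corresponds to viewing the cut from the other side (the 180-degree rotation above). The model, its box and the letter hidden at x=3 are all constructed for this example; the challenge's dinosaur is not reproduced.

```python
#!/usr/bin/env python3
"""Cut a Wavefront OBJ along one axis and raster the exposed cross-section as
ASCII: a stdlib stand-in for the 'cut on the X axis and zoom' step in a 3D
viewer. The model below is constructed for this example."""


def parse_obj(text):
    """Return the vertices of an OBJ as (x, y, z) tuples, in file order (OBJ face
    indices are 1-based references into this list). Faces/normals are ignored."""
    verts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "v":
            verts.append(tuple(float(c) for c in parts[1:4]))
    return verts


def slab(verts, axis, center, thickness):
    """Vertices whose coordinate on axis (0=X, 1=Y, 2=Z) lies within
    center +/- thickness/2: the material a cutting plane there would expose."""
    half = thickness / 2.0
    return [v for v in verts if abs(v[axis] - center) <= half]


def render(points, u=1, v=2, cell=1.0, mirror=False):
    """ASCII raster of points projected onto axis u (columns) and v (rows, up).
    mirror=True flips the columns, i.e. views the cut from the other side."""
    if not points:
        return []
    us, vs = [p[u] for p in points], [p[v] for p in points]
    cols = int(round((max(us) - min(us)) / cell)) + 1
    rows = int(round((max(vs) - min(vs)) / cell)) + 1
    grid = [[" "] * cols for _ in range(rows)]
    for p in points:
        c = int(round((p[u] - min(us)) / cell))
        r = int(round((max(vs) - p[v]) / cell))
        grid[r][cols - 1 - c if mirror else c] = "#"
    return ["".join(row) for row in grid]


def cross_section(obj_text, x, thickness=0.2, mirror=False):
    """Cut the model at X = x and return the ASCII view of what is exposed."""
    return render(slab(parse_obj(obj_text), 0, x, thickness), mirror=mirror)


# Constructed model: a 20x10x10 box plus an "L" embossed as vertices at x=3,
# which no face references and which only shows up on the right cut.
SAMPLE_OBJ = "\n".join(
    ["# constructed box"]
    + ["v %d %d %d" % (x, y, z) for x in (-10, 10) for y in (-5, 5) for z in (-5, 5)]
    + ["f 1 2 4 3", "f 5 6 8 7"]
    + ["# constructed inscription"]
    + ["v 3 0 %d" % z for z in range(5)]      # stem of the L, up the Z axis
    + ["v 3 %d 0" % y for y in range(1, 4)]   # foot of the L, along Y
)

if __name__ == "__main__":
    print("\n".join(cross_section(SAMPLE_OBJ, 3.0)))
```

With a real model you do not know the right X in advance, so sweep `x` in small steps over the model's extent and look for a slab whose raster is more than the outline of the body; when the letters come out backwards, that is the mirror case, and `mirror=True` is the equivalent of the 180-degree turn. Lower `cell` to zoom in on a dense inscription.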
I will update this space soon; the CTF site is currently down, so I am unable to see the questions. Once it is up I will add some other solutions too 🙂
I have kept the solutions for WEB 300 and PWN 150 on my Twitter, as they were one-liner exploits 🙂
Anyway, I solved:
4/4 Web Challenges
4/5 Forensics Challenges
5/5 Trivia Challenges
3/5 MISC Challenges
2/4 Pwn & Reverse Challenges
4/6 Cryptography Challenges
Follow Me : https://twitter.com/aaditya_purani