For level 6, we are asked to download “sharkfin.pcap” to hunt for the flag, which means that we should be prepared to analyse some network traffic. As hinted by the file name, “sharkfin”, let’s open the file using Wireshark and analyse it.
Usually, the first few steps that I take when I open any pcap file in Wireshark are to take a quick glance at which protocols were captured, then look into the more popular ones such as HTTP or FTP.
In this case, I followed UDP stream 0 and got the following string, which is probably the flag:
696e666f7365635f666c616769735f736e6966666564
True enough, it is a hexadecimal-encoded flag. Using Hackbar, I did a quick conversion and managed to get the flag for level 6, “infosec_flagis_sniffed”.
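The same two steps (pull the UDP payloads out of the capture, then hex-decode them) can be scripted. This is an added example, not part of the original write-up; it assumes a classic libpcap file with Ethernet/IPv4 framing, and the sample capture it builds, including its addresses and ports, is constructed for illustration.

```python
import binascii
import struct

FLAG_HEX = b"696e666f7365635f666c616769735f736e6966666564"  # string from the write-up

def build_sample_pcap(payload):
    """Constructed one-packet capture: Ethernet / IPv4 / UDP (addresses and ports made up)."""
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + udp  # zeroed MACs, EtherType IPv4
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame

def udp_payloads(pcap):
    """Yield the UDP payload of each Ethernet/IPv4/UDP packet in a classic pcap file."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap[:4])[0])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file (pcapng is not handled)")
    offset = 24  # skip the global header
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # too short, not IPv4, or not UDP (IP protocol 17)
        udp_start = 14 + (frame[14] & 0x0F) * 4  # honour the IP header length field
        if len(frame) < udp_start + 8:
            continue  # truncated UDP header
        udp_len = struct.unpack("!H", frame[udp_start + 4:udp_start + 6])[0]
        yield frame[udp_start + 8:udp_start + udp_len]

def decode_hex_ascii(data):
    """Return the decoded text if data is hex for printable ASCII, otherwise None."""
    try:
        raw = binascii.unhexlify(data.strip())
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii") if raw and all(32 <= b < 127 for b in raw) else None

def find_hex_strings(pcap):
    """Decode every UDP payload that turns out to be hex-encoded printable text."""
    return [text for text in map(decode_hex_ascii, udp_payloads(pcap)) if text]

if __name__ == "__main__":
    print(find_hex_strings(build_sample_pcap(FLAG_HEX)))
```

To run it against a downloaded capture, pass the file's bytes to `find_hex_strings` instead of the constructed sample.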