
Hacking for n00bz – Level 13

Level 13 requires us to find the backup file for the challenge. Well, it looks like the search for the backup file is the challenge itself.

n00bz Level 13

I tried navigating to some of the common backup paths I could think of, such as /levelthirteen-backup.php, /levelthirteen_backup.php, /archive.php, /archives.php, /backup.php, /backups.php, etc., but with no luck. After that I read some forums; it seems some people name quick backups by date or version, such as /levelthirteen.php.20160520 or /levelthirteen.php.v2.2, etc.

And then there are also some people who simply append “old” to the file name, such as /levelthirteen.php.old, which in this case is where the backup of level 13 is stored. Trial and error – checked!

As shared in my previous write-ups, I like to run file and strings on any file I come across as a simple first check. And that is exactly what I did.

strings levelthirteen.php.old

Based on the content of the backup file, we can see a new PHP code snippet which prompts us to download a mysterious file, “misc/imadecoy” – just like in the past challenges. I bet you are getting the hang of it by now. Let’s check what the new file we just downloaded is.

file imadecoy

Below is the output:

imadecoy: tcpdump capture file (little-endian) – version 2.4 (Linux “cooked”, capture length 65535)

Looks like it is a tcpdump capture file. Remember we used Wireshark to open and analyse the pcap file in level 6? Let’s do the same for this file.

First, open the file; as you can see, there is a lot of DNS traffic. Let’s look for HTTP traffic with a packet display filter,

tcp contains http

n00bz Level 13

Looks like quite a number of files related to honeypy were transmitted during the tcpdump capture. You will also notice that the source and destination are both 127.0.0.1 / localhost. If that is the case, you cannot visit the same website to see what the contents are. However, you can export the objects. Simply go to “File > Export Objects > HTTP…” and you will see the following prompt,

n00bz Level 13

You can choose to save all files and perform further analysis. For level 13 you will only need the “HoneyPY.PNG” file, as the flag is right in the image: “infosec_flagis_morepackets”.

Back to write-up list for InfoSec Institute CTF #1: Hacking for n00bz


More Compiled List of Sample PCAP Files for Practice

Wireshark GUI
Image Courtesy: Wikipedia/Wireshark

A quick follow-up to one of my earlier posts on a compiled list of sample PCAP files: here are more files for practising Wireshark features and techniques, some of which even have blog posts on decrypting the captures. I hope they are helpful to you too.


Compiled List of Sample PCAP Files for Practice

I was once tasked with investigating a packet capture (pcap) file to retrieve some information. Before I was given the task, I didn’t know anything about pcap files. Some simple research will tell you that it is a file format that stores captured network traffic.

Interesting, huh?

Wireshark GUI
Image Courtesy: Wikipedia/Wireshark

One of the best tools used in the industry for packet capture and analysis is, without doubt, Wireshark. The tool has many features, but I am not going to write a step-by-step guide today. What I am going to share is a compiled list of sample pcap files.

That’s right: a list of sample pcap files contributed by people in the community and collected together in the Wireshark Wiki. It is very useful for people learning Wireshark who want to practise analysis or test out features on good pcap files with many variants of realistic network traffic; furthermore, the choices are vast and interesting (since you did not create them yourself, there is an element of surprise).

Check out the list: https://wiki.wireshark.org/SampleCaptures


Hacking for n00bz – Level 6

For level 6, we are asked to download “sharkfin.pcap” to hunt for the flag, which means we should be prepared to analyse some network traffic. As hinted by the file name, “sharkfin”, let’s open the file in Wireshark and analyse it.

n00bz Level 6

Usually the first thing I do when I open any pcap file in Wireshark is to take a quick glance at which protocols were captured, then look into the more common ones such as HTTP or FTP.

In this case, I followed UDP stream 0 and got the following string, which is probably the flag,

696e666f7365635f666c616769735f736e6966666564

True enough, it is a hex-encoded flag. Using HackBar, I did a quick conversion and got the flag for level 6, “infosec_flagis_sniffed”.
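Added example (not part of the original write-ups): a minimal pure-Python pcap reader that does by script what the level 13 and level 6 posts do by hand, keeping TCP payloads that contain the bytes HTTP (the same case-sensitive byte match as the `tcp contains http` display filter) and hex-decoding a UDP payload like the level 6 flag. It builds its own small Linux “cooked” capture in memory, so the addresses, ports and HTTP response are constructed samples, not the challenge data.

```python
import struct

LINKTYPE_SLL = 113  # Linux "cooked" capture, as `file` reported for imadecoy

def _ipv4(proto, payload):
    # Minimal 20-byte IPv4 header, 127.0.0.1 -> 127.0.0.1, checksum left zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1])) + payload
def _tcp(sport, dport, data):
    # 20-byte TCP header: data offset 5, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 0, 0, 0) + data
def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
def _sll(ip):
    # 16-byte SLL (cooked) header; 0x0800 = IPv4
    return struct.pack("!HHH8sH", 0, 1, 6, b"\0" * 8, 0x0800) + ip

def build_sample_pcap():
    """Constructed sample capture: one UDP packet (hex flag) and one HTTP response."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_SLL)
    frames = [
        _sll(_ipv4(17, _udp(5353, 5353, b"696e666f7365635f666c616769735f736e6966666564"))),
        _sll(_ipv4(6, _tcp(80, 40000, b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG"))),
    ]
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_payloads(pcap):
    """Yield ("tcp"|"udp", payload) for every IPv4 packet; handles SLL and Ethernet."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    assert magic == 0xA1B2C3D4, "not a little-endian pcap file"
    l2len = 16 if linktype == LINKTYPE_SLL else 14
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        ip = pcap[off + 16 + l2len:off + 16 + caplen]
        off += 16 + caplen
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        l4 = ip[ihl:]
        if proto == 6:      # TCP: skip a header of (data offset * 4) bytes
            yield "tcp", l4[(l4[12] >> 4) * 4:]
        elif proto == 17:   # UDP: fixed 8-byte header
            yield "udp", l4[8:]

def http_payloads(pcap):
    # Same idea as Wireshark's `tcp contains http`: a case-sensitive byte match
    return [p for proto, p in iter_payloads(pcap) if proto == "tcp" and b"HTTP" in p]

def decode_hex_flag(payload):
    # The level 6 flag is the ASCII hex of the real string; bytes.fromhex undoes it
    return bytes.fromhex(payload.decode("ascii")).decode("ascii")
```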
