Eazy Network Analysis

Solved by Jun Ming!

Acquired suspicious packet file. The packet seems to be downloaded from the Skynetwork's own servers. With the packet file, identify information specified below:

  1. Time(UTC+0) of successful login to FTP. 'format : YYMMDD-HH:MM:SS'

  2. Character string that was found on the way.

Flag Format : CDDC2023{md5(Time of successful login to FTP_found character string)}

The objective of the challenge was to analyze a packet capture file (pcap) obtained from Skynetwork's own servers to extract specific information. We successfully completed the challenge by filtering FTP data, examining Word documents, identifying a unique string, locating a successful login timestamp, and generating the flag using MD5 hashing.

Firing up our Wireshark, we filtered the pcap file to display only FTP data instead of all FTP packets. By doing so, we focused specifically on the data transferred over the FTP protocol, which was essential for identifying the successful login timestamp.

ftp-data filtered

Next, we followed the TCP stream to inspect the transferred files. We noticed multiple Word documents among the captured FTP data. There were five (5) of them, and we extracted them all.

Instructions on how to extract FTP data from Wireshark!

  1. Filter the FTP-DATA packets which you would like to export

  2. Right-click, Follow > TCP Stream

  3. Change "Show and save data as" to Raw

  4. Click Save as...

  5. Enter the file name and extension

TCP Stream

One of the Word documents had a different byte size compared to the others, specifically Confidential3.docx.

This discrepancy caught our attention, leading us to investigate further. Upon opening this particular Word document, we discovered additional text at the bottom, which turned out to be the character string required for the challenge.

character strings!

Returning to the pcap file, we used the Ctrl+F (Find) function to search for the phrase "Login successful." Since there should be only one instance of this event, we identified the timestamp associated with the successful login.

This timestamp was in UTC+0 and in the format YYMMDD-HH:MM:SS, as specified in the challenge description.

login success!

Remember to hash those values!

CDDC2023{md5(230428-15:59:40_PcApng_@N@ly5i5_15_3@zzzZZzzzy~!)}

Final Flag: CDDC2023{4d03a0a083a7c29c64ee5f9d24133677}
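The login-timestamp and hashing steps above can also be scripted. The Python below is an added example, not part of the original write-up: it assumes a classic little-endian pcap with Ethernet/IPv4/TCP framing (a pcapng capture would need converting first), the function names are hypothetical, and the sample packets and `EXAMPLE_STRING` are constructed, with the accepted login stamped at the time reported above.

```python
import hashlib
import struct
from datetime import datetime, timezone

def ftp_login_times(pcap: bytes):
    """Return UTC times of FTP 230 replies in a classic little-endian pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected classic little-endian pcap (convert pcapng first)")
    hits, off = [], 24                       # skip the 24-byte global header
    while off + 16 <= len(pcap):
        sec, _usec, caplen, _orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Ethernet + IPv4 + TCP only; every other frame is skipped
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4    # IPv4 header length comes from IHL
        if len(frame) < tcp + 20:
            continue
        sport = struct.unpack_from("!H", frame, tcp)[0]
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
        # Server replies come from port 21: 230 = logged in, 530 = rejected
        if sport == 21 and payload[:3] == b"230":
            hits.append(datetime.fromtimestamp(sec, timezone.utc))
    return hits

def build_flag(login: datetime, found: str) -> str:
    """CDDC2023{md5(<YYMMDD-HH:MM:SS>_<string>)}, per the challenge text."""
    stamp = login.strftime("%y%m%d-%H:%M:%S")
    return "CDDC2023{" + hashlib.md5(f"{stamp}_{found}".encode()).hexdigest() + "}"

def sample_pcap() -> bytes:
    """Constructed capture: one rejected and one accepted FTP login reply."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    replies = [(1682697571, b"530 Login incorrect.\r\n"),
               (1682697580, b"230 Login successful.\r\n")]
    for sec, data in replies:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        tcp = struct.pack("!HHIIBBHHH", 21, 50000, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp + data
        out += struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for t in ftp_login_times(sample_pcap()):
        print(t.strftime("%y%m%d-%H:%M:%S"), build_flag(t, "EXAMPLE_STRING"))
```

Matching on the reply code rather than the text "Login successful" keeps the search independent of the server's wording, and the rejected 530 attempt in the sample is ignored.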
