Eazy Network Analysis

Solved by Jun Ming!


Last updated 1 year ago

Acquired suspicious packet file. The packet seems to be downloaded from the Skynetwork's own servers. With the packet file, identify information specified below:

  1. Time(UTC+0) of successful login to FTP. 'format : YYMMDD-HH:MM:SS'

  2. Character string that was found on the way.

Flag Format : CDDC2023{md5(Time of successful login to FTP_found character string)}

The objective of the challenge was to analyze a packet capture file (pcap) obtained from Skynetwork's own servers to extract specific information. We successfully completed the challenge by filtering FTP data, examining Word documents, identifying a unique string, locating a successful login timestamp, and generating the flag using MD5 hashing.

Firing up our Wireshark, we filtered the pcap file to display only FTP data instead of all FTP packets. By doing so, we focused specifically on the data transferred over the FTP protocol, which was essential for identifying the successful login timestamp.

Next, we followed the TCP stream to inspect the transferred files. We noticed multiple Word documents among the captured FTP data. There were FIVE (5) of them and we extracted them.

Instructions on how to extract FTP data from Wireshark!

  1. Filter FTP-DATA packets which you would like to export

  2. Right-click, Follow > TCP Stream

  3. Change Show and save data as Raw

  4. Click Save as...

  5. Enter the file name and extension

One of the Word documents had a different byte size compared to the others, specifically Confidential3.docx.

This discrepancy caught our attention, leading us to investigate further. Upon opening this particular Word document, we discovered additional text at the bottom, which turned out to be the character string required for the challenge.

Returning to the pcap file, we used the Ctrl+F (Find) function to search for the phrase "Login successful." Since there should be only one instance of this event, we identified the timestamp associated with the successful login.

This timestamp was in UTC+0 and in the format YYMMDD-HH:MM:SS, as specified in the challenge description.

Remember to hash those values!

CDDC2023{md5(230428-15:59:40_PcApng_@N@ly5i5_15_3@zzzZZzzzy~!)}

Final Flag: CDDC2023{4d03a0a083a7c29c64ee5f9d24133677}
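The login lookup and flag construction described above can also be scripted. This is an added example, not part of the original writeup: it assumes the capture has been saved from Wireshark as a classic Ethernet pcap (not pcapng), and the function names and the one-packet sample capture are constructed for illustration.

```python
import hashlib
import struct
from datetime import datetime, timezone

def ftp_login_times(pcap: bytes):
    """UTC times (YYMMDD-HH:MM:SS) of FTP '230' replies in a classic Ethernet pcap."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap; save or convert the pcapng first")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    times, off = [], 24
    while off + 16 <= len(pcap):
        ts_sec, _usec, incl, _orig = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        # Keep only IPv4 (EtherType 0x0800) carrying TCP (protocol 6).
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 20:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        # Reply code 230 from the server's control port means the login succeeded.
        if struct.unpack_from("!H", tcp, 0)[0] == 21 and payload.startswith(b"230 "):
            stamp = datetime.fromtimestamp(ts_sec, timezone.utc)
            times.append(stamp.strftime("%y%m%d-%H:%M:%S"))
    return times

def build_flag(login_time: str, found: str) -> str:
    """CDDC2023{md5(<login time>_<found string>)}, as the challenge specifies."""
    digest = hashlib.md5(f"{login_time}_{found}".encode()).hexdigest()
    return "CDDC2023{" + digest + "}"

def sample_pcap(ts_sec: int) -> bytes:
    """Constructed one-packet capture: an FTP server sending '230 Login successful.'"""
    tcp = struct.pack("!HHIIBBHHH", 21, 50000, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    tcp += b"230 Login successful.\r\n"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = bytes(12) + b"\x08\x00" + ip + tcp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    when = int(datetime(2023, 4, 28, 15, 59, 40, tzinfo=timezone.utc).timestamp())
    login = ftp_login_times(sample_pcap(when))[0]
    print(login, build_flag(login, "constructed-string"))
```

Formatting the packet's epoch seconds with an explicit UTC timezone avoids the local-time offset that Wireshark's default time display can introduce.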

Challenge Files: Eazy_Network_Analysis.zip (1MB archive)

Figure captions: ftp-data filtered; TCP Stream; character strings!; login success!