Another day, another challenge.
In today’s blog post we will be solving the “Special Agent User” challenge in PicoCTF.
Let’s get started.
Clicking on the challenge we see:
We have another pcap (packet capture file) and we need to find the User Agent. OK. Sounds plausible. Let’s look at the hints.
There’s a link that discusses user-agents in more detail. Let’s go to that link.
Opening that link we see the following:
The web page explains the different components of the User-Agent string. This will be useful.
Opening the packet capture file we notice the usual stuff: UDP and ICMP packets. As with the first “Digital Camouflage” challenge, we can ignore these.
User-Agent strings are found in HTTP requests, so we filter the packet capture down to just HTTP requests.
Doing this we see a packet that’s piqued our interest…
On packet 80 (GET / HTTP/1.1) we’ll do a right click, Follow, HTTP stream.
Doing this we have the following:
Looking at the last entry in the user agent, we can see that the packet is using Firefox 25. Entering that as the flag, we’ve acquired 50 points!
Another day, another challenge…
Today’s challenge will be on the InfoSec Institute CTF Challenge #6.
See scenario below:
Doing a page source we see the following:
We see that there’s a pcap file if we select yes.
Opening Wireshark (which can be downloaded HERE)
We see the following:
Wireshark is a program that is used to analyze network traffic. Most of the traffic in this file can be ignored as there is a lot of noise that is being displayed.
Looking at the first packet (UDP) we see the following:
We notice there are a bunch of letters and digits… possibly this is hexadecimal encoding?
Going to Google and searching for “hexadecimal decoding” we see the following link as the first result.
Clicking on the link and typing in the encoding we get the following:
We found the flag!
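Both write-ups end with the same two manual steps: reading the User-Agent out of a followed HTTP stream and hex-decoding a payload. Here is an added example (my own code, not part of either challenge) that does both on constructed sample bytes; the request and payload below are stand-ins, not the real capture contents.

```python
"""Added example: pull the User-Agent out of a followed HTTP stream and decode a
hex-encoded UDP payload. All sample bytes here are constructed for illustration."""
import re

# Constructed stand-in for what Wireshark's "Follow > HTTP Stream" shows for a GET.
SAMPLE_HTTP_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.local\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

def parse_request_headers(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into a lower-cased header dict.
    Everything after the blank line (the body) is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:   # [0] is the request line (GET / HTTP/1.1)
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def user_agent_products(raw: bytes) -> list:
    """Product/version tokens of the User-Agent, e.g.
    ['Mozilla/5.0', 'Gecko/20100101', 'Firefox/25.0'].
    Parenthesised comments (platform details) are stripped first."""
    ua = parse_request_headers(raw).get("user-agent", "")
    without_comments = re.sub(r"\([^)]*\)", "", ua)
    return [tok for tok in without_comments.split() if "/" in tok]

def browser_version(raw: bytes) -> tuple:
    """The last product token is normally the real browser (here Firefox 25)."""
    products = user_agent_products(raw)
    if not products:
        return ("", "")
    name, _, version = products[-1].partition("/")
    return (name, version.split(".")[0])

# Constructed stand-in for the hex letters seen in the first UDP packet.
SAMPLE_UDP_PAYLOAD = b"666c61677b636f6e7374727563746564217d"

def decode_hex_payload(payload: bytes) -> str:
    """Decode a payload made only of hex digits; return '' if it is not hex."""
    text = payload.decode("ascii", "ignore").strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", text) or len(text) % 2:
        return ""
    return bytes.fromhex(text).decode("utf-8", "replace")

if __name__ == "__main__":
    print(user_agent_products(SAMPLE_HTTP_REQUEST), browser_version(SAMPLE_HTTP_REQUEST))
    print(decode_hex_payload(SAMPLE_UDP_PAYLOAD))
```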
- Download Wireshark!
- Inspect the packets, and pay attention to those that stand out. Usually the suspicious packets hold clues!
- These clues won’t give us the pot of gold on the first try. Most of the data will be obscured, so we will need to encode or decode the data.
- Once we encode or decode usually the data will be there!
FYI – thenewboston on YouTube has a good beginner tutorial on Wireshark, which can be found HERE.