PicoCTF : Eavesdrop - not1cyyy/CTF-Writeups GitHub Wiki
Description
Download this packet capture and find the flag.
Hint: All we know is that this packet capture includes a chat conversation and a file transfer.
Files
- capture.flag.pcap
Solution
Recon
- We have a pcap file, so we're definitely going to use Wireshark
Execution
I went ahead and opened the packet capture with Wireshark and got this:
The first idea is to follow the TCP stream, so I went to Analyze > Follow > TCP Stream:
We can see that this stream contains a conversation. It looks like they're transferring a file, but the receiver doesn't know how to decode it, so the sender provides a command: openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123
des3 and a password? Then what we're looking for is definitely salted, password-encrypted data. Let's keep looking!
The third TCP stream revealed this:
Bingo! Now, in order to extract the file, we need to convert it to raw data. We hit Save as and give it the name packet.des3.
Now from the terminal we run this modified command: openssl des3 -d -salt -in packet.des3 -out output.txt -k supersecretpassword123
┌─[not1cyyy@0x45] - [~/Desktop/picoCTF/eavesdrop] - [sam. avril 16, 16:28]
└─[$] <> openssl des3 -d -salt -in packet.des3 -out output.txt -k supersecretpassword123
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
This command results in an output file called output.txt. We cat this file and voilà!
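As an added example (not part of the original write-up and not OpenSSL's own code), this Python block shows what a file like packet.des3 contains and which key derivation the warning above refers to. It assumes the standard `openssl enc -salt` layout (8-byte `Salted__` marker, 8-byte salt, then ciphertext) and the single-pass EVP_BytesToKey derivation; the function names and sample bytes are constructed for illustration, and the digest is a parameter because the page does not say which OpenSSL version produced the file.

```python
import hashlib

MAGIC = b"Salted__"       # 8-byte marker written by `openssl enc -salt`
BLOCK = 8                 # 3DES block size in bytes
KEY_LEN, IV_LEN = 24, 8   # des3 is des-ede3-cbc: 24-byte key, 8-byte IV


def parse_salted(blob: bytes):
    """Split a carved blob into (salt, ciphertext); raise if the layout is wrong."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("no Salted__ header: not raw `openssl enc -salt` output")
    salt, body = blob[8:16], blob[16:]
    if not body or len(body) % BLOCK:
        raise ValueError("ciphertext is not a whole number of 8-byte blocks")
    return salt, body


def evp_bytes_to_key(password: bytes, salt: bytes, digest: str = "sha256"):
    """Single-pass EVP_BytesToKey, used when neither -pbkdf2 nor -iter is given.

    Default digest is sha256 (OpenSSL 1.1.0 and later); older builds used md5.
    Each round hashes previous_digest + password + salt exactly once, which is
    why password guessing against such a file is cheap.
    """
    material, prev = b"", b""
    while len(material) < KEY_LEN + IV_LEN:
        prev = hashlib.new(digest, prev + password + salt).digest()
        material += prev
    return material[:KEY_LEN], material[KEY_LEN:KEY_LEN + IV_LEN]


# Constructed sample: header + fixed salt + two dummy blocks (not the challenge file).
SAMPLE = MAGIC + bytes(range(8)) + b"\xaa" * 16

if __name__ == "__main__":
    salt, body = parse_salted(SAMPLE)
    key, iv = evp_bytes_to_key(b"supersecretpassword123", salt)
    print("salt:", salt.hex(), "| ciphertext bytes:", len(body))
    print("key bytes:", len(key), "| iv bytes:", len(iv))
```

Running `parse_salted` on the bytes saved from Wireshark is a quick check that the stream was exported intact before handing it to openssl.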
Flag
picoCTF{nc_73115_411_77b05957}