This was one of the most interesting and definitely the most time-consuming CTF challenges that I have played. We are given a pcap file named stego.pcap, which we opened in the Wireshark packet analyser.
In packet number four there is an HTTP object called message.png.
This image can be obtained by exporting the HTTP objects from Wireshark.
After exporting the objects we get a PNG image of a stegosaurus.
Since the challenge is a steganography challenge and the image is that of a stegosaurus, we believed that this image surely contained the flag. Our belief was strengthened by a timely clue from the admin saying that the clue is inside the image name itself: "A cute stegosaurus". We tried for many hours to get any kind of flag out of the image, but all our efforts were in vain. Finally we understood that the image does not contain anything, so we went back to staring at the pcap file.
When we put this question to the admin they again responded with "The clue is in the image". We now understood that the clue was not "stegosaurus", so it had to be "A cute", but we did not know how to find anything based on "cute" in Wireshark. After some time we realised that it was not "A cute" but "Acute", so "acute" had something to do with the solution. We searched Wireshark for any field relating to "acute", but there is no field in Wireshark with that name.
After some time the admins released another clue saying to look at the TCP flags. That's when everything changed.
Looking at the TCP flags we can see the various bit fields: Reserved, Congestion Window Reduced and the others, but still nothing related to "acute". Actually there was: if one looks closely, "urgent" is a synonym of "acute", so the flag was related to the URG bit. So we checked the values of the corresponding urgent pointer field. Parsing through the pcap file, we find that for packets of a particular length the value of the urgent pointer is not zero. So we started from the first packet, reading the urgent pointer values as ASCII characters, and fortunately after parsing through the first few packets we got the flag:
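The technique above, recovering a message smuggled in the TCP urgent pointer field, can be automated instead of reading each packet by hand. The following is an added example (not code from the write-up or the challenge): a minimal classic-pcap reader in pure Python that walks Ethernet/IPv4/TCP frames, pulls the 16-bit urgent pointer from each TCP header and decodes every non-zero value as an ASCII character. The capture it runs on is constructed inline, and the flag inside it (`CTF{constructed}`) is a placeholder, not the challenge's flag.

```python
import struct

# Bytes of the classic pcap magic 0xa1b2c3d4 as written by a little-endian
# and a big-endian writer respectively.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"


def build_tcp_frame(urg_pointer, urg_flag, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame carrying the given urgent pointer."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"        # dst MAC, src MAC, EtherType IPv4
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0,  # IHL=5, protocol 6 = TCP
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    flags = 0x18 | (0x20 if urg_flag else 0)              # PSH|ACK, plus URG when asked
    doff_flags = (5 << 12) | flags                        # data offset 5 words + flags
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, doff_flags, 65535, 0, urg_pointer)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Constructed classic pcap file (little-endian, linktype 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body


def iter_frames(pcap):
    """Yield the raw link-layer bytes of every record in a classic pcap."""
    magic = pcap[:4]
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(e + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError("this example handles Ethernet captures only")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(e + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_urgent_pointer(frame):
    """Return (URG flag set, urgent pointer) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IP header length in bytes
    if frame[23] != 6:                                    # IP protocol field: not TCP
        return None
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    flags = tcp[13]                                       # low byte of offset/flags word
    urg = struct.unpack("!H", tcp[18:20])[0]              # urgent pointer field
    return bool(flags & 0x20), urg


def extract_urgent_chars(pcap):
    """Concatenate every non-zero urgent pointer value as an ASCII character."""
    out = []
    for frame in iter_frames(pcap):
        r = tcp_urgent_pointer(frame)
        if r is None:
            continue
        _urg_set, urg = r
        if urg == 0:                                      # normal traffic: nothing hidden
            continue
        out.append(chr(urg) if 0x20 <= urg <= 0x7E else "?")
    return "".join(out)


# Constructed sample capture: one ordinary request, the hidden message, one trailing packet.
SAMPLE_FLAG = "CTF{constructed}"   # placeholder, not the challenge's flag
SAMPLE_PCAP = build_pcap(
    [build_tcp_frame(0, False, b"GET /message.png HTTP/1.1\r\n")]
    + [build_tcp_frame(ord(c), True) for c in SAMPLE_FLAG]
    + [build_tcp_frame(0, False)])

if __name__ == "__main__":
    print(extract_urgent_chars(SAMPLE_PCAP))
```

Pointing `extract_urgent_chars` at the bytes of a real capture does the same job as scrolling through packets in Wireshark; the equivalent display filter there is `tcp.urgent_pointer != 0`, which is also the quickest way to check whether a capture is hiding anything in this field.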
Yes, for hours we thought it was in the picture :)
All our teammates enjoyed playing the CTF a lot. A good CTF, and thank you to all the admins for providing good hints; without them we would not have been able to solve the problem.