Solved by sh!v and sherl0ck
In this challenge we were given a tcpdump capture file (scap.pcap) together with the following text:
It’s registration day! These forms just seem longer and longer…
We loaded the file in Wireshark and found that the dump contained a registration form being submitted and acknowledged. Here is a packet that contains the form being submitted:
As you can see, the form contains 8 fields, namely ‘name’, ‘lname’, ‘school’, ‘major’, ‘c’, ‘s’, ‘text’ and ‘n’. The ‘n’ field contains a huge hex value and the ‘text’ field contains some nonsensical data. We first thought that the ‘text’ field might contain some sort of ciphertext and that the ‘n’ field contained the key. After spending some time, without success, trying to figure out how to decrypt the text with the key, we pasted the contents of the ‘text’ field into Google Translate and found that it was Latin, thus eliminating the possibility of it being a ciphertext. We then tried converting the value in the ‘n’ field to ASCII, without any success.
We then looked at the dump in Wireshark again and found that some packets contained an additional field, ‘x’:
The ‘x’ field again contained some hex data. We converted the value in the first occurrence of x into ASCII and here we saw something interesting:
BM�B6(�$��� [the rest of the decoded output is non-printable binary data]
The output starts with “BM”, which is the file signature of the BMP image format.
We quickly wrote a Python script to extract the value of the ‘x’ field from every packet in which it is present, hex-decode it, concatenate the pieces and save the result to a file. Here is the script:
```python
import dpkt

f = open("./scap.pcap", "rb")
pcap = dpkt.pcap.Reader(f)
outf = open("flag", "wb")  # the reassembled BMP is binary, so write in binary mode
out = b""

print("Creating the flag ....")
for ts, buf in pcap:
    # look for the 'x' form field in the raw packet bytes
    start = buf.find(b"&x=")
    if start != -1:
        # everything after '&x=' is a hex-encoded chunk of the image
        # (this assumes 'x' is the last field in the form body)
        out = out + bytes.fromhex(buf[start + 3:].decode("ascii"))
print(" [*] Done.")

outf.write(out)
outf.close()
f.close()
```
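The script above relies on ‘x’ being the last field in every body. As an added example (not part of the original writeup), the following parses each form body as urlencoded data instead, so it finds ‘x’ wherever it sits, and checks the reassembled file against the BMP header before trusting it. The form bodies and the tiny 2x1 BMP split across them are constructed here for illustration; a real run would feed it the HTTP bodies pulled from scap.pcap.

```python
import struct
from urllib.parse import parse_qs


def make_bmp():
    """Constructed sample: a minimal 24-bit 2x1 BMP (62 bytes)."""
    pixels = b"\xff\x00\x00" + b"\x00\xff\x00" + b"\x00\x00"  # 2 px + row padding to 4 bytes
    size = 14 + 40 + len(pixels)
    file_hdr = b"BM" + struct.pack("<IHHI", size, 0, 0, 54)  # bfSize, reserved, pixel offset
    info_hdr = struct.pack("<IiiHHIIiiII", 40, 2, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


# Constructed form bodies with the same field layout as the challenge; the
# BMP hex is split over the 'x' field of three submissions. The second body
# puts 'x' before 'n' to show that extraction does not depend on field order.
_hex = make_bmp().hex()
BODIES = [
    "name=a&lname=b&school=c&major=d&c=1&s=2&text=lorem&n=deadbeef&x=" + _hex[:40],
    "name=a&lname=b&school=c&major=d&c=1&s=2&text=lorem&x=" + _hex[40:80] + "&n=deadbeef",
    "name=a&lname=b&school=c&major=d&c=1&s=2&text=lorem&n=deadbeef&x=" + _hex[80:],
]


def extract_x(body):
    """Return the hex-decoded 'x' field of one urlencoded body, or None if absent."""
    vals = parse_qs(body, keep_blank_values=True).get("x")
    return bytes.fromhex(vals[0]) if vals else None


def reassemble(bodies):
    """Concatenate the 'x' chunks in capture order and validate the BMP header."""
    data = b"".join(chunk for chunk in map(extract_x, bodies) if chunk)
    if data[:2] != b"BM":
        raise ValueError("missing BMP signature")
    declared = struct.unpack_from("<I", data, 2)[0]  # bfSize: total file size per the header
    if declared != len(data):
        raise ValueError(f"BMP header declares {declared} bytes, got {len(data)}")
    return data


if __name__ == "__main__":
    with open("recovered.bmp", "wb") as fh:
        fh.write(reassemble(BODIES))
    print("wrote recovered.bmp")
```

A size mismatch usually means a chunk was missed or duplicated (for example a retransmitted packet counted twice), which is worth checking before opening the image.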
Opening the file:
So the flag was:
FLAG{HElp_Th3_BANANASCRIPt-guy_15_thr0wing_m0nkeys@me}