CSAW Quals 2017: Missed Registration Writeup

Solved by sh!v and sherl0ck

In this challenge we had been given a tcpdump capture file (scap.pcap) and this was the accompanying text :

It’s registration day! These forms just seem longer and longer…

We loaded up the file in wireshark and found that the dump contained the details of a  registration form being submitted and acknowledged. Here is a packet that contains the form that is being submitted :


As you can see, the form contains 8 fields namely, ‘name’, ‘lname’, ‘school’, ‘major’, ‘c’, ‘s’, ‘text’ and ‘n’. The ‘n’ field contains a huge hex value and the text field contains some nonsensical data. We first thought that the text field might contain some sort of cipher text and the n field will be containing the key. After spending some time, without success, trying to figure out how to decrypt  the  text with the key, we pasted the contents of the text field in Google translate and found that it was Latin, thus eliminating the possibility of it being a cipertext. We then tried converting the value in ‘n’ field to ASCII without any success.

Now we again looked at the dump in wireshark and found out that some packets contained and additional field ‘x’ :


The ‘x’ field again contained some hex data. We converted the value in the first occurrence of x into ASCII and here we saw something interesting:



The header is BM which is the file signature of the BMP file format.

We quickly wrote a python script to extract the value in the x field (in whichever packet it’s present), convert it to string and concatenate it and save it in file. Here is the script :

import dpkt

pcap = dpkt.pcap.Reader(f)
count = 0

print "Creating the flag ...."

for ts,buf in pcap:
    if start != -1:

print " [*] Done."



Opening the file :


So the flag was :






Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: