PicoCTF - shark on wire 2

Posted on 2024-01-31 | Post modified | In Security/Practice/PicoCTF/Misc/Flow |

PicoCTF - shark on wire 2

Recon

這一提出的很硬要，誰知道會把flag藏在這種地方，也沒有任何的提示，如果不是看¹根本不知道這題要表達甚麼，也可能是我太蔡

Simple Recon 首先做一些基本的recon，諸如dump files/string search/follow tcp or udp之類的，會發現UDP packets會有一些訊息出現，其中出現Start和一些a/b最後接著end
Set filter as udp.port==22 會發現其中所有的len都一樣，就只有source port不一樣，同樣都是5xxx開頭，而後三位數就是flag
Extract Flag 所以只要把所有的port擷取出來拚在一起，就可以拿到flag了

Exploit

import pyshark

capture = pyshark.FileCapture('./PicoCTF/Misc/shark on wire 2/capture.pcap', display_filter='udp.port == 22')

data = []
for pkt in capture:
    if pkt.udp.port != '5000':
        data.append(chr(int(pkt.udp.port[1:])))
print("".join(data))

Flag: picoCTF{p1LLf3r3d_data_v1a_st3g0}

Reference

PicoCTF 2019 - shark on wire 2 ↩

Post author: SBK6401
Post link: https://bernie6401.github.io/security/practice/picoctf/misc/flow/2024/01/31/PicoCTF-shark-on-wire-2/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.