PicoCTF Chronicles: PcapPoisoning
You may be asking yourself, “how many of these packet capture CTFs is he going to post?”
The answer is Yes.
Anyway, this one is called PcapPoisoning.
Seems simple enough, a high percentage of solves but not the best approval rating. Let’s dive in.
Yet again, this is legitimately a pcap file, so that’s some good news. Let’s pop her open with Wireshark and see what we can see.
Well, that’s a first for these activities; the very first entry is a malformed IPv4 packet. For now, I’m going to stick to what I know and follow that DNS stream we see on line 5.
It seems like that’s the correct move; what does it mean by close, though?
Oh, it meant I just had to scroll to the end of all those FTP-DATA packets to get to the next TCP stream. There’s the flag. All I have to do is copy this packet as Hex + ASCII from Wireshark, paste it into Sublime, and remove the little bits of hex before the flag ASCII.
Got it!
I’m not sure why this one doesn’t have a very high approval rating. All you have to do is scroll through the packets and just, kind of, look at them.