pcaps_or_it_didnt_happen

packet analysis

wireshark

networking

Competition: iCTF24

Challenge Author: Stijn

Date: Jan. 16, 2025

Your computer has been acting weirdly lately and you suspect that some malicious actors are targetting your system. You therefore decided to run a network capture to see what type of traffic is hitting your machine. We did some preliminary filtering of the traffic and suspect indeed some malicious traffic hitting your system. Can you identify the malicious packets to obtain the flag?


Hints

Try using tools like Wireshark to take an initial look at the traffic.

Use Python to read in the pcap file and extract features.

Perhaps you can do some anomaly detection on the traffic to discover interesting patterns?

Solution

We are given a pcap file with various TCP traffic. Looking through the capture, we can see strange packets going to port 1337.

![](/media/writeup_images/iCTF24/pcaps_or_it_didnt_happen/2025-01-15-22-07-46_pcaps_or_it_didnt_happen_.png)

After filtering for packets going to port 1337 to get all packets relating to the attack, I noticed strange characters at the end of each payload.

![](/media/writeup_images/iCTF24/pcaps_or_it_didnt_happen/2025-01-15-22-08-02_pcaps_or_it_didnt_happen_.png)

![](/media/writeup_images/iCTF24/pcaps_or_it_didnt_happen/2025-01-15-22-08-15_pcaps_or_it_didnt_happen_.png)

Concatenating all of those trailing characters and decoding the result from base64 gives the flag.

![](/media/writeup_images/iCTF24/pcaps_or_it_didnt_happen/2025-01-15-22-08-31_pcaps_or_it_didnt_happen_.png)
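As an added example (not part of the writeup), the same approach in standard-library Python: parse the pcap, keep only TCP segments sent to port 1337, join the trailing fragment of each payload and base64-decode the result. It assumes an Ethernet/IPv4 capture and that the fragment is the last 4 bytes of each payload (`TAIL_LEN`); the real challenge's fragment boundary is not given here, and the sample capture and flag are constructed.

```python
import base64
import struct

PORT = 1337  # the port the writeup filters on
TAIL_LEN = 4  # assumption: each payload's fragment is its last 4 bytes

def iter_tcp_payloads(pcap):
    """Yield (dst_port, payload) for each IPv4/TCP record in a little-endian Ethernet pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:  # not IPv4
            continue
        ip = frame[14:]
        ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
        if proto != 6:  # not TCP
            continue
        tcp = ip[ihl:total_len]  # total_len bound drops any Ethernet trailer
        dport = struct.unpack_from("!H", tcp, 2)[0]
        yield dport, tcp[(tcp[12] >> 4) * 4 :]  # data offset -> payload start

def recover_flag(pcap, port=PORT, tail_len=TAIL_LEN):
    """Join the trailing fragment of every payload sent to `port`, then base64-decode."""
    frags = b"".join(p[-tail_len:] for d, p in iter_tcp_payloads(pcap) if d == port and p)
    return base64.b64decode(frags)

def _segment(dport, payload):
    """Constructed Ethernet/IPv4/TCP frame in a pcap record (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def build_sample_pcap():
    """Constructed capture: one decoy HTTP segment plus four segments to port 1337
    whose 4-byte tails spell the base64 of b'flag{demo}' (a made-up flag)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    decoy = _segment(80, b"GET / HTTP/1.0\r\n\r\n")
    tails = [b"Zmxh", b"Z3tk", b"ZW1v", b"fQ=="]
    evil = b"".join(_segment(PORT, b"keepalive %d " % i + t) for i, t in enumerate(tails))
    return header + decoy + evil

if __name__ == "__main__":
    print(recover_flag(build_sample_pcap()))  # b'flag{demo}'
```

On a real capture, read the file with `open(path, "rb").read()` and adjust `TAIL_LEN` (or the slicing in `recover_flag`) to however the fragments are actually delimited in the payloads.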