RingZer0team CTF - Challenge 44

Posted on Sat 24 June 2017 in Security

There are a bunch of fantastic Capture The Flag security challenges on RingZer0Team.com. I've been working through some of these for a wee while now, and with the New Zealand Cyber Security Challenge coming up again soon, I thought I'd get back into some of them.

Challenge 56 ("Hey Chuck where is the flag?", under the Forensic Challenges) started by only offering a .pcap file. I downloaded Wireshark and had a quick dig. The packet capture consisted of a brief browse of a "Chuck Norris Facts" website.

After quickly flicking through the pcap itself looking for low-hanging fruit, I used File -> Export Objects -> HTTP. This takes all the HTTP traffic, recombines the packets into files, and saves them.

Once I'd done that, I opened up the files and had a quick flick through. I checked the images for metadata etc but didn't find anything. However I did fine a picture of Chuck Norris, appearing to urge the reader to keep searching files -- in French.

When I didn't find anything super-obvious in the image contents, I hopped into Bash and just ran grep -i flag *. It quickly returned the flag, stored in a php file!

Nice and easy hunt, great way to finish the day.