CSAW CTF 2014 – Forensics 200 – why not sftp?
This year I had a little bit of time to participate in NYU Poly's CSAW (Cyber Security Awareness Week) Capture the Flag event. I didn't have enough time to solve a ton of the challenges, but I did take a good look at three of them, two of which I was able to solve. On the third I got everything but the very last step.
Here’s a writeup of those challenges.
Forensics 200 – why not sftp?
This challenge gives you a dump of some traffic in .pcap format. I opened it up in Wireshark and began to look. The challenge name hints that this is going to be about FTP traffic, but whether it is SFTP (file transfer over SSH, encrypted) or plain FTP (everything in cleartext), we don't know yet. Before digging into the traffic packet by packet, I decided to just search every packet for the string flag. You do that by going to Edit -> Find Packet, then Find by: String, Filter: flag, Search In: Packet bytes, and hitting Find.
Believe it or not, that came up with a result from within the FTP traffic, which already answers the question in the title: this is plain FTP, so the file contents went over the wire in cleartext and are sitting right there in the capture. Looking at the packets, you can see that a file named zip.zip is being uploaded (STOR) to the server, and the raw data for that file contains the string flag.png. Since FTP sends files over a separate data connection rather than the control connection on port 21, the hit is in the data stream. That lets us know that the flag is inside this captured zip file.
All we need to do is pull that zip file out of the capture, and we've got the flag! A quick Google search for "extract ftp files from wireshark" gives us an article teaching how to pull FTP data out of Wireshark. Basically we're going to right-click the packet containing the string flag.png, choose Follow -> TCP Stream, select only the client-to-server direction in the conversation drop-down (saving both directions would corrupt the archive, though in an upload the server sends nothing on the data channel), set "Show data as" to Raw, click Save As, and write the bytes out as the zip file.
That's it! Just extract the zip file and open up the flag.png file:
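The same extraction, done without clicking through Wireshark, as an added example that is not part of the original writeup: parse the pcap, reassemble the TCP streams by sequence number, pair each passive-mode STOR on the control channel with the data connection that carried it, and unzip whatever came out. The capture it runs on is constructed inline (a client on 10.0.0.2 uploading a small zip.zip containing a stand-in flag.png to 10.0.0.1 over FTP), so it runs offline; the parser only handles libpcap files with an Ethernet link layer and IPv4, not pcapng.

```python
import io
import re
import struct
import zipfile
from collections import defaultdict

# FTP passive-mode reply and the upload command, as seen on the control channel.
PASV_RE = re.compile(rb"227 [^\r\n]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
STOR_RE = re.compile(rb"STOR ([^\r\n]+)\r\n")


def tcp_segments(pcap_bytes):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment carrying
    data. Minimal libpcap parser: link type 1 (Ethernet), IPv4, no VLAN tags,
    no IP fragments, checksums not verified."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled)")
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack(">H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + ip_len]
        sport, dport, seq = struct.unpack(">HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield frame[26:30], sport, frame[30:34], dport, seq, payload


def reassemble(segments):
    """One byte string per direction of each connection, ordered by sequence
    number. Good enough for a clean capture; overlapping retransmissions
    with different seq numbers would duplicate bytes."""
    streams = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in segments:
        streams[(src, sport, dst, dport)][seq] = payload
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in streams.items()}


def ftp_uploads(streams):
    """{filename: bytes} for each passive-mode STOR. PASV replies and STOR
    commands are paired in order, which assumes one PASV per upload
    (a LIST in between would shift the pairing)."""
    uploads = {}
    for (client, cport, server, dport), commands in streams.items():
        if dport != 21:
            continue
        replies = streams.get((server, 21, client, cport), b"")
        ports = [int(m.group(5)) * 256 + int(m.group(6)) for m in PASV_RE.finditer(replies)]
        names = [m.group(1).decode() for m in STOR_RE.finditer(commands)]
        for port, name in zip(ports, names):
            for (s, _, d, dp), data in streams.items():
                if s == client and d == server and dp == port:
                    uploads[name] = data
    return uploads


def extract_upload_archives(pcap_bytes):
    """{upload name: {member name: member bytes}} for every uploaded zip."""
    found = {}
    for name, blob in ftp_uploads(reassemble(tcp_segments(pcap_bytes))).items():
        if zipfile.is_zipfile(io.BytesIO(blob)):
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                found[name] = {m: z.read(m) for m in z.namelist()}
    return found


def _frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (constructed test data)."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_sample_pcap():
    """Constructed capture: anonymous login, PASV, STOR zip.zip, data sent as
    two out-of-order segments so the reassembly actually gets exercised."""
    client, server = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("flag.png", b"constructed stand-in for the flag image")
    blob, half = buf.getvalue(), len(buf.getvalue()) // 2
    data_port = 195 * 256 + 89
    frames = [
        (server, 21, client, 40000, 1, b"220 ftpd ready\r\n"),
        (client, 40000, server, 21, 1, b"USER anonymous\r\n"),
        (server, 21, client, 40000, 17, b"230 Login ok\r\n"),
        (client, 40000, server, 21, 17, b"PASV\r\n"),
        (server, 21, client, 40000, 31, b"227 Entering Passive Mode (10,0,0,1,195,89)\r\n"),
        (client, 40000, server, 21, 23, b"STOR zip.zip\r\n"),
        (client, 40001, server, data_port, 1 + half, blob[half:]),
        (client, 40001, server, data_port, 1, blob[:half]),
        (server, 21, client, 40000, 76, b"226 Transfer complete\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        raw = _frame(*f)
        out += struct.pack("<IIII", i, 0, len(raw), len(raw)) + raw
    return out


if __name__ == "__main__":
    for upload, members in extract_upload_archives(build_sample_pcap()).items():
        print(upload, "->", list(members))
```

To run it on the real challenge file, replace build_sample_pcap() with the bytes of the .pcap; if Wireshark saved it as pcapng, export it as plain pcap first. The FTP pairing is deliberately simple: if the capture has a LIST or RETR between the PASV and the STOR, match the port from the 227 reply that immediately precedes the STOR instead of pairing by position.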