CSAW CTF 2014 – Forensics 200 – why not sftp?

This year I had a little bit of time to participate in NYU Poly’s Cyber Security Annual Capture the Flag event. I didn’t have much time to solve a ton of the challenges, but I did take a good look at 3 of them, two of which I was able to solve. On the third, I got everything but the very last step.

Here’s a writeup of those challenges.

Forensics 200 – why not sftp?

why not sftp?

This challenge gives you a dump of some traffic in .pcap format. I opened it up in Wireshark and began to look. The challenge title hints that this is going to be about FTP traffic, but whether it’s SFTP or plain FTP we don’t know yet. Before digging into the traffic, I decided to just search all the packets for the string flag. You do that by going to Edit -> Find Packet, then Find by: String, Filter: flag, Search in: Packet bytes, and hitting FIND.

Search for Flag String

Believe it or not, that came up with a hit inside the FTP traffic. Looking at the packets, you can see that a file named zip.zip is being uploaded to the server, and the raw data of that file contains the string flag.png (plain FTP carries file contents in the clear, which is exactly what the challenge title is getting at). That tells us the flag is inside this captured zip file.

Flag PNG file found in FTP transfer

All we need to do is pull that zip file out and we’ve got the flag! A quick Google search for “extract ftp files from wireshark” turns up an article on how to pull FTP data out of Wireshark. Basically, we right-click on the packet containing the string flag.png, select Raw, click Save As, and save the file with the name zip.zip.

Follow the TCP stream and save it as zip.zip
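The same extraction done programmatically, as an added example (not the author’s steps or Wireshark’s own code): reassemble the FTP-DATA TCP segments into the uploaded zip.zip, walk the zip’s local file headers to confirm flag.png is what the string search hit, and read the file out. The segments here are a constructed sample built inline; in practice they would come from the pcap’s FTP-DATA stream.

```python
import io
import struct
import zipfile

def reassemble_tcp(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs. Segments
    may be out of order or retransmitted; a gap raises since the file would be corrupt."""
    segments = sorted(segments, key=lambda s: s[0])
    base, stream = segments[0][0], bytearray()
    for seq, data in segments:
        offset = seq - base
        if offset > len(stream):
            raise ValueError(f"missing {offset - len(stream)} bytes at {len(stream)}")
        stream.extend(data[len(stream) - offset:])  # skip overlap / retransmit
    return bytes(stream)

def zip_member_names(data):
    """Walk the ZIP local file headers (signature PK\\x03\\x04) and return the
    member names; this is why 'flag.png' was visible in the raw packet bytes."""
    names, pos = [], 0
    while (pos := data.find(b"PK\x03\x04", pos)) >= 0:
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos += 30 + name_len + extra_len
    return names

def build_sample_capture():
    """Constructed sample (not the challenge pcap): a zip holding flag.png, cut into
    64-byte TCP segments delivered out of order with one retransmission."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("flag.png", b"\x89PNG\r\n\x1a\n" + b"constructed png body " * 8)
    blob = buf.getvalue()
    isn = 1_000_000  # arbitrary initial sequence number
    segs = [(isn + i, blob[i:i + 64]) for i in range(0, len(blob), 64)]
    segs = [segs[1], segs[0]] + segs[2:] + [segs[1]]  # reorder + retransmit
    return blob, segs

def recover_upload(segments):
    """Reassemble the FTP-DATA stream and pull the files out of the upload."""
    data = reassemble_tcp(segments)
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        members = {n: z.read(n) for n in z.namelist()}
    return data, zip_member_names(data), members

if __name__ == "__main__":
    blob, segs = build_sample_capture()
    data, names, members = recover_upload(segs)
    print(names, members["flag.png"][:8])
```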

That’s it! Just extract the zip file and open up flag.png:

flag{91e02cd2b8621d0c05197f645668c5c4}

Game Over.

CSAW 2014 - Forensics 200 - FLAG