Sinn3rman Posted March 7, 2016
Hey guys, I am struggling with this basic Wireshark .cap. I am supposed to find a flag in it somewhere, but I'm really missing something. I have only been able to find an email from / to and subject fields. I can see there was an image uploaded but cannot pull it out, and its significance really is unknown. 2x tuna sandwiches, choc milk and a Google of TLS 1.0 and I am still banging my head on a brick wall. Can anyone help, not necessarily with the answer but perhaps some hint on where I'm going wrong? Very new to Wireshark and all this in general.
https://mega.nz/#!jUNU0LhQ!jRBnuJ97DwLczhJr7wrfZsYNw8Z02NSJBvr1nEJ8SSQ
phpsystems Posted March 7, 2016
Do you have to use Wireshark? Would NetworkMiner not be more beneficial for this?
Sinn3rman (Author) Posted March 7, 2016
Thanks, didn't know of that tool to be honest, now I'm having a read :)
BanjoFox Posted March 8, 2016
Ctrl+F > change the dropdown to "String" (left of the search box) > search for interesting keywords like: username, password, login, etc.
Do you know what kind of info the flag is?
Google > Wireshark display filters
Banjo
Sinn3rman (Author) Posted March 8, 2016 (edited)
So I have found the key: https://mega.nz/#!uRdTiIzS!ellNGiPWMtxLgOGnRMAdJL4U7hwQU8djp4oF63dytm4
It's a JPG file that is corrupt, so for the first time ever I am playing with hex. I have confirmed at least that the file is indeed a JPG, but the header does not seem to be incorrect as I suspected; it's set to FF D8 FF. The end of the file is marked FF D9, which my reading would suggest is all in order. What I did notice is that the header appears again a few lines later, but I know nothing of what I am looking at really. So I cut this garbage out, for lack of a better term, and still no change. :/

Metadata reported for the file:
JFIF Version: 1.01
Resolution: 96 pixels/inch
File (basic information derived from the file):
File Type: JPEG
File Type Extension: jpg
Image Size: 1,172 × 621
MIME Type: image/jpeg
Image Width: 1,920
Image Height: 1,200
Encoding Process: Baseline DCT, Huffman coding
Bits Per Sample: 8
Color Components: 3
File Size: 695 kB
Y Cb Cr Sub Sampling: YCbCr4:2:0 (2 2)
Composite (computed from other items; some of it may be wildly incorrect, especially if the image has been resized):
Megapixels: 0.728

Edited March 8, 2016 by Sinn3rman
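Worked example added here (not code from the thread or its author): a small Python walker over JPEG marker segments that checks, in code, what the post above does by eye. It confirms SOI (FF D8) at the start and EOI (FF D9) at the end, lists the segments in between, and classifies every extra FF D8 FF signature by where it sits: a second SOI inside an APP1 (Exif) segment is a normal embedded thumbnail, one after the first EOI is a second file glued onto the end (carve it and open it on its own), and one inside scan data cannot occur in a valid file and points at corruption. The sample bytes are constructed inline and are not the file from the Mega link; function names are my own.

```python
"""Walk the marker structure of a JPEG and report where every SOI (FF D8 FF)
sits: primary image, inside a declared segment (e.g. an Exif thumbnail in
APP1), or a second file appended after the EOI."""
import struct

SOI_SIG = b"\xff\xd8\xff"
# Markers with no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def walk_segments(data: bytes, start: int = 0):
    """Return [(offset, marker, length)] from `start` up to and including EOI.
    After SOS the entropy-coded scan is skipped: a 0xFF inside it is either
    stuffed (FF 00) or a restart marker (FF D0-D7)."""
    segs, pos, n = [], start, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"no marker at offset {pos:#x}: {data[pos]:#04x}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            segs.append((pos, marker, 0))
            pos += 2
            if marker == 0xD9:
                break
            continue
        if pos + 4 > n:
            raise ValueError(f"truncated segment header at {pos:#x}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segs.append((pos, marker, length))
        pos += 2 + length
        if marker == 0xDA:            # SOS: advance to the next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return segs


def find_all(data: bytes, sig: bytes):
    off = data.find(sig)
    while off != -1:
        yield off
        off = data.find(sig, off + 1)


def locate_images(data: bytes):
    """Classify every SOI signature in the file."""
    segs = walk_segments(data)
    eoi = next((off for off, m, _ in segs if m == 0xD9), None)
    found = []
    for off in find_all(data, SOI_SIG):
        if off == 0:
            where = "primary"
        elif eoi is not None and off > eoi:
            where = "after EOI"
        else:
            where = "in scan data"    # impossible in a valid scan: corruption
            for soff, m, length in segs:
                if length and soff + 4 <= off < soff + 2 + length:
                    where = f"inside segment FF{m:02X} at {soff:#x}"
                    break
        found.append((off, where))
    return found


def carve(data: bytes, offset: int):
    """Cut out the complete JPEG starting at `offset`, or None if it has no EOI."""
    segs = walk_segments(data, offset)
    if not segs or segs[-1][1] != 0xD9:
        return None
    return data[offset:segs[-1][0] + 2]


def bytes_after_eoi(data: bytes) -> int:
    segs = walk_segments(data)
    return len(data) - (segs[-1][0] + 2) if segs and segs[-1][1] == 0xD9 else 0


# --- constructed sample (not the file from the thread) ---
def _minimal_jpeg(scan: bytes) -> bytes:
    app0 = b"JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"   # JFIF 1.01, 96 dpi
    sos = b"\x01\x01\x00\x00\x3f\x00"                        # one component, baseline
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
            + scan + b"\xff\xd9")

INNER_JPEG = _minimal_jpeg(b"\x11\x22")                  # "thumbnail" inside APP1
_exif = b"Exif\x00\x00" + INNER_JPEG
OUTER_JPEG = (b"\xff\xd8"
              + b"\xff\xe1" + struct.pack(">H", len(_exif) + 2) + _exif
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")     # scan with a stuffed FF 00
APPENDED_JPEG = _minimal_jpeg(b"\x99\xaa")               # second file glued on the end
SAMPLE = OUTER_JPEG + APPENDED_JPEG

if __name__ == "__main__":
    for off, where in locate_images(SAMPLE):
        print(f"SOI at {off:#06x}: {where}")
    print("bytes after first EOI:", bytes_after_eoi(SAMPLE))
```

On a real file, replace SAMPLE with `open(path, "rb").read()`; if `locate_images` reports an SOI "after EOI", `carve(data, offset)` returns the trailing image so it can be written out and viewed separately. If the walker raises on a bad marker partway through, the offset in the error is where the structure first breaks, which is a better place to start cutting than the second header itself.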
BanjoFox Posted March 9, 2016 (edited)
Maybe steganography? http://security.stackexchange.com/questions/2144/detecting-steganography-in-images
Addendum: Depending on what kind of CTF, steganography MIGHT be out of scope ;D
Edited March 9, 2016 by BanjoFox