Count Zero | Round 1 { Network }
Task write-up !
> Challenges list
- Packets Primer
- shark on wire 1
- Wireshark doo dooo do doo
- Easy101
- Filteration-01
- Wireshark twoo twooo two twoo
- ARP Storm
Note: These challenges are from PicoCTF, JISCTF and CyberTalents.
Challenge [1] | Packets Primer
Hint | Follow the stream
Flag format | picoCTF{some words here}
According to the hint, just follow the TCP stream and you will see the flag:
To remove the spaces between the characters and get the right flag, we can use CyberChef like this:
Flag: picoCTF{p4ck37_5h4rk_b9d53765}
Challenge [2] | Shark on wire 1
Hint | Follow follow follow follow
Flag format | picoCTF{some words here}
Again, the hint says follow!! We have a UDP stream here, so let's follow it:
Nothing useful in the first stream, so let's check the next streams:
I found the right flag after 5 streams (in stream no. 6).
Flag: picoCTF{StaT31355_636f6e6e}
Challenge [3] | Wireshark doo dooo do doo
Hint | They said that the ROT13 cipher is simple & the Chef knows it
Flag format | picoCTF{some words here}
First thing, we don't have a clear point to start... so I decided to check the existing protocols first:
Statistics > Protocol Hierarchy:
I noticed that TCP has 99.8% of the packets:
So let's analyze the TCP packets.
Just add the "tcp" filter to show only TCP packets, go to packet number 1 and follow the TCP streams like this:
The first stream has no interesting data... it is just an HTTP POST request with some encrypted data about Kerberos (network protocol):
After decrypting it using CyberChef you will get the flag:
Flag: picoCTF{p33kab00_1_s33_u_deadbeef}
Challenge [4] | Easy 101
Hint | It is the same challenge that we solved in the first task in session 3, but the flag needs a Chef
Our Chef rotated the flag by 13 & then encoded it in Base64
Flag format | JISCTF{some words here}
From the hint, I remember that we could solve this challenge in many ways, such as (follow stream) or (export objects), etc.
So, when exporting the HTTP objects, I noticed that there is a file name encoded in Base64!!
One click on this data brings us to the packet that contains the Base64 values:
You can get the value by (show packet bytes) like this:
After running it through CyberChef I got ROT13 text, so by decoding that from ROT13 I got the flag:
Flag: JISCTF{JUST_S1MPL3_PC4P_F1L3_4N4LYS1S}
Challenge [5] | Filteration-01
Hint | ICMP packets may be useful, use a filter to display them
Flag format | JISCTF{some words here}
Following the hint, add the "icmp" filter to show ICMP traffic only:
As we know the flag format starts with JISCTF. If we click on the first packet (ping request), we can notice that there is a "J" character in the packet bytes area.
The second one, which is a ping reply, has different contents which contain "@" instead:
The 3rd one has the same layout as the first packet but with an "I" character.
So there is one character of the flag in every ping request packet!
You can filter out the ping replies to decrease the number of displayed packets and then follow the packets one by one to get every character of the flag (OR) you can get it without filtering as well!
- You can use the "icmp.type eq 8" or "icmp.type == 8" filter to show only ping request packets.
The final flag with all the characters will be:
Flag: JISCTF{M4LW4R3_3XF1LT3R4T10N_US1NG_1CMP_TTL}
Challenge [6] | Wireshark twoo twooo two twoo
Hint | Attackers can use Amazon servers maliciously, don't waste your time on Google DNS, it is official
Flag format | picoCTF{some words here}
From the hint, we will deal with DNS packets, so first I added the "dns" filter, then I filtered out Google DNS because it is official (as the hint said!!) using the "!(ip.addr == 8.8.8.8)" filter.
The full filter will be like this: dns && !(ip.addr == 8.8.8.8)
After adding the 2 filters we get only 42 displayed packets out of 4831. Amazing!!
As we see there are a lot of domains, but if you go back to the hint you will see "Attackers can use Amazon servers"!! So add one more filter to show only packets that contain "amazon", with this syntax: && frame contains "amazon"
Note: The full filter will be dns && !(ip.addr == 8.8.8.8) && frame contains "amazon" and will display only 14 packets:
As we can see in the last image, there is Base64 data placed as subdomains. Ignore the other packets, which are query responses, and extract these values:
cGljb0NURntkbnNfM3hmMWxfZnR3X2RlYWRiZWVmfQ==
Just decode it from base64 and you will get the flag !
Flag: picoCTF{dns_3xf1l_ftw_deadbeef}
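An added detection-style example (not from the original write-up) that does in Python what the filter chain above does in Wireshark: given (resolver IP, query name) records like tshark can export, it drops queries to the trusted resolver 8.8.8.8 and reports any DNS label that decodes from Base64 to clean printable text. The records and hostnames are constructed placeholders; only the Base64 value comes from the challenge.

```python
import base64
import re
import string

TRUSTED_RESOLVERS = {"8.8.8.8"}                         # the write-up's "official" Google DNS
B64_LABEL = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # long Base64-looking label
PRINTABLE = set(string.printable)

def decode_label(label):
    """Return the Base64-decoded text of a DNS label, or None if the label is
    not Base64 or does not decode to clean printable text (ordinary hostnames
    that merely look like Base64 are rejected here)."""
    if not B64_LABEL.match(label):
        return None
    try:
        text = base64.b64decode(label, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # bad padding / alphabet / not text
        return None
    return text if set(text) <= PRINTABLE else None

def suspicious_queries(records):
    """records: (resolver_ip, qname) pairs, e.g. the output of
    tshark -Y "dns.flags.response == 0" -T fields -e ip.dst -e dns.qry.name
    Returns (qname, decoded_text) for every label that decodes cleanly."""
    hits = []
    for resolver, qname in records:
        if resolver in TRUSTED_RESOLVERS:               # same as !(ip.addr == 8.8.8.8)
            continue
        for label in qname.rstrip(".").split("."):
            decoded = decode_label(label)
            if decoded is not None:
                hits.append((qname, decoded))
    return hits

# Constructed records, not taken from the challenge capture.
SAMPLE = [
    ("8.8.8.8", "www.example.com"),
    ("8.8.8.8", "cGljb0NURntkbnNfM3hmMWxfZnR3X2RlYWRiZWVmfQ==.example.net"),
    ("203.0.113.5", "cGljb0NURntkbnNfM3hmMWxfZnR3X2RlYWRiZWVmfQ==.ns.exfil.example"),
    ("203.0.113.5", "cdn.exfil.example"),
]
```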
Challenge [7] | ARP Storm
Hint | An attacker in the network is trying to poison the arp table
Flag format | flag{some words here}
The given pcap file only contains ARP traffic, so there is no (follow stream) or (export objects); there is just some information in the Info column that says "Unknown ARP opcode 0xvalue..."
If you look at the packet bytes you will see this opcode in ASCII, which is "Z" for the first packet and "=" for the last packet!! So it seems to be Base64!!
You can extract these values from each packet and then decode them with CyberChef to get the flag.
Flag: flag{gr@tuit0us_0pcOde_1s_Alw@ys_A6uSed_t0_p01s0n}
Note: You can extract data from ARP Storm & Filteration-01 easily by using the Tshark tool.
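As an added example (not part of the original write-up), this Python script does what the note describes without Tshark, for both Filteration-01 and ARP Storm: it parses raw Ethernet frames, keeps only ICMP echo requests (the `icmp.type == 8` filter) and takes one flag character from each, and collects the low byte of every ARP opcode outside the standard 1-4 range before Base64-decoding the result. Assumptions: the ICMP character is the first payload byte, one Base64 character sits in each unknown opcode, and the frames are constructed inline rather than taken from the challenge captures.

```python
import base64
import struct

ETH_LEN = 14  # dst MAC + src MAC + ethertype

def ethertype(frame):
    return struct.unpack("!H", frame[12:14])[0]

def icmp_exfil_chars(frames):
    """One flag character per ICMP echo request (type 8), i.e. 'icmp.type == 8';
    echo replies (type 0) are skipped. Assumption: the character is the first
    payload byte after the 8-byte ICMP header."""
    chars = []
    for f in frames:
        if ethertype(f) != 0x0800:          # not IPv4
            continue
        ihl = (f[ETH_LEN] & 0x0F) * 4       # IPv4 header length in bytes
        if f[ETH_LEN + 9] != 1:             # IP protocol 1 = ICMP
            continue
        icmp = f[ETH_LEN + ihl:]
        if icmp[0] == 8:
            chars.append(chr(icmp[8]))
    return "".join(chars)

def arp_unknown_opcode_bytes(frames):
    """Low byte of every ARP opcode outside request/reply/RARP (1-4), the frames
    Wireshark labels 'Unknown ARP opcode'. Assumption: one Base64 char per frame."""
    data = bytearray()
    for f in frames:
        if ethertype(f) != 0x0806:          # not ARP
            continue
        opcode = struct.unpack("!H", f[ETH_LEN + 6:ETH_LEN + 8])[0]
        if opcode not in (1, 2, 3, 4):
            data.append(opcode & 0xFF)
    return bytes(data)

def decode_arp_storm(frames):
    return base64.b64decode(arp_unknown_opcode_bytes(frames)).decode()

# Constructed sample frames (not from the challenge pcaps).
def icmp_frame(icmp_type, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp

def arp_frame(opcode):
    return b"\x00" * 12 + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + b"\x00" * 20

PING_SAMPLE = [icmp_frame(8, b"J"), icmp_frame(0, b"@"), icmp_frame(8, b"I"), icmp_frame(0, b"@"), icmp_frame(8, b"S")]
ARP_SAMPLE = [arp_frame(c) for c in base64.b64encode(b"flag{demo}")]  # 'Z' first, '=' last
```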