CTF's in Wireshark.. I'll give it up.. [closed]

asked 2024-10-30 07:16:18 +0000 by s64470

updated 2024-11-02 05:03:42 +0000

Hi, I am quite new to Wireshark and I do need some help to find some CTF's in Wireshark. I have a link:.pcap file, and I followed the TCP Stream "Follow > TCP Stream", but all I see in this stream are some weird ASCII signs. So, I am asking myself, is there a way to make the CTF visible, or what am I doing wrong?


Closed for the following reason: question is not relevant or outdated, by s64470
close date 2024-11-02 05:00:25.390910


There's 173 TCP streams in your capture file. You'll need to give us more info about your task.

grahamb ( 2024-10-30 09:59:34 +0000 )

Well, the full task is to find the IP address, user and FTP server password, and the port number of the FTP server for some data upload, including the Flag.

What I have found so far is

IP-Address:
User: ghost
Password: pah6Ugh4thaeshi
Server-Portno.: 21110

I only have some trouble finding the Flag. I have no clue where to search for this information. The example should look somewhat like ITF{bE1spIelFlAG}.

s64470 ( 2024-10-30 10:43:09 +0000 )

Ask yourself what the payload data starts with, and then search to see what type of file signature that might indicate the payload to be.

cmaynard ( 2024-10-30 15:59:27 +0000 )

This will help: List of file signatures

Chuckc ( 2024-10-30 21:57:46 +0000 )

So do I need to look for these values D4 C3 B2 A1 in the .pcap file? o_O

s64470 ( 2024-10-31 02:32:28 +0000 )

That's the pcap file signature, not the file signature of the file that was downloaded via FTP. It might help to follow the TCP stream of the ftp-data.

cmaynard ( 2024-10-31 03:54:29 +0000 )
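An added example (not from this thread or from Wireshark) of the approach the comments above describe: read the libpcap records, reassemble the payload sent to the FTP data port in sequence order, and check what bytes the result starts with. The capture is constructed in memory, port 21110 is taken from the thread as the data port, and the small magic-byte table is an assumed subset of the linked file-signature list.

```python
import struct
SIGNATURES = {  # assumed subset of the "list of file signatures" linked above
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP archive (also docx, jar, apk)",
    b"\xd4\xc3\xb2\xa1": "pcap (libpcap) file",
}

def identify(data: bytes) -> str:
    """Name the file type from the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def tcp_payloads(pcap: bytes):
    """Yield (sport, dport, seq, payload) for every IPv4/TCP record in a libpcap file."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic gives byte order
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:  # IPv4 carrying TCP only
            continue
        ip = frame[14:]
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[(ip[0] & 0x0F) * 4:total_len]  # IHL gives the IP header length
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset gives the TCP header length
        if payload:
            yield sport, dport, seq, payload

def reassemble(pcap: bytes, dport: int) -> bytes:
    """Join payloads sent to dport in sequence order (ignores retransmission overlap)."""
    segs = sorted((seq, p) for _, dp, seq, p in tcp_payloads(pcap) if dp == dport)
    return b"".join(p for _, p in segs)
def build_pcap(segments, dport=21110) -> bytes:
    """Constructed sample: wrap (seq, payload) segments for dport in a libpcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for seq, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Two segments captured out of order; the PNG signature only appears after reordering.
SAMPLE = build_pcap([(1009, b"\x00\x00\x00\rIHDR"), (1001, b"\x89PNG\r\n\x1a\n")])
```

Running `identify(reassemble(SAMPLE, 21110))` on the constructed capture reports a PNG image, while `identify(SAMPLE)` on the capture file itself reports the pcap signature the thread mentions.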

Ok, I followed the TCP stream of the ftp-data, but sorry, I still do not really find the Flag signature there. Here's the image of what I really see.


s64470 ( 2024-10-31 09:08:10 +0000 )