CTF's in Wireshark.. I'll give it up.. [closed]
Hi, I am quite new to Wireshark and I need some help finding some CTF flags in Wireshark. I have a .pcap file, and I followed the TCP stream ("Follow > TCP Stream"), but all I see in this stream are some weird ASCII characters. So I am asking myself: is there a way to make the flag visible, or what am I doing wrong?
There are 173 TCP streams in your capture file. You'll need to give us more info about your task.
Well, the full task is to find the IP address, the user and FTP server password, and the port number of the FTP server used for some data upload, including the flag.
What I have found so far is
IP address: 192.168.122.207
User: ghost
Password: pah6Ugh4thaeshi
Server port no.: 21110
I only have some trouble finding the flag. I have no clue where to search for this information. The example looks something like ITF{bE1spIelFlAG}.
Ask yourself what the payload data starts with, and then search to see what type of file signature that might indicate the payload to be.
This will help: List of file signatures
So do I need to look for these values D4 C3 B2 A1 in the .pcap file? o_O?
That's the pcap file signature, not the file signature of the file that was downloaded via FTP. It might help to follow the TCP stream of the ftp-data.
OK, I followed the TCP stream of the ftp-data, but sorry, I still do not really find the flag signature there. Here's an image of what I actually see.
https://ibb.co/fHVYqQG
The screenshot looks to be the ftp control channel.
This line:
227 Entering Passive Mode (192,168,122,207,82,118).
has the port for the data transfer (ftp-data): 82 = 0x52, 118 = 0x76. 0x5276 = 21110.
Try following the ftp-data stream and looking at the results in hex.

@s64470, were you able to make any progress with the hints provided so far?
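The two hints in this thread (decode the PASV reply to find the ftp-data port, then look at the first bytes of the reassembled ftp-data payload to identify the file type) can be scripted so they don't have to be done by hand in the Follow TCP Stream window. The following is an added example and not code from anyone in the thread. It parses the six-number host/port encoding that FTP uses both in the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and in the client's "PORT h1,h2,h3,h4,p1,p2" command (port = p1 * 256 + p2), pulls USER/PASS out of a control-channel transcript, and checks a reassembled payload against a small, constructed subset of the "List of file signatures" (the pcap magic D4 C3 B2 A1 that came up above is included so you can see why it does not match an FTP-transferred file) before grepping it for a flag in the ITF{...} format the task describes. The control-channel transcript and the payload bytes in the block are constructed sample data; in practice you would paste in the "Show data as: Raw" output of the control and ftp-data streams from Wireshark.

```python
import re

# FTP encodes an address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
# The same encoding appears in the server's 227 (PASV) reply and the
# client's PORT command, so one parser serves both.
_HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_host_port(line):
    """Return (ip, port) from a '227 ...' reply or 'PORT ...' command line."""
    m = _HOST_PORT_RE.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):            # each field is one byte
        raise ValueError("field out of range in: %r" % line)
    h1, h2, h3, h4, p1, p2 = nums
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_ftp_control(transcript):
    """Extract user, password and the ftp-data endpoint from a control-channel dump."""
    info = {"user": None, "password": None, "data_ip": None, "data_port": None}
    for line in transcript.splitlines():
        line = line.strip()
        if line.upper().startswith("USER "):
            info["user"] = line[5:].strip()
        elif line.upper().startswith("PASS "):
            info["password"] = line[5:].strip()
        elif line.startswith("227 ") or line.upper().startswith("PORT "):
            info["data_ip"], info["data_port"] = parse_ftp_host_port(line)
    return info


# Constructed subset of common magic numbers (see "List of file signatures").
# Order matters only where one magic is a prefix of another.
SIGNATURES = [
    (b"\xd4\xc3\xb2\xa1", "pcap (little-endian)"),
    (b"\xa1\xb2\xc3\xd4", "pcap (big-endian)"),
    (b"\x0a\x0d\x0d\x0a", "pcapng"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also docx/xlsx/jar/apk)"),
    (b"\x1f\x8b", "gzip"),
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "DOS/PE executable"),
]


def identify_payload(data):
    """Name the file type of a reassembled ftp-data payload by its leading bytes."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def find_flags(data, prefix=b"ITF"):
    """Return every PREFIX{...} token found in the raw bytes, as text."""
    pattern = re.escape(prefix) + rb"\{[^{}\r\n]{1,128}\}"
    return [m.decode("ascii", "replace") for m in re.findall(pattern, data)]


# Constructed sample control channel, modelled on the line quoted in the thread.
SAMPLE_CONTROL = """220 (vsFTPd 3.0.3)
USER ghost
331 Please specify the password.
PASS pah6Ugh4thaeshi
230 Login successful.
227 Entering Passive Mode (192,168,122,207,82,118).
STOR upload.bin
150 Ok to send data.
226 Transfer complete.
"""

# Constructed sample ftp-data payload: a PNG header with a flag embedded in it.
SAMPLE_DATA = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 16 + b"tEXtITF{bE1spIelFlAG}\x00"

if __name__ == "__main__":
    info = parse_ftp_control(SAMPLE_CONTROL)
    print("login:", info["user"], info["password"])
    print("ftp-data endpoint:", info["data_ip"], info["data_port"])
    print("payload type:", identify_payload(SAMPLE_DATA))
    print("flags:", find_flags(SAMPLE_DATA))
```

Running it on the constructed sample recovers 192.168.122.207:21110 from the 227 line (82 * 256 + 118, the same arithmetic as 0x5276 above), identifies the payload as a PNG from its first eight bytes, and prints the embedded ITF{...} token. If identify_payload reports "unknown" for a real ftp-data stream, dump the first 16 bytes in hex and look them up in the signature list by hand, since the table here is deliberately short.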