CTFs in Wireshark.. I'll give it up.. [closed]
Hi, I am quite new to Wireshark and I need some help finding some CTFs in Wireshark. I have a .pcap file (link), and I followed the TCP stream (Follow > TCP Stream), but all I see in this stream are some weird ASCII signs. So I am asking myself: is there a way to make the CTF visible, or what am I doing wrong?
There are 173 TCP streams in your capture file. You'll need to give us more info about your task.
Well, the full task is to find the IP address, the user and FTP server password, and the port number of the FTP server for some data upload, including the flag.
What I have found so far is:
IP address: 192.168.122.207
User: ghost
Password: pah6Ugh4thaeshi
Server port no.: 21110
I only have some trouble finding the flag. I have no clue where to search for this information. The example should look somewhat like ITF{bE1spIelFlAG}.
Ask yourself what the payload data starts with, and then search to see what type of file that signature might indicate the payload to be.
This will help: List of file signatures
So do I need to look for these values D4 C3 B2 A1 in the .pcap file? o_O
That's the pcap file signature, not the file signature of the file that was downloaded via FTP. It might help to follow the TCP stream of the ftp-data.
OK, I followed the TCP stream of the ftp-data, but sorry, I still do not really find the flag signature there. Here's an image of what I really see.
https://ibb.co/fHVYqQG
The screenshot looks to be the ftp control channel.
This line:
227 Entering Passive Mode (192,168,122,207,82,118).
Has the port for the data transfer (ftp-data): 82=0x52, 118=0x76. 0x5276 = 21110.
Try following the ftp-data stream and looking at the results in hex.
@s64470, were you able to make any progress with the hints provided so far?
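The hints above (decode the 227 reply to get the data-channel port, then check the first bytes of the ftp-data payload against the file-signature list, and only then look for the flag) as an added Python example; this is not code from the thread or from Wireshark. The 227 line is the one quoted from the screenshot; the ftp-data payload, the flag inside it, and the signature table (a small subset of the linked list) are constructed for the example.

```python
import re

# Small subset of the "List of file signatures" table. Constructed for this
# example; extend it with whatever types your capture might contain.
FILE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive (also docx/xlsx/jar/apk)",
    b"\x1f\x8b": "gzip data",
    b"\x7fELF": "ELF executable",
}

# Magic numbers of capture files themselves. Seeing one of these means you are
# looking at the .pcap on disk, not at a file that was transferred inside it.
CAPTURE_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap capture file header (little-endian)",
    b"\xa1\xb2\xc3\xd4": "pcap capture file header (big-endian)",
    b"\x0a\x0d\x0d\x0a": "pcapng capture file header",
}

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Flag format given in the question (assumed prefix "ITF{").
FLAG_RE = re.compile(rb"ITF\{[^}]{1,64}\}")


def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one.

    The data port is p1*256 + p2: p1 is the high byte, p2 the low byte.
    """
    m = PASV_RE.search(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        # Each field is one byte; anything larger is a malformed reply.
        raise ValueError("PASV fields must fit in one byte each: %r" % line)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2


def data_channel_filter(ip, port):
    """Wireshark display filter that isolates the ftp-data connection."""
    return "ip.addr == %s && tcp.port == %d" % (ip, port)


def identify_payload(data):
    """Name the content type from its leading bytes (its 'magic number')."""
    for magic, name in CAPTURE_MAGICS.items():
        if data.startswith(magic):
            return name
    for magic, name in FILE_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown (first bytes: %s)" % data[:8].hex()


def find_flags(data):
    """Grep the raw bytes of a stream for flags in the ITF{...} format."""
    return [m.decode("ascii", "replace") for m in FLAG_RE.findall(data)]


# --- constructed sample data, mirroring the thread --------------------------
CONTROL_LINE = "227 Entering Passive Mode (192,168,122,207,82,118)."
# A fake ftp-data payload: PNG header, then a flag stored in a text chunk.
# A real capture is rarely this convenient: a flag inside a compressed image
# or archive has to be extracted and opened with the proper tool first.
SAMPLE_PAYLOAD = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
                  + b"tEXtflag\x00ITF{bE1spIelFlAG}" + b"\x00" * 8)

if __name__ == "__main__":
    ip, port = parse_pasv(CONTROL_LINE)
    print("data channel:", ip, port)               # 192.168.122.207 21110
    print("display filter:", data_channel_filter(ip, port))
    print("payload looks like:", identify_payload(SAMPLE_PAYLOAD))
    print("flags:", find_flags(SAMPLE_PAYLOAD))
```

Apply the filter string in Wireshark, right-click a packet and use Follow > TCP Stream, then switch "Show data as" to Raw or Hex Dump so the leading bytes are readable. If the transferred file is an image or archive, save the stream (or use File > Export Objects > FTP-DATA) and open it with the matching tool rather than grepping the bytes; the flag may be inside the decoded content.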
I give it up..
It's unfortunate that you decided to give up. My (our) hope was to help guide you along so you could ultimately solve the CTF yourself without giving away the answer. I (we) feel that it's better for you to "learn by doing" rather than be given the solution. Perhaps the solution was provided to you by now, but in case it wasn't and you still have some interest in solving this CTF, let us know how far you got and perhaps we can still guide you along. While you may not have solved this CTF in time, it doesn't mean you still can't learn something from it.
All the best. - Chris