ASIS-CTF Finals 2014 - TicTac (200pts) writeup
The challenge description was: Find flag in [this] file:
Let's see what we have here:
mrt:~/asis/tictac$ file tictac_4c56077190984fde63900b3ba14d11dd
tictac_4c56077190984fde63900b3ba14d11dd: XZ compressed data
mrt:~/asis/tictac$ cp tictac_4c56077190984fde63900b3ba14d11dd tictac.xz
mrt:~/asis/tictac$ unxz tictac.xz
mrt:~/asis/tictac$ file tictac
tictac: pcap-ng capture file - version 1.0
The pcap-ng file format is a new pcap format, we can open it with Wireshark 1.99 (dev release) and this time no patching like in the capsule challenge:
We have this huge list of PING request in the traffic, looking further down we see something more interesting:
IPv6 hop-by-hop option (0) and in the data something looking like hexadecimal values:
mrt:~/asis/tictac$ echo -e "\x70\x69\x63\x6b\x20\x6d\x65\x3a\x20\x49\x53"
pick me: IS
Could be a part of the flag (ASIS_), let's search for 7069636b206d653a20 (pick me: ) in the taffic:
0000 78 54 2e 73 d3 0e 60 33 4b 08 0a b0 08 00 45 00 xT.s..`3 K.....E.
0010 00 32 00 01 00 00 c8 01 95 04 c0 a8 6e 02 c0 a8 .2...... ....n...
0020 6e 72 08 00 b0 41 00 00 00 00 37 30 36 39 36 33 nr...A.. ..706963
0030 36 62 32 30 36 64 36 35 33 61 32 30 34 31 35 33 6b206d65 3a204153
0000 60 33 4b 08 0a b0 78 54 2e 73 d3 0e 08 00 45 00 `3K...xT .s....E.
0010 00 32 61 39 00 00 40 01 bb cc c0 a8 6e 72 c0 a8 .2a9..@. ....nr..
0020 6e 02 00 00 b8 41 00 00 00 00 37 30 36 39 36 33 n....A.. ..706963
0030 36 62 32 30 36 64 36 35 33 61 32 30 34 31 35 33 6b206d65 3a204153
0000 78 54 2e 73 d3 0e 60 33 4b 08 0a b0 08 00 45 00 xT.s..`3 K.....E.
0010 00 36 00 01 00 00 c8 00 95 01 c0 a8 6e 02 c0 a8 .6...... ....n...
0020 6e 72 00 00 00 00 00 00 00 00 00 00 00 00 37 30 nr...... ......70
0030 36 39 36 33 36 62 32 30 36 64 36 35 33 61 32 30 69636b20 6d653a20
0040 34 39 35 33 4953
...
After gathering all the chunks of the flag we end with the following list:
pick me: AS
pick me: IS
pick me: _6
pick me: d5
pick me: 4a
pick me: 67
pick me: 65
pick me: 9e
pick me: 45
pick me: ed
pick me: be
pick me: 63
pick me: bb
pick me: f9
pick me: 09
pick me: e6
pick me: b1
pick me: 83
pick me: a
We got our flag:
ASIS_6d54a67659e45edbe63bbf909e6b183a