PicoCTF-2021 Writeup

Trivial Flag Transfer Protocol

Last updated 2 years ago

Problem

Figure out how they moved the flag.

Solution

  1. Open the packet capture file in Wireshark. Go to File > Export Objects > TFTP and save the transferred files.

  2. If we preview the instructions document we find: GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE.SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA. Putting this into quipqiup decodes it to tftp doesnt encrypt our traffic so we must disguise our flag transfer figure out a way to hide the flag and i will check back for the plan. The encoding is simply ROT13, so quipqiup is overkill; you can use cryptii instead.

  3. The plan document says VHFRQGURCEBTENZNAQUVQVGJVGU-QHRQVYVTRAPR.PURPXBHGGURCUBGBF, which decodes to i used the program and hid it with due diligence check out the photos.

  4. Save the program.deb file. Let's see if we can use it to decode the images. program.deb is actually steghide (easily seen by extracting the package), so if you don't already have steghide installed, install it with sudo dpkg -i program.deb.

  5. The hint from the plan document suggests that DUEDILIGENCE (uppercase because the encoded text is uppercase) is the password.

  6. We can use steghide on every image included in the packet capture file. The flag is hidden in the last image picture3.bmp. So run steghide extract -sf picture3.bmp -p DUEDILIGENCE and cat flag.txt to get the flag.
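As an added example (not part of the original writeup), this Python rebuilds the files carried in TFTP datagrams, which is what Wireshark's Export Objects does for you, and undoes the ROT13 used in the notes. The client and server addresses, ports and the "plan" file contents are constructed here; only the ROT13 line itself comes from the challenge.

```python
import codecs
import struct

# TFTP opcodes (RFC 1350); a DATA block shorter than 512 bytes ends a transfer.
RRQ, WRQ, DATA, ACK = 1, 2, 3, 4

def parse_tftp(payload):
    """Decode one TFTP datagram into (opcode, fields)."""
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode in (RRQ, WRQ):
        filename, mode = payload[2:].split(b"\x00")[:2]
        return opcode, (filename.decode(), mode.decode())
    if opcode == DATA:
        (block,) = struct.unpack("!H", payload[2:4])
        return opcode, (block, payload[4:])
    return opcode, (payload[2:],)  # ACK / ERROR: keep the raw body

def reassemble(datagrams):
    """Rebuild every file carried by (src, dst, payload) UDP datagrams. Transfers are
    keyed by the client (ip, port): the server answers from a fresh port (its TID)."""
    transfers = {}
    for src, dst, payload in datagrams:
        opcode, fields = parse_tftp(payload)
        if opcode in (RRQ, WRQ):
            transfers[src] = {"name": fields[0], "blocks": {}}
        elif opcode == DATA:
            # RRQ data flows server->client, WRQ data flows client->server.
            client = dst if dst in transfers else src
            if client in transfers:
                block, data = fields
                transfers[client]["blocks"][block] = data  # retransmits overwrite
    # Blocks are numbered from 1; concatenate them in order.
    return {t["name"]: b"".join(t["blocks"][n] for n in sorted(t["blocks"]))
            for t in transfers.values()}

def rot13(text):
    """The only 'encryption' in the captured notes; ROT13 is its own inverse."""
    return codecs.decode(text, "rot_13")

# Constructed capture (not the challenge pcap): 10.0.0.2:50000 writes a file "plan"
# that repeats the challenge's ROT13 line ten times, so it spans two DATA blocks.
CLIENT, SERVER, SERVER_TID = ("10.0.0.2", 50000), ("10.0.0.1", 69), ("10.0.0.1", 40000)
CONTENT = b"VHFRQGURCEBTENZNAQUVQVGJVGU-QHRQVYVTRAPR.PURPXBHGGURCUBGBF\n" * 10
CAPTURE = [
    (CLIENT, SERVER, struct.pack("!H", WRQ) + b"plan\x00octet\x00"),
    (SERVER_TID, CLIENT, struct.pack("!HH", ACK, 0)),
    (CLIENT, SERVER_TID, struct.pack("!HH", DATA, 1) + CONTENT[:512]),
    (CLIENT, SERVER_TID, struct.pack("!HH", DATA, 1) + CONTENT[:512]),  # retransmit
    (SERVER_TID, CLIENT, struct.pack("!HH", ACK, 1)),
    (CLIENT, SERVER_TID, struct.pack("!HH", DATA, 2) + CONTENT[512:]),
]
```

Running reassemble(CAPTURE) yields {"plan": CONTENT}, and rot13 on the first line of that file gives the plan text quoted in step 3.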

Flag

picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}
