Trivial Flag Transfer Protocol
Figure out how they moved the flag.
Open the packet capture file in Wireshark. Go to File > Export Objects > TFTP.
If we preview the instructions document we find: GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE.SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA. Putting this into decodes it to "tftp doesnt encrypt our traffic so we must disguise our flag transfer. figure out a way to hide the flag and i will check back for the plan". The encoding is simply ROT13, so is overkill. You can use instead.
The plan document says VHFRQGURCEBTENZNAQUVQVGJVGU-QHRQVYVTRAPR.PURPXBHGGURCUBGBF, which decodes to "i used the program and hid it with due diligence. check out the photos".
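Added here as a worked example, not part of the original writeup: a small TFTP (RFC 1350) reassembler run over a constructed WRQ exchange, which is exactly why the hint says TFTP doesn't encrypt anything. Anyone holding the capture can rebuild the transferred file the same way Wireshark's Export Objects does; the file name, packets and duplicated block are all constructed for the demo, and ROT13 is applied afterwards to recover the hint text.

```python
import codecs
import struct

# TFTP (RFC 1350) opcodes; every packet starts with a 2-byte big-endian opcode.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
BLOCK_SIZE = 512  # default data block; a shorter DATA block ends the transfer


def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP UDP payload into a small dict."""
    (opcode,) = struct.unpack("!H", payload[:2])
    kind = OPCODES.get(opcode, "UNKNOWN")
    if kind in ("RRQ", "WRQ"):
        filename, mode, _ = payload[2:].split(b"\x00", 2)
        return {"op": kind, "filename": filename.decode(), "mode": mode.decode()}
    if kind == "DATA":
        return {"op": kind, "block": struct.unpack("!H", payload[2:4])[0], "data": payload[4:]}
    if kind == "ACK":
        return {"op": kind, "block": struct.unpack("!H", payload[2:4])[0]}
    return {"op": kind, "raw": payload[2:]}


def reassemble(payloads) -> dict:
    """Rebuild every file carried by a list of TFTP payloads -> {filename: bytes}.
    Retransmitted DATA blocks are dropped; the first block shorter than BLOCK_SIZE
    closes the current transfer. Block-number wraparound (>65535) is not handled."""
    files, name, blocks = {}, None, {}
    for pkt in map(parse_tftp, payloads):
        if pkt["op"] in ("RRQ", "WRQ"):
            name, blocks = pkt["filename"], {}
        elif pkt["op"] == "DATA" and name is not None:
            blocks.setdefault(pkt["block"], pkt["data"])  # ignore duplicates
            if len(pkt["data"]) < BLOCK_SIZE:
                files[name] = b"".join(blocks[b] for b in sorted(blocks))
                name = None
    return files


def rot13(text: str) -> str:
    """The 'encoding' used by the challenge hints; ROT13 is its own inverse."""
    return codecs.decode(text, "rot_13")


def build_transfer(filename: str, content: bytes) -> list:
    """Constructed WRQ exchange (client writes a file), with block 1 sent twice."""
    pkts = [struct.pack("!H", 2) + filename.encode() + b"\x00octet\x00", struct.pack("!HH", 4, 0)]
    chunks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)] or [b""]
    if len(chunks[-1]) == BLOCK_SIZE:
        chunks.append(b"")  # an exact multiple of 512 bytes needs an empty final block
    for n, chunk in enumerate(chunks, start=1):
        pkts += [struct.pack("!HH", 3, n) + chunk] * (2 if n == 1 else 1)
        pkts.append(struct.pack("!HH", 4, n))
    return pkts


# Constructed sample: the challenge's hint string written as instructions.txt.
HINT = ("GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE."
        "SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA")

if __name__ == "__main__":
    recovered = reassemble(build_transfer("instructions.txt", HINT.encode()))
    print(rot13(recovered["instructions.txt"].decode()))
```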
Save the program.deb file. Let's see if we can use it to decode the images. The program.deb is actually steghide (this is easily seen if you extract it), so install it if you don't already have it installed with sudo dpkg -i program.deb.
The hint from the plan document suggests that DUEDILIGENCE (uppercase because the encoded text is uppercase) is the password.
We can use steghide on every image included in the packet capture file. The flag is hidden in the last image, picture3.bmp. So run steghide extract -sf picture3.bmp -p DUEDILIGENCE and cat flag.txt to get the flag.
picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}