PicoCTF-2021 Writeup
  • README
  • Binary Exploitation
    • Binary Gauntlet 0
    • Binary Gauntlet 1
    • Stonks
    • What's your input?
  • Cryptography
    • Compress and Attack
    • Dachshund Attacks
    • Double DES
    • Easy Peasy
    • It is my Birthday 2
    • It's Not My Fault 1
    • Mini RSA
    • New Caesar
    • New Vignere
    • No Padding, No Problem
    • Pixelated
    • Play Nice
    • Scrambled: RSA
  • Forensics
    • Disk, disk, sleuth!
    • Disk, disk, sleuth! II
    • information
    • MacroHard WeakEdge
    • Matryoshka doll
    • Milkslap
    • Surfing the Waves
    • Trivial Flag Transfer Protocol
    • tunn3l v1s10n
    • Very very very Hidden
    • Weird File
    • Wireshark doo dooo do doo...
    • Wireshark twoo twooo two twoo...
  • Reverse Engineering
    • ARMssembly 0
    • ARMssembly 2
    • ARMssembly 3
    • ARMssembly 4
    • gogo
    • Hurry up! Wait!
    • keygenme-py
    • Let's get dynamic
    • Rolling My Own
    • Shop
    • speeds and feeds
    • Transformation
  • Web Exploitation
    • Ancient History
    • Bithug
    • GET aHEAD
    • It is my Birthday
    • More Cookies
    • Most Cookies
    • Scavenger Hunt
    • Some Assembly Required 1
    • Some Assembly Required 2
    • Some Assembly Required 3
    • Some Assembly Required 4
    • Super Serial
    • Web Gauntlet 2
    • Web Gauntlet 3
    • Who are you?
    • X marks the spot
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag

Was this helpful?

Edit on GitHub
  1. Forensics

Wireshark twoo twooo two twoo...

Problem

Can you find the flag? shark2.pcapng.

  • shark2.pcapng

Solution

  1. Upon initial inspection, there seem to be a lot of requests to a /flag endpoint. Each request shows a different flag so these must be a distraction.

  2. After searching through the file I noticed many DNS requests for various subdomains of reddshrimpandherring.com. This looks like the suspicious traffic that one of the challenge hints refers to.

  3. A lot of the DNS queries have a destination of 8.8.8.8. However, a subset have a destination for 18.217.1.57.

  4. We can apply the filter dns and ip.dst==18.217.1.57 to only see DNS requests to this IP address. If we take the subdomains of reddshrimpandherring.com and append them in order we get: cGljb0NURntkbnNfM3hmMWxfZnR3X2RlYWRiZWVmfQ==

  5. Decoding the above string as base64 gives us the flag.

  6. Alternatively, this file can be analyzed using apackets.com. Just upload the file, go to the DNS page, and scroll down to see the requests neatly organized.

Flag

picoCTF{dns_3xf1l_ftw_deadbeef}

PreviousWireshark doo dooo do doo...NextARMssembly 0

Last updated 2 years ago

Was this helpful?