Forensics 150: Missed Registration by L4FR1

Challenge:

Description of the challenge: It's registration day! These forms just seem longer and longer...

UPDATE 10:44 Eastern: New pcap that should be a bit easier to work with.

UPDATE 2:58 Eastern: We're regenerating due to flag leaks, submissions disabled until then. Please be patient.

Update 3:31 Eastern: Updated pcap with new flag after leak. Please re-run your solutions on the file!

Analysis:

We have a pcap file, which we open with Wireshark.

We see a bunch of ARP, NBNS, LLMNR, HTTP and TCP packets.

We search for the string "flag" and find nothing.

When we use the Follow TCP Stream option (Analyze -> Follow -> TCP Stream):

we find this:

When we go to the next TCP stream, we find that there are two types of Accept-Encoding: the first one is "identity" and the second one is "gzip, deflate". We also see that there are two values: one is "x" and the other is "n".

Solution:

We take everything that comes after x= (a hex string) in every stream, put the pieces together in order, and then run the following command:

echo 'the hex you found' | xxd -r -p > flag.bmp

We get an image that contains the flag:

FLAG{HElp_Th3_BANANASCRIPt-guy_15_thr0wing_m0nkeys@me}

Note: couldn't upload the picture, bad quality.
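The reassembly step from the solution, as an added example that is not part of the original write-up: it pulls the x= field out of each request's form data in stream order, decodes the hex, and compares the size declared in the BMP header with the number of bytes recovered, which shows whether a stream was missed. The form bodies, the n= values and the function names are constructed for illustration, and the small payload is a stand-in, not the challenge image.

```python
import struct
from urllib.parse import parse_qs


def extract_x(body: str) -> str:
    """Return the hex string carried in the x= field of one form body ('' if absent)."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("x", [""])[0]


def reassemble(bodies):
    """Concatenate the x= values in stream order and decode the hex to bytes."""
    hex_blob = "".join(extract_x(b) for b in bodies)
    return bytes.fromhex(hex_blob)  # raises ValueError on non-hex or odd length


def check_bmp(data: bytes):
    """Return (complete, declared_size).

    A BMP starts with the magic 'BM' followed by a little-endian 32-bit
    file size; if that size differs from len(data), a chunk is missing
    or out of place.
    """
    if len(data) < 6 or data[:2] != b"BM":
        return False, None
    declared = struct.unpack_from("<I", data, 2)[0]
    return declared == len(data), declared


# Constructed sample: a 30-byte stand-in "BMP" split across three form bodies.
# The n= values are placeholders; the write-up only uses x=.
_payload = b"BM" + struct.pack("<I", 30) + bytes(range(24))
_hex = _payload.hex()
SAMPLE_BODIES = [
    "n=aaaa&x=" + _hex[:20],
    "n=bbbb&x=" + _hex[20:40],
    "n=cccc&x=" + _hex[40:],
]

if __name__ == "__main__":
    data = reassemble(SAMPLE_BODIES)
    ok, declared = check_bmp(data)
    print(f"recovered {len(data)} bytes, header declares {declared}, complete={ok}")
    with open("flag.bmp", "wb") as fh:  # same output name as the xxd command
        fh.write(data)
```
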
