Pcap Analysis 2

Forensic


After reading the description we understood that we need to find an exe file and a bin file in the given pcap, download both files, convert them to raw format before saving (that is the hint we were given), and then calculate the MD5 hash of each.

So without wasting any time let’s get started.

Open the pcap file in Wireshark. Once it is open, finding the exe and bin files is simple: click the search icon (Find a packet), or press Ctrl + F.

After clicking this icon you’ll see a search bar appear under the display filter bar. In the Find a packet bar, type exe to find the exe file.

Hit Enter and you will immediately find an exe file called lytton-crypt.exe under the TOOLS folder. But hold on: the packet shown first is not the actual file, because it is the request for the file.

We need the response, which sits just below the request in the packet list.

Now repeat the same process to find the bin file in the pcap. After finding both files, you have to download them in raw format. So let’s do this.

To download a file, right-click on the packet, hover (put the cursor) over Follow, then click TCP Stream.

A TCP Stream popup window appears.

Now convert the ASCII data to raw format. To do this, click on ASCII in the “Show data as” section and select Raw instead.

When you select Raw, the ASCII characters are shown as raw (binary) data. See the picture below.

Do the same for both the exe and the bin file, and save each one by clicking the Save as button. Select a directory to save the binary file in and name the file anything you want. After downloading both the exe and the bin file, it’s time to calculate the MD5 hashes.

On a Linux machine there is a tool called md5sum for calculating MD5 hashes. Use md5sum to hash both files.

Single commands:-

  1. md5sum win.exe
  2. md5sum lin.bin

Combined command:-  md5sum win.exe && md5sum lin.bin
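The steps above are done by hand in Wireshark. As an added example (not part of the original writeup), the Python below does the same job on a captured response so the hint about Raw is easy to see: it takes the server-to-client half of a TCP stream, strips the HTTP headers (assuming the file was served over plain HTTP, as the ASCII-readable stream suggests), honours Content-Length so bytes from a later message on the same connection are not included, and then hashes the result. It also hashes a hex-dump rendering of the body and the whole stream, which gives different MD5 values, which is exactly why saving the text view instead of the raw bytes produces the wrong flag. The HTTP response and its MZ-prefixed body are constructed sample data, not the challenge file.

```python
import hashlib

# Constructed sample: what the response half of a Follow TCP Stream looks
# like for a file download over HTTP. The body starts with "MZ" like a
# Windows executable but is otherwise fake data for this example.
SAMPLE_BODY = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
    b"\r\n" + SAMPLE_BODY
)


def extract_body(response: bytes) -> bytes:
    """Return the file body of a raw HTTP response stream.

    The body begins after the blank line that ends the headers. When a
    Content-Length header is present the body is cut to that length, so
    trailing bytes from another message on the same TCP stream are not
    hashed together with the file.
    """
    sep = response.find(b"\r\n\r\n")
    if sep == -1:
        raise ValueError("no end-of-headers marker; not a complete HTTP response")
    headers, body = response[:sep], response[sep + 4:]
    for line in headers.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            body = body[:int(value.strip())]
            break
    return body


def md5_hex(data: bytes) -> str:
    """MD5 of the exact bytes given, as a lowercase hex string (like md5sum)."""
    return hashlib.md5(data).hexdigest()


def hash_variants(response: bytes) -> dict:
    """Hash the same download three ways to show which one is the file hash.

    raw_body      - the bytes Wireshark writes when "Show data as" is Raw
    hex_dump_text - the hex characters you would get by saving the text view
    whole_stream  - headers plus body, i.e. the stream without stripping
    """
    body = extract_body(response)
    return {
        "raw_body": md5_hex(body),
        "hex_dump_text": md5_hex(body.hex().encode()),
        "whole_stream": md5_hex(response),
    }


if __name__ == "__main__":
    for name, digest in hash_variants(SAMPLE_RESPONSE).items():
        print(f"{name:14} {digest}")
```

Only the raw_body value matches what md5sum prints for the file that the server actually sent; the other two are hashes of a different byte sequence and would never match the intended flag.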

Wrap the two MD5 hashes in the OFPPT-CTF{} flag format, separated by a pipe ( | ).

Flag:-  OFPPT-CTF{9cb9b11484369b95ce35904c691a5b28|4da8e81ee5b08777871e347a6b296953}

For more OFPPT-CTF writeups, click this link:- https://secureward.com/category/ofpptctf/
