Thursday, February 27, 2014

Codegate CTF 2014 - Weirdshark - Forensics 150 Write-up

Here is our file: http://58.229.183.26/files/weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7

Upon trying to open it with Wireshark we got this error:
That was obvious.

Let's try opening it with tcpdump to see what happens:

There is something wrong with the file.

Based on Wireshark's error message we looked up what an EPB is.
It is the Enhanced Packet Block, the block in which the captured packet data lies. Going by Wireshark's error we assumed there was something wrong with the packets' EPB headers, not with the packet data itself.

To fix the headers we used an online pcap fixer: http://f00l.de/hacking/pcapfix.php. It corrected the error that the EPB data exceeds the packet length.

Opening the repaired file in Wireshark caused another error:


It seems that the fixer changed the cap len to 64 while our packets' len is 62. So we padded each packet with zeros up to length 64.
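The same repair as an added example (not code from the write-up or from pcapfix): it walks a little-endian pcapng file, finds every EPB whose captured length is larger than the original length or than the packet bytes actually stored, pads the packet data with zeros to the captured length, raises the original length to match, and rewrites both block-length fields. The sample capture is constructed here to mirror the write-up's situation (cap len 64, packet len 62); the only assumption is that such malformed blocks carry no trailing options.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006

def pad4(n):
    return (n + 3) & ~3

def block(btype, body):
    """Serialize one pcapng block: type, total length, body (4-byte padded), total length."""
    body = body + b"\x00" * (pad4(len(body)) - len(body))
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def fix_epb_lengths(pcapng):
    """Pad inconsistent EPBs to their captured length. Returns (fixed_bytes, patched_count)."""
    out, patched, off = bytearray(), 0, 0
    while off + 12 <= len(pcapng):
        btype, total = struct.unpack_from("<II", pcapng, off)
        if total < 12 or total % 4 or off + total > len(pcapng):
            break  # truncated block or trailing garbage: keep what was recovered so far
        body = pcapng[off + 8 : off + total - 4]
        if btype == EPB and len(body) >= 20:
            iface, ts_hi, ts_lo, caplen, origlen = struct.unpack_from("<5I", body)
            pkt = body[20:20 + caplen]
            # options, if any, follow the 4-byte-padded packet data
            opts = body[20 + pad4(caplen):] if len(body) >= 20 + pad4(caplen) else b""
            if len(pkt) < caplen or caplen > origlen:
                pkt += b"\x00" * (caplen - len(pkt))  # zero-fill up to cap len
                hdr = struct.pack("<5I", iface, ts_hi, ts_lo, caplen, max(origlen, caplen))
                out += block(EPB, hdr + pkt + opts)
                patched += 1
                off += total
                continue
        out += pcapng[off : off + total]  # any other block is copied through unchanged
        off += total
    return bytes(out), patched

def sample_capture():
    """Constructed sample: SHB + IDB + one EPB with caplen 64 but only 62 packet bytes (origlen 62)."""
    shb = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)   # byte-order magic, v1.0, unknown section length
    idb = struct.pack("<HHI", 1, 0, 65535)            # Ethernet, snaplen 65535
    epb = struct.pack("<5I", 0, 0, 0, 64, 62) + bytes(range(62))
    return block(SHB, shb) + block(IDB, idb) + block(EPB, epb)

if __name__ == "__main__":
    fixed, n = fix_epb_lengths(sample_capture())
    print(f"patched {n} EPB(s), {len(fixed)} bytes written")
```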


Voila! We can read the packets with Wireshark.

And here is the flag.



And here is one of the other files we extracted from the pcap file. We think these guys are the builders of this challenge.


