A Warning

Challenge:

Luciafer is being watched! Someone on the inside of Lytton Labs can see what she is doing and is sending her a message.

One of them says: "Stay away from Lytton Labs… you have been warned."

To find the flag, find the message. You'll know it when you see it. Submit the flag as flag{flag-goes-here}.

Use the PCAP from LYTTON LABS 01 - Monstrum ex Machina.

Solution:

A string search for "you have been warned" in Wireshark turned up a couple of streams that were actually related to solving future challenges, but the search at least gave us a source IP address to pivot on.

We applied a filter of ip.src == 192.168.100.105 and the first stream in the results (stream #73225) contained a JPG named da-warning-message.jpg which was transferred over HTTP.

wget -O da-warning-message.jpg http://192.168.100.105/da-warning-message.jpg
--2021-08-22 17:57:03--  http://192.168.100.105/da-warning-message.jpg
Connecting to 192.168.100.105:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 578908 (565K) [image/jpeg]
Saving to: 'da-warning-message.jpg'

     0K .......... .......... .......... .......... ..........  8%  123M 0s
    50K .......... .......... .......... .......... .......... 17% 89.4M 0s
   100K .......... .......... .......... .......... .......... 26%  392M 0s
   150K .......... .......... .......... .......... .......... 35%  242M 0s
   200K .......... .......... .......... .......... .......... 44%  110M 0s
   250K .......... .......... .......... .......... .......... 53%  411M 0s
   300K .......... .......... .......... .......... .......... 61%  384M 0s
   350K .......... .......... .......... .......... .......... 70%  468M 0s
   400K .......... .......... .......... .......... .......... 79%  431M 0s
   450K .......... .......... .......... .......... .......... 88%  414M 0s
   500K .......... .......... .......... .......... .......... 97%  429M 0s
   550K .......... .....                                      100%  333M=0.002s

2021-08-22 17:57:03 (225 MB/s) - 'da-warning-message.jpg' saved [578908/578908]

We used Wireshark's File->Export Objects->HTTP option to export the JPG, which revealed the flag.
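What the HTTP object export does for a stream like this one, as an added example that is not part of the original write-up: it splits each response's headers from its body using Content-Length, then checks the body for the JPEG start and end markers so a truncated capture is noticed. The function names and the sample stream are constructed for illustration; the input is assumed to be the raw server-to-client bytes of one reassembled TCP stream.

```python
# Added example: carve HTTP response bodies out of the raw server-to-client
# bytes of one reassembled TCP stream. Content-Length framing only
# (no chunked transfer encoding, no compression).
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


def carve_http_bodies(stream: bytes):
    """Yield (status_line, headers, body, complete) per response in the stream."""
    pos = 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        head_end = stream.find(b"\r\n\r\n", start)
        if start < 0 or head_end < 0:
            return                      # no more responses, or headers cut off
        lines = stream[start:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[head_end + 4:head_end + 4 + length]
        # complete is False when the capture holds fewer bytes than declared
        yield lines[0], headers, body, len(body) == length
        pos = head_end + 4 + length


def looks_like_jpeg(body: bytes) -> bool:
    """True when the body starts with SOI and ends with EOI."""
    return body.startswith(JPEG_SOI) and body.endswith(JPEG_EOI)


def build_sample_stream() -> bytes:
    """Constructed sample stream; the JPEG is a stub, not the challenge image."""
    jpeg = JPEG_SOI + b"\xe0" + b"constructed-sample-bytes" + JPEG_EOI
    def resp(body, ctype, declared=None):
        n = len(body) if declared is None else declared
        return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype +
                b"\r\nContent-Length: " + str(n).encode() + b"\r\n\r\n" + body)
    return (resp(b"<html>ok</html>", b"text/html") + resp(jpeg, b"image/jpeg")
            + resp(jpeg[:10], b"image/jpeg", declared=len(jpeg)))  # truncated


if __name__ == "__main__":
    for status, hdrs, body, ok in carve_http_bodies(build_sample_stream()):
        print(hdrs.get("content-type"), len(body), "complete" if ok else "truncated",
              "jpeg" if looks_like_jpeg(body) else "not-jpeg")
```

A body that is marked truncated or fails the marker check means the capture is missing segments, so the exported image would be incomplete.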
