Monstrum ex Machina

Challenge:

Our person on the "inside" of Ghost Town was able to plant a packet sniffing device on Luciafer's computer. Based on our initial analysis, we know that she was attempting to hack a computer in Lytton Labs, and we have some idea of what she was doing, but we need a more in-depth analysis. This is where YOU come in.

We need YOU to help us analyze the packet capture. Look for relevant data to the potential attempted hack.

To gather some information on the victim, investigate the victim's computer activity. The "victim" was using a search engine to look up a name. Provide the name with standard capitalization: flag{Jerry Seinfeld}.

SHA1: 6c0caf366dae3e03bcbd7338de0030812536894c

NOTE: All of the packet capture challenges use this PCAP file.

Solution:

We began this challenge the way we begin every PCAP challenge, by running Zeek with a custom CTF-oriented script:

$ zeek -Cr pcap-challenge-final.pcapng ~/Tools/ctf_pcaps.zeek

Given the clue that the traffic contains a search, we used zeek-cut to keep only the host and uri columns of Zeek's http.log, grepped for the term "search", and identified the search in the last line of output:

$ cat http.log | zeek-cut host uri | grep -i search

zhidao.baidu.com	/search?ct=17&pn=0&tn=ikaslist&rn=10&lm=0&ie=utf-8&word="charles geschickter"

The accepted flag was flag{Charles Geschickter}.
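As an added example (not part of the original writeup), the same hunt done in Python rather than with the zeek-cut/grep pipeline: it reads the #fields header of a Zeek http.log, pulls the host and uri columns, and decodes the search term from the query parameters that common search engines use. The log text below is a constructed sample in Zeek's tab-separated layout, not the challenge capture.

```python
import urllib.parse

# Constructed sample in Zeek's default ASCII http.log layout (not the challenge
# PCAP). Only the #fields header and the host/uri columns matter to the parser.
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\thost\turi\tmethod
1.0\tC1\t10.0.0.5\t51000\t93.184.216.34\t80\texample.com\t/index.html\tGET
2.0\tC2\t10.0.0.5\t51002\t180.76.76.76\t80\tzhidao.baidu.com\t/search?ct=17&pn=0&tn=ikaslist&rn=10&lm=0&ie=utf-8&word="charles geschickter"\tGET
3.0\tC3\t10.0.0.5\t51004\t142.250.72.4\t80\twww.google.com\t/search?q=lytton+labs&hl=en\tGET
4.0\tC4\t10.0.0.5\t51006\t1.2.3.4\t80\tcdn.example.net\t/static/app.js\tGET
"""

# Query-parameter names that popular search engines use for the search string.
SEARCH_PARAMS = ("q", "query", "word", "search", "text")


def parse_zeek_log(text):
    """Yield one dict per record of a Zeek ASCII log, keyed by its #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue  # other header/footer lines (#separator, #close, ...)
        if fields is None:
            raise ValueError("data line before #fields header")
        yield dict(zip(fields, line.split("\t")))


def search_terms(log_text):
    """Return (host, term) pairs for requests whose URI carries a search string."""
    hits = []
    for rec in parse_zeek_log(log_text):
        host, uri = rec.get("host", "-"), rec.get("uri", "-")
        if "?" not in uri:
            continue
        # parse_qs percent-decodes values and turns '+' back into spaces
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(uri).query)
        for name in SEARCH_PARAMS:
            if name in params:
                # strip the quoting that exact-phrase searches add around the term
                hits.append((host, params[name][0].strip("\"'")))
                break
    return hits


if __name__ == "__main__":
    for host, term in search_terms(SAMPLE_HTTP_LOG):
        print(f"{host}\t{term}")
```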
