Dreaming of You

Challenge:

Someone doesn't understand networking traffic. Now I know their deepest crush. Can you find the flag from the PCAP file? Submit the flag as flag{text}.

Solution:

We began this challenge like most others involving a PCAP, using Zeek combined with our custom CTF-centric script:

$ zeek -Cr DeadfacePcap.pcapng ~/Tools/ctf_pcaps.zeek

Done analyzing, enjoy the CTF!

One thing we noticed right away was a telnet.log generated by our Zeek script, which is a "session replay" of the raw data analyzed from port 23 traffic. Reading through the log led to the discovery of the flag:

1664574577.715396	CrBWKP3EjxFRvyeA0f	C:\\Users\\f.kreuger\\Documents>echo\x1b[4l\x1b[1D \x1b[1D\x1b[4l\x1b[1D \x1b[1D\x1b[4l\x1b[1D \x1b[1D\x1b[4l\x1b[1D \x1b[1Dtype 2023\x1b[30;30H\x1b[30;30H          \x1b[30;30Htype 2023Resolutions.txt\x1b[4l
1664574577.715396	CrBWKP3EjxFRvyeA0f	flag{longing_for_nancy}
1664574577.715396	CrBWKP3EjxFRvyeA0f	(empty)
1664574584.083357	CrBWKP3EjxFRvyeA0f	exit

The accepted flag was: flag{longing_for_nancy}
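
The replay above is hard to read because the terminal control sequences are logged as escaped text. The following is an added example, not part of our ctf_pcaps.zeek script: it undoes Zeek's `\\` and `\xNN` escaping, strips the ANSI/VT100 sequences, and searches the cleaned data for the flag pattern. The three-column layout (ts, uid, data) is assumed from the excerpt, and the function names are hypothetical.

```python
import re

ZEEK_ESC = re.compile(r"\\(\\|x[0-9a-fA-F]{2})")  # Zeek ASCII-log escaping
CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")       # ANSI/VT100 control sequences
FLAG = re.compile(r"flag\{[^}]+\}")

# Constructed sample: rows taken from the excerpt above, the first one shortened.
# Assumed layout: ts <TAB> uid <TAB> data.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("1664574577.715396", "CrBWKP3EjxFRvyeA0f",
     r"C:\\Users\\f.kreuger\\Documents>echo\x1b[4l\x1b[1D \x1b[1Dtype 2023"
     r"\x1b[30;30H          \x1b[30;30Htype 2023Resolutions.txt\x1b[4l"),
    ("1664574577.715396", "CrBWKP3EjxFRvyeA0f", "flag{longing_for_nancy}"),
    ("1664574584.083357", "CrBWKP3EjxFRvyeA0f", "exit"),
])

def unescape(field):
    """Turn Zeek's literal \\\\ and \\xNN escapes back into the original characters."""
    def repl(match):
        token = match.group(1)
        return "\\" if token == "\\" else chr(int(token[1:], 16))
    return ZEEK_ESC.sub(repl, field)

def clean(field):
    """Drop control sequences and other non-printables, then collapse space runs."""
    text = CSI.sub("", unescape(field))
    text = "".join(ch for ch in text if ch.isprintable())
    return re.sub(r" {2,}", " ", text).strip()

def replay(log_text):
    """Parse tab-separated rows into (ts, uid, cleaned data) tuples."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if line.startswith("#") or len(parts) != 3:
            continue  # skip Zeek header lines and malformed rows
        rows.append((float(parts[0]), parts[1], clean(parts[2])))
    return rows

def find_flags(rows):
    """Return every flag{...} match found in the cleaned data column."""
    return [m.group(0) for _, _, data in rows for m in FLAG.finditer(data)]

if __name__ == "__main__":
    for ts, uid, data in replay(SAMPLE_LOG):
        print(ts, uid, data)
    print(find_flags(replay(SAMPLE_LOG)))
```

Stripping the sequences rather than emulating cursor movement leaves retyped fragments in the command line, but the file output and the flag come through cleanly.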
