Wireshark Two¶
Given a .pcapng
file. Open it in wireshark and we see a lot of traffic.
Intuition¶
Looking at the packets, a lot of them had flag like strings in them such as picoCTF{a97d3ee943221888bd1157429e4a00ed5e9905a610e64664f7e36c7f5e0a4ef9}
which was a distraction. Then I saw that there were also a lot of DNS
quires to weird destinations involving red shrimp and herring
.
Method¶
Taking a deeper look at these DNS records, we see that it's all going to similar domains but the subdomain part is random characters that looks like base 64
. I tried to capture some of them but a lot was gibberish.
A further look revealed that only some DNS records are pointing to a different destination IP and by using wireshark filters, I was able to filter them out. By concatenating the subdomain name and decoding using b64
was able to recover flag.