
Split wireshark pcap file

In May 2020 the Champlain College Digital Forensics Association, in collaboration with the Champlain Cyber Security Club, released their Spring 2020 DFIR CTF including Windows, MacOS, and Apple iOS images, as well as network traffic analysis, OSINT, and reversing challenges. This series of write-ups covers the network forensics section. As the questions were split over multiple PCAP files (shell, smb, dhcp, network, dns, and https), I have decided to split my write-ups by PCAP for ease of reading. This write-up covers the questions relating to the https PCAP file.

What has been added to web interaction with ?

Before we can start answering questions we need to decrypt the encrypted traffic. Wireshark allows us to decrypt TLS traffic by supplying the Pre-Master Secret helpfully provided in the secret-sauce.txt file that was included with the challenge PCAPs. After decrypting the traffic we can filter for traffic to the web server in question: http.host = ""

This filter only shows us packets specifically containing the HTTP request headers, but by selecting the Follow HTTP Stream option (Stream #27) we can more easily read the exchange between the client and server, including the flag inserted into the server response headers.

What is the name of the photo that is viewed in slack?

I'm not familiar with how Slack operates on the network level, but checking for HTTP requests containing "slack" in the host header field seemed a sensible start. There are two GET requests referring to JPEG files; entering the first one gives our flag. Out of curiosity I also exported the image using the Export Objects function, which would also have shown the filenames.

Flag 03 – Someone needs a change (400 points)
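The steps above (TLS decryption from the key log file, the host filter, following the HTTP stream, the JPEG requests to Slack, and Export Objects) reproduced as a shell script driving tshark, Wireshark's command-line front end. This is an added example, not part of the write-up; the capture and key log file names and the WEBHOST placeholder are assumptions, since the web server's hostname did not survive extraction of the post.

```sh
#!/bin/sh
# Added example (not from the write-up): the same steps with tshark, Wireshark's CLI.
# Capture and key log file names are assumed; override with PCAP= and KEYLOG=.
PCAP="${PCAP:-https.pcap}"
KEYLOG="${KEYLOG:-secret-sauce.txt}"

# Run tshark with TLS decryption from the NSS key log ("Pre-Master Secret") file.
# The preference is tls.keylog_file on Wireshark 3.x+ (ssl.keylog_file on 2.x).
tshark_dec() {
    tshark -r "$PCAP" -o "tls.keylog_file:$KEYLOG" "$@"
}

# Filter for traffic to the challenge web server; the hostname did not survive
# extraction of the write-up, so it is passed in.
host_filter() {
    printf 'http.host == "%s"' "$1"
}

# Filter for the Slack question: GET requests for JPEGs to a host containing "slack".
slack_jpeg_filter() {
    printf '%s' 'http.request.method == "GET" && http.host contains "slack" && (http.request.uri contains ".jpg" || http.request.uri contains ".jpeg")'
}

# List decrypted requests matching a display filter: frame, host, URI per line.
list_requests() {
    tshark_dec -Y "$1" -T fields -e frame.number -e http.host -e http.request.uri
}

# Equivalent of "Follow HTTP Stream": full request/response text for one stream index.
follow_stream() {
    tshark_dec -q -z "follow,http,ascii,$1"
}

# Equivalent of File > Export Objects > HTTP: save every decrypted object to a directory.
export_http_objects() {
    mkdir -p "$1" && tshark_dec -q --export-objects "http,$1"
}

# Runs only when tshark and the inputs are present; WEBHOST is a placeholder hostname.
if command -v tshark >/dev/null 2>&1 && [ -r "$PCAP" ] && [ -r "$KEYLOG" ]; then
    list_requests "$(host_filter "${WEBHOST:-web-server.example}")"   # requests to the web server
    follow_stream 27                                                   # stream #27 from the write-up
    list_requests "$(slack_jpeg_filter)"                               # the two JPEG GETs to Slack
    export_http_objects ./http-objects                                 # includes the photo itself
fi
```

The follow output prints the server's response headers in full, which is where the write-up found the inserted flag; the exported objects directory holds the JPEG files themselves.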