Tuesday, October 2, 2012

CSAW CTF Quals: Networking 400

This challenge was so much simpler than we tried to make it. We ended up solving all but this challenge in the first 19 hours of the competition (minus the extra few challenges they put up at the 24-hour point) and we spent the rest of the competition mangling this pcap in every which way. We wrote a script which corrected all of the CRCs in the pcap so that it was readable by Wireshark and tshark. We took the data and started messing with all of the voltages and such. But all of this is completely barking up the wrong tree.

It turns out that the pcap given to us is a copy of one on the Wireshark website with all of the dates changed (which broke the checksums). The link is provided below.

Wireshark pcap

At this point we started looking at all of the differences between the files. We tried looking at all the hex values, tried XORing things, but none of it worked. Finally, someone on our team noticed that, aside from the final packet from 1970, every single other packet was from one of two dates, the 21st or 22nd of December. If you take every date from the pcap in order and assign a 0 or a 1 based on the date of the packet, then you end up with an ASCII string that is in binary. Just plug it into a translator, truncate the result to 128 characters (because the website told us to) and submit! That is all there is to it...

  -- suntzu_II
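
The date-to-bit decoding described above, as an added example that is not part of the original post. It reads the record timestamps from a classic libpcap file and packs one bit per packet into ASCII. The bit assignment (21st = 0, 22nd = 1), MSB-first 8-bit packing, UTC day boundaries, the year 2011 and the sample message are all assumptions; the capture is constructed in memory.

```python
import calendar
import struct
from datetime import datetime, timezone

def packet_times(pcap: bytes):
    """Yield each record's capture time (UTC) from a classic libpcap file."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(pcap):
        ts_sec, _frac, incl_len, _orig = struct.unpack_from(endian + "IIII", pcap, offset)
        yield datetime.fromtimestamp(ts_sec, tz=timezone.utc)
        offset += 16 + incl_len  # record header plus captured bytes

def decode_dates(pcap: bytes, zero_day=21, one_day=22) -> str:
    """Map each packet's day of month to a bit, then pack the bits into ASCII."""
    bits = ""
    for when in packet_times(pcap):
        if when.day == zero_day:
            bits += "0"
        elif when.day == one_day:
            bits += "1"
        # any other date (such as the trailing 1970 packet) carries no bit
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))

def build_sample(message: str) -> bytes:
    """Constructed capture: one dummy packet per bit, then a final 1970 packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    bits = "".join(f"{ord(c):08b}" for c in message)
    # Year 2011 is an arbitrary constructed value; noon avoids timezone edge cases.
    stamps = [calendar.timegm((2011, 12, 21 + int(b), 12, 0, 0)) for b in bits] + [0]
    for ts in stamps:
        out += struct.pack("<IIII", ts, 0, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    # Truncate to 128 characters, as the challenge site asked.
    print(decode_dates(build_sample("key{constructed}"))[:128])
```

If the output of a real capture is unreadable, swap `zero_day` and `one_day` before trying anything more elaborate.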
