Xmas-Rootme - (02) Wrapped Packet
25/12/2024
Second day of the Christmas calendar, a forensic chall.
Source files : sources
We get a huge pcap file, and from the challenge description we know there is some kind of data exfiltration.
The first things that came to mind are DNS and ICMP exfiltration, based on the packets we have.
Looking at the DNS traffic I saw nothing very suspicious (from what I know), so let's go to the ICMP traffic.
I extracted all the ICMP data using this command:
tshark -r chall.pcapng -Tfields -Y 'icmp' -e 'data.data' > icmp
We now have a bunch of question-answers; let's look at the unique lines.
When playing a bit with them in CyberChef, here is what I could get:
The last two lines look suspiciously like the end of a flag; now we just need to take the previous packets, look at the data inside and decode it until we get to the start of the flag. And after doing so, we get the flag! 🔥
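The same workflow in script form, as an added example that is not part of the original writeup: parse the hex lines that the tshark command above produces, drop the request/reply duplicates, and peel hex or base64 layers off each payload until printable text remains. The sample payloads, the flag fragments and their single base64 layer are constructed for this example; the challenge's actual encoding chain is not reproduced.

```python
import base64

# Constructed stand-in for the tshark output above: one ICMP payload per line as hex
# (bare or colon-separated by tshark version), each twice since the echo reply mirrors
# the request. The fragments and their base64 layer are made up; the real chain is not reproduced.
SAMPLE_TSHARK_OUTPUT = """\
6162636465666768696a6b6c6d6e6f707172737475767778797a
6162636465666768696a6b6c6d6e6f707172737475767778797a
55:6b:31:37:53:55:4e:4e:55:46:39:6c
55:6b:31:37:53:55:4e:4e:55:46:39:6c
654746746347786c66513d3d
654746746347786c66513d3d
"""

def parse_tshark_hex(text: str) -> list[bytes]:
    """Turn tshark's per-packet data.data hex dump into raw payload bytes."""
    lines = (ln.strip().replace(":", "") for ln in text.splitlines())
    return [bytes.fromhex(h) for h in lines if h]

def unique_in_order(items: list[bytes]) -> list[bytes]:
    """Collapse request/reply duplicates while keeping packet order."""
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]

def _is_text(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 for b in data)

def peel(payload: bytes, max_depth: int = 4) -> tuple[bytes, int]:
    """Strip hex/base64 layers while the result stays printable ASCII and return
    (innermost payload, layers removed). Hex is tried first, so a base64 token
    made only of hex digits would be misread as hex."""
    depth = 0
    while depth < max_depth and _is_text(payload):
        text = payload.decode("ascii")
        try:
            decoded = bytes.fromhex(text)
        except ValueError:
            try:  # binascii.Error is a ValueError subclass
                decoded = base64.b64decode(text, validate=True)
            except ValueError:
                break
        if not _is_text(decoded):
            break
        payload, depth = decoded, depth + 1
    return payload, depth

def recover_fragments(tshark_output: str) -> list[tuple[str, int]]:
    """(decoded text, layers removed) per unique text-like payload; depth 0 is plain data."""
    peeled = [peel(p) for p in unique_in_order(parse_tshark_hex(tshark_output))]
    return [(p.decode("ascii"), d) for p, d in peeled if _is_text(p)]
```

Payloads that needed no decoding (depth 0, like the default alphabet ping pattern) are the background traffic; the ones that peeled to text are the fragments to concatenate in packet order.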