Hello everybody. My name is John Hammond. We're looking at PicoCTF 2017, moving into the forensics category and level one here. So the first challenge is a 50-point challenge, so we jump off big: Digital Camouflage. Let's check out this challenge. "We need to gain access to some routers. Let's try and see if we can find the password in the captured network data." I don't know why I put that inflection in there, totally not necessary. "It looks like someone logged in with their password earlier. Where would login be located in a network capture? If you think you found the flag and it doesn't work, consider the data might be encrypted." Okay, so data.pcap. We can go ahead and download that. I'm gonna have to copy link address and do some wget magic, because people yell at me for that. So let's make a directory, digital camouflage. Sweet. If you haven't used wget before, it will just download stuff for you: if you give it a link, it will go ahead and create that file after it gets it from a web page. So now we have data.pcap. If you haven't seen a pcap file before, it is an archive of packet captures. It is, it is a packet capture, an archive of package, pack, packets, whatever. Wireshark or TCP shark, teat, sorry, tshark, tcpdump, another, other cool programs will allow you to look at these things, look at these packets. And these packets are like digital representations of communication between things. I was gonna say stuff, but I don't know if that's between stuff. Yeah, whatever.
I'm really bad at videos today. Computers talk to each other, and that happens through packets and different kinds of protocols. So you can take advantage of that and look through it and stuff, called Wireshark. And if you're on Linux, you should be able to just run sudo apt install wireshark, if you're on Ubuntu or anyway using apt as your package manager, you can do that. So it'll ask you for your password, blah blah blah, because you need to be root, and once it's installed you can open up Wireshark. And if you want to give it an argument, doing it from the command line, you can open that file that way, or use your GUI and just Wireshark it up. So we can open that file, Digital Camouflage, open it up, and in Wireshark we have our, we were greeted by, by three panes, my three vertical segments here. Up on the bottom, up on the bottom, down on the bottom is the, like, raw dump of the packet that we're looking at. On the left-hand side you see it in hex, and on the right side over here you see ASCII. So hex, those hexadecimal numbers here, like 0 through 9 and a through f like we've seen before, and ASCII will have hopefully, like, actual English once it's converted to, like, ASCII text, depending on whether or not it actually contains that in the package, in the packet. I don't know.
I keep calling it package, my bad. You can look at individual, like, headers or specific segments of information that are specified in the specification of a packet to have this specific meaning, like okay, maybe this number of bytes represents the version number. You can see it highlighted down there in the actual, like, raw dump, and you can also see these things noted in that specific frame category section. Up on the top you have a listing of all of the different packets, and they're displayed typically in different colors depending on the protocol or what actually happened with them. So you can see HTTP, and that's noted in green, and you can see, okay, there's some English words down there that you actually can follow through with. And HTTP has a lot of information typically, because that is the communication protocol between, like, websites, right? Hypertext Transfer Protocol. So that's how you're accessing web pages and talking to servers on the internet, websites. So when you go to a web page you get a page, just like we did with wget, you're getting information, etc. So if we're trying to find a password, it's probably not going to be in these destination unreachable port things that are broken up, or UDP things that don't have anything interesting in them, etc. We probably want to see things in, like, actual HTTP, because you can see communication, it's going through there. However, looking at these packets through this raw dump isn't very easy, like it's cut up in that small, super tiny column there. So if you have a packet that you want to examine and look more at, you can right-click it in the top pane and scroll down to Follow, and you can typically follow the TCP stream or the HTTP stream or whatever, like, kind of protocol you're looking at here.
I'll click TCP stream and it will show, okay, here's the raw information that's going through the HTTP protocol to have information posted to a page on a website, in our case whatever IP address this is. And it talks about, like, okay, what browser are we using, what are the other headers that come along with it? So like the User-Agent, are we using Firefox, Mozilla Firefox, right? Etc. Other hosts that we're looking at, other headers that come with it, and we'll get a response. You can see down below, the red is the client and the blue is the server, kind of denoted in Wireshark here. So there are variables being posted to this page, and it says the userid is StevensJ and password, I'm assuming pswrd, is equal to all of this stuff. But there's a %3d %3d. We could try and submit this as our flag, but we will quickly be greeted by the fact that that is not the case. Paste it in, no. So what we're seeing here is URL encoding, because you can see 3d, that looks like hex, right? And it occurs twice, in the percent signs there. So there's percent-encoding when you're trying to include special characters going through HTTP, going through that protocol across the web. You can Google that stuff if you want, like URL encoding, and it will explain to you, okay, you've got stuff that is going to go through with a percent sign. Trying to zoom in here so you can see it. I'll give you a little bit of information down below: there are reserved characters, after percent-encoding, etc. So you'll see that percent sign and a hex value. So equals is what's %3d. So if we wanted to just paste in this thing, we could encode this, and that double encodes it for us. We want to go the other way around, we want to decode. Can I do that?
Okay, decode, sweet. Paste it in, decode, and now you can see it's just those equal signs. So I don't know if you've seen this before, but that is base64. That's data that is not compressed, but just denoted in a different way, or encoded in a different way, to look like other alphanumeric characters, and they typically end in equal signs because they use that for padding. Base64 has to be a length of a multiple of four, so if it's not, it'll use a number of equal signs at the end to make sure it is that length. So if it needs to, you may see no equal signs at the end, so it is a proper length of four, multiple of four, or one equal sign, two equal signs, or three equal signs, because it has to use that as a padding character to make the length a multiple of four. Great. We can base64 decode that, we've done that stuff before. You can do it in bash: echo that string, pipe it into base64 -d, and whatever this is is supposedly our password, right? flag.txt, yep, cool. Let's go ahead and submit it. And we're iron... I don't know what I just said there. We are in. We got it right, challenge solved, sweet. So how else can we do this? Well, just for your teaching stuff, just for your learning ability, your learnability, Wireshark is obviously processing this pcap data as a file. So there's stuff in here that looks like kind of raw, gross hex binary data, and you won't be able to read all of that as plain text. But other stuff, like when you're looking at HTML pages or other things that are plain text, like this looks like the source of a web page, right? Because it is, because that's being transferred over HTTP, that's plain text. So we can use stuff like strings or command line tools to be able to just see, okay, the printable characters in a file. We can do that to find just regular plain text. So why not try and hunt for this now? Why not try and, like, strings data.pcap?
Blah blah blah, and then we can start to look for things like flag, if you wanted to, -i for case insensitive, or password. Okay, it looks like that tells us, for a little bit of recon again if we want to do this manually or not, that is the variable name in HTTP that we're looking for, pswrd. If we look through that now, we see it, pswrd, cool. We want to cut that up: cut -d= -f3, right. Yep. Let's get the very last one there, so we get the last line. Can I replace multiple characters like that? I don't know. Nope. Nope. All right. How could I URL decode in bash? Is there a way to do that? Well, we could do this completely disgusting and horrible trick, but maybe that will teach you interesting things. Let's capture this output, or line, in a variable with a while loop, just like that, and then let's echo that out, and we can use the curly braces to denote a special syntax in bash that lets us do things with these variables. So we can replace there if we use a forward slash after the name of it, 3d, because that's what we want to replace, we want to replace that with an equal sign. And that didn't work for me because I might need to escape that. Okay, did it once, how do I do it again? Will it do it again? No. Oh, if I add another forward slash it will remove it there. Okay, cool, but now I just have a straight D at the very end that wasn't in there before. That must be just a stray character from the, from the strings output. But we can still base64 decode it and then get rid of the error that's being displayed on standard error, and we just get a random D over there, by taking that number two, the standard error stream, redirecting that to /dev/null and making it go away, into the bit bucket, the digital trash can. So that's gross, but hey, whatever, that's a neat one-liner. Cool things. Let's put that in a getflag script. I just like to, I don't know, exploit those.
I hope that wasn't too torturous. Maybe you'll learn something. Learn how to type, because I don't know how to do that. All right, there, there is our flag. We can mark this as complete, and that's that. That is the Digital Camouflage challenge, the first segment of the forensics category in PicoCTF level one. So sweet, we're moving through them. Hey, I want to give a special shout-out to the people that support me on Patreon. The video is over, you can leave if you want, but I got to spread some love. These people are awesome and I can't say it enough, I can't say thank you enough. $1 a month on Patreon will give you a special shout-out just like this at the end of every video. $5 a month will give you early access to my videos before I put them on YouTube, before they are released. And if you did like this video, please do press that like button, maybe leave me a comment, if you're willing to subscribe, and if you really want to support me, check me out on Patreon and my website, www.johnhammond.org. That's the one, it's the, it's dot org. There are too many top-level domains here, man. We got like net, we got that edu, we got all this.
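The strings-and-cut pipeline the video walks through, written up as an added shell example that is not the video's own getflag script: the POST line below is constructed for this example rather than taken from data.pcap, and the field names userid and pswrd are the ones the video reads out of the capture. It generalizes the %3d fix to the three base64 characters that URL encoding ever touches.

```shell
#!/bin/sh
# Added example (not from the video): recover a base64-encoded password from a
# URL-encoded HTTP POST body, the way the video does it with strings, cut and
# base64 -d, but with the percent-decoding done properly.

# Constructed sample of one line that `strings data.pcap | grep -i pswrd`
# could print. The real line from the challenge pcap is NOT reproduced here.
SAMPLE_POST_LINE='userid=StevensJ&pswrd=ZXhhbXBsZV9wYXNzd29yZA%3D%3D'

# Only three characters of the base64 alphabet are reserved in URLs: + / and =.
# They arrive as %2B %2F %3D, so undoing those three is enough for any base64
# form field. The bash parameter-expansion equivalent of the first rule is
# ${value//%3[dD]/=}; sed keeps this runnable in plain sh.
url_decode_b64() {
  printf '%s' "$1" | sed -e 's/%3[Dd]/=/g' -e 's/%2[Bb]/+/g' -e 's/%2[Ff]/\//g'
}

# Pull the value of the pswrd= field out of a form body, drop any trailing CR
# (HTTP lines end in CRLF, which is one way stray bytes end up after the
# value), undo the percent-encoding, then base64-decode it.
extract_pswrd() {
  field=$(printf '%s\n' "$1" | tr -d '\r' | tr '&' '\n' \
          | grep '^pswrd=' | cut -d= -f2-)
  url_decode_b64 "$field" | base64 -d
}

# Usage: run against the constructed sample and print what was recovered.
extract_pswrd "$SAMPLE_POST_LINE"
printf '\n'
```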