Hey, what's going on everybody? My name is John Hammond. Welcome to another Google Capture the Flag video write-up. This one I want to show off is the No Big Deal challenge. Another simple one, 50 points, a lot of people solved it because again, it's not that hard. It just took a lot of willpower to actually, like, look through all that stuff. The prompt is "Sometimes the answer is immediately obvious. Sometimes it's obscured", and find the answer in here, which is just a pcap file. So I have that downloaded. We'll open it up right now, once I navigate to it. Google, what am I doing, No Big Deal.

Fire this up in Wireshark, because it's just a giant pcap file once you extract it. So, this is a big file. Like, I tried to run strings on it to see if there was anything that would poke out and find, but it took a long time for strings to actually finish because there's like so much stuff in here. So I ended up just, like, poking through in Wireshark, kind of perusing through the packets to see if I found anything interesting. I'd try to export, like, information, to try to export objects and data. TCP looks like it had some stuff. The first couple of packets had like this hint, it looks like, in the data, where it says "NBD magic". Again, I'm assuming the whole No Big Deal thing. "I have opts", I don't know what that is, and I thought I saw "export" somewhere. Yeah, "export" down here. Again, I don't know if you can see this, I'm sorry, but, um, most stuff that I found was this NBD protocol, which I thought earlier, okay, NBD, No Big Deal, that same hint, "NBD magic". I felt like that might have been pretty interesting.
So I actually sorted through that in Wireshark, NBD, and I found, while I was looking through here, again, I was just perusing, looking at the data, because it looked like some of these had some pretty hefty packets. Like, they had length and they had data that came with it. So I added that as a column. If you don't know how to do that in Wireshark, what you can do is, you can right-click on the columns, you can go to Column Preferences, and you can, like, add or remove anything you want in here. You can set up a name for it, determine what type it is, and select, like, a source port, source address, other information you want to specify. If it's not, like, in this giant list, you can right-click any part of, like, an actual frame or dissected piece of information that Wireshark found. Later on, like, if you want to add data, you could right-click it and select Apply as Column, and then it'll get added up here.

So anyway, some of the interesting things I found were in actually this packet right here, packet 76, and I was honestly just perusing through the data section. I was, like, scrolling down through a lot of these, just trying to find out what it had, and in this one, I just, I might have got lucky, I don't know, but this string, like this Q1RGE, blah blah blah, that looked very out of place. Because, you know, you get a certain eye for, like, base64-encoded stuff, and this just looked like a base64-encoded string to me. So I actually just stole it. I, like, copied it out. Let's see if I can manage to copy it out this time. I had some trouble, I literally had some trouble trying to find that, like, copy this. Okay, Copy Value, cool, and now I'll get it in Sublime Text. Okay, that's not what I wanted. Let's copy the hex and ASCII dump, as printable text. Okay, cool.
So yeah, now we have the base64 string just kind of chilling out. What I can do is, we can take that and try and base64 decode it, decode, and there it is, that was the flag. It was really just hunting around this giant pcap, finding that base64 string and then decoding it. The flag was better FS, better, better files, I don't know, better, better than yours. Whatever, I don't care. We got our flag.

But that was just painful, to be, like, hunting through this and to have so little reward, but whatever, it was a simple thing. It was just a matter of, like, looking through, you know, 96,000, 97,000 packets. You didn't have to do that, and that's why, like I said, I picked out that NBD protocol, and I think that narrowed the search down to what? 611, that's not a big deal. And again, I just found mine on, like, packet 76. So it's a matter of hunting, I guess, and, I don't know, being willing to keep looking for stuff and just having an eye for the base64-encoded strings. That's pretty much it though. That's your flag. I'm not gonna try and put together a script to scrape that out, because I couldn't particularly scrape out any of the data out of that pcap regardless, but thanks for watching, guys. Hope you enjoyed this. Again, No Big Deal, only 50 points. Whatever, see you later.
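
Added example, not part of the original video or the speaker's own code: the manual "eye for base64" search described above can be automated by scanning raw payload bytes for long base64-alphabet runs and keeping only those that decode to readable text. The sample buffer, the flag text inside it and all function names are constructed for illustration; the `NBDMAGIC` and `IHAVEOPT` values are the NBD handshake magics the transcript reads out.

```python
import base64
import re

# Runs of 16+ base64-alphabet bytes, optionally followed by padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


def find_base64_strings(blob: bytes, min_ratio: float = 0.95):
    """Return (offset, decoded_text) for base64 runs that decode to text."""
    hits = []
    for match in B64_RUN.finditer(blob):
        run = match.group().rstrip(b"=")
        # A length of 4n+1 can never be valid base64; drop the stray byte.
        if len(run) % 4 == 1:
            run = run[:-1]
        run += b"=" * (-len(run) % 4)  # restore canonical padding
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # Binary data often matches the alphabet by chance; real encoded
        # text decodes to almost entirely printable bytes.
        if printable_ratio(decoded) >= min_ratio:
            hits.append((match.start(), decoded.decode("ascii", "replace")))
    return hits


# Constructed sample: NBD handshake magics, filler, then an encoded string.
# For a real capture, pass the file's bytes (open(path, "rb").read()).
SAMPLE_TOKEN = base64.b64encode(b"CTF{constructed_example_flag}")
SAMPLE = b"NBDMAGICIHAVEOPT" + b"\x00" * 8 + SAMPLE_TOKEN + b"\xff\x00\x01"

if __name__ == "__main__":
    for offset, text in find_base64_strings(SAMPLE):
        print(f"offset {offset}: {text}")
```

The 16-byte `NBDMAGICIHAVEOPT` header is itself a valid base64 run, which is why the printable-ratio filter is needed: it decodes to binary and is discarded, while the encoded text (which starts `Q1RGe`, the base64 form of `CTF{`) is kept.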