Hey YouTube, this is John Hammond. More picoCTF 2018. This challenge is called Recovering From the Snap, for a hundred and fifty points in the Forensics category. It seemed like a lot of people struggled with this, or at least I thought I saw a lot of questions about it just kind of flying around. I guess I didn't have too much of an issue with it. Maybe, I guess, I don't know, maybe I just tried something different and it seemed clear to me.

But I've got the file downloaded right here. It's animals.dd or whatever that may be. So I run file on it, and it says that, okay, it's a DOS master boot record, boot sector, code offset, this crap, blah blah blah. At that point I see it's some kind of file system, and I could deal with mounting it or trying to handle it or some other stuff. But at that point I didn't really care. I knew this is a forensics challenge, so I thought I'd go for it and run my usual forensics, like, low-hanging-fruit tools on it.

So the first thing I reached for is foremost, because it's pretty effective, and I wanted to output... check out what we got here. Looks like a lot of JPEGs. Cool, maybe I could carve out files without having to mount the file system or deal with crap like that. And I get pictures of cute animals. Look at this puppy, he's adorable. This fox... that is a fox, right? I don't know. I don't know why I'm hesitant about that. Little frog here, giraffe, uh, me, bunny, also funny, and there we go. There's the flag. It just pops right out: picoCTF, the snap happened. So maybe, I don't know, maybe the foremost tool is not commonly well known.
Maybe it is, but I got it just like that, so I don't think it was that difficult of a challenge. But maybe it's just knowing your toolkit, knowing your arsenal, knowing things that can make your life easier, and maybe that just comes with playing a little bit more or just doing stuff. I'm sure... I think we could have gotten this with binwalk, but whatever the case may be, that is how I solved that challenge. So I'll xclip this flag, go ahead and submit it, and we're moving. Sweet. Let's mark that challenge as complete, and let's move on. So not too hard on that one.

The next challenge is called Admin Panel, for 150 points, also a forensics challenge. It says: we captured some traffic logging into the admin panel. Can you find the password? So you can download this file. Again, I already have. Um, I don't know, log dot texas, whatever. Let's check out this file, because it is a pcap file, so that is a packet capture. You can open that in Wireshark. If you don't have Wireshark installed, you have to install Wireshark, blah blah blah, but it's the best tool for looking at pcaps manually anyway. So I opened it up without actually supplying the file, my bad. And you'll see a lot of HTTP requests, and you'll note them because they're green. Um, so you can explore each of them, and you'll notice that the packet information is listed here in the column, and you'll see they're trying to make GET requests to some kind of page. There are some interesting ones, though, because you'll see a POST to a login request, a GET to an admin page. So we can follow that TCP stream and explore the original request, right, uh, the client that's sending it in red, and then what the server responds with in blue. So this is their response.
This is what the page returns to them. So it says: welcome to the website; if you were the admin you would be able to see all your settings here. Neat. Uh, peculiar, but at least we kind of get an inkling that, okay, at that packet, or that communication in the server's, uh, conversation, at that point in the conversation you can see that later on there will probably be something happening referring to maybe another login or maybe viewing another admin page. So I see this POST login and I figure, like, well, it doesn't have any GET admin after that. So I figured, well, let's explore what that packet is. Let's follow that TCP stream, and again you can see red, the client, and blue, the response here. The interesting thing is, posting this login, the variables that they're trying to post or supply to the web page are given as arguments here. So you can see user is admin and password is the flag, picoCTF not secure, blah blah blah.

An interesting tidbit is that this is just HTTP, right, not HTTPS. It's not encrypted or anything, so the responses and stuff and the requests that we're seeing across the wire are in plain text. So what we could potentially do is just go ahead and run strings on this data pcap, and you'll get all the information that you would have had otherwise, at least visible in Wireshark. So what we can do is go ahead and use our magic grep to look for the flag format, see if we can get picoCTF with our regular expressions, and just like that the flag pops out. So kind of a neat technique, and honestly I did that before even opening up Wireshark. Like, literally before even opening the pcap in Wireshark, just because that's a quick and easy thing, a good thing to do, right? So let's create a get-flag script with just that and we're good to keep rolling. Things to note, especially when you're handed a pcap: strings is very quick if you're just going to be doing, like, simple analysis or just trying to find a needle out of a haystack. You know what I mean?
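Both techniques from the two challenges above, as an added example that is not code from the video: a minimal foremost-style JPEG carver (scan a raw image for start-of-image and end-of-image markers, ignoring the filesystem) and a strings-plus-grep flag search, run over constructed sample data. The disk image bytes, the capture bytes and the flag value are all made up here; the JPEG marker values and the default minimum string length of 4 are real.

```python
# Added example, not from the video: foremost-style JPEG carving plus a
# strings-and-grep flag search, both run over constructed sample data.
import re

SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker (and the next marker's lead byte)
EOI = b"\xff\xd9"      # JPEG end-of-image marker
FLAG_RE = re.compile(rb"picoCTF\{[^}\s]*\}")  # the flag format being grepped for

def carve_jpegs(blob: bytes, max_size: int = 8 * 1024 * 1024) -> list[bytes]:
    """Carve each span from an SOI marker to the nearest EOI within max_size.
    Like foremost, this ignores the filesystem entirely. Caveat: EXIF thumbnails
    carry their own EOI, so real-world files can come out truncated."""
    out, pos = [], 0
    while (start := blob.find(SOI, pos)) >= 0:
        end = blob.find(EOI, start + len(SOI), start + max_size)
        if end < 0:
            pos = start + 1  # no terminator in range: skip this candidate
            continue
        out.append(blob[start:end + len(EOI)])
        pos = end + len(EOI)
    return out

def printable_strings(blob: bytes, min_len: int = 4) -> list[bytes]:
    """What `strings` prints by default: printable-ASCII runs >= min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def find_flags(blob: bytes) -> list[bytes]:
    r"""Equivalent of `strings capture.pcap | grep -oE 'picoCTF\{[^}]*\}'`."""
    return [m for s in printable_strings(blob) for m in FLAG_RE.findall(s)]

# Constructed disk image: filesystem padding, two fake JPEGs, slack space.
JPEG_A = SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 40 + EOI
JPEG_B = SOI + b"\xe1\x00\x16Exif\x00\x00" + b"B" * 20 + EOI
DISK_IMAGE = b"\x00" * 512 + JPEG_A + b"\xff" * 100 + JPEG_B + b"\x00" * 64

# Constructed pcap-like capture: binary headers around a plaintext HTTP POST.
CAPTURE = (b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16
           + b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
           + b"user=admin&password=picoCTF{constructed_sample_flag}\r\n" + b"\x00" * 8)

if __name__ == "__main__":
    for i, jpg in enumerate(carve_jpegs(DISK_IMAGE)):
        print(f"carved jpeg {i}: {len(jpg)} bytes")
    print(find_flags(CAPTURE))
```

The carver recovers both fake images straight from the raw bytes, and the flag search finds the credential in the plaintext POST body exactly because the traffic is HTTP, not HTTPS.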
Let's mark that challenge as complete. Oh, didn't need to use the curly braces because I was supplying the argument, but that is done. Let's actually go ahead. Do I have it? Uh, crap. Let's get the flag out of that and submit. Nice.

Quick shout out to the people that support me on Patreon. Thank you guys so much, you're the best. I am grateful for each and every one of you, and I would be more than happy to have more of you. One dollar a month on Patreon will give you a special shout out, just like this, at the end of every video. You'll get your name up in lights, added to this list. I should make some kind of thing where your name just flashes lights in different epileptic colors. That'd be cool. Please subscribe. $5 a month on Patreon will give you early access to anything I release on YouTube, so videos that I record, hopefully kind of backlogged and ready to be released gradually on a daily upload schedule that I may give to YouTube over time. If you want the content right when it's ready, right when it's hot, that's the best way to do that. Uh, I've got to get better at kind of preparing a little content. Right now I am kind of in a funk, but that's my fault. I'm just a dude and, you know, life gets in the way. So I appreciate your support no matter what it is, and I'm super grateful for it. If you did like this video, please do like, comment and subscribe. Join our Discord server, link in description, a cool CTF community place full of CTF players, programmers and hackers. Words. I gotta stop. I gotta stop recording, guys. Thanks. I love you. I'll see you in the next video. Hope to see you on Patreon. Bye.