Hey everyone, this is another video write-up for the challenge Sleepy, for 70 points in the forensics category of TJCTF. The challenge prompt here is: I found this super suspicious transmission lying around on the floor. What could be in it? So we can copy this address, go ahead and download this file. It is a pcapng file. I'm just going to save it as a pcap file. And then we can open it up in Wireshark, take a look at it, see what we have to work with. So the gist of this is an FTP connection, like a client and server communication. Down at the very bottom, there is a certain amount of TLS v1.2. So some encrypted communication that we aren't particularly able to easily read. We just can't see those because they're encrypted packets. FTP is actually like a plaintext protocol. So thankfully we can see a lot of these communications that are being sent. You can see them trying to log in and authenticate with a user and password. So if we wanted to, we could actually just follow the TCP stream and see this entire communication. It looks like, I'm not able to zoom in here, but so they log in, list files, move into a directory, list files again, and eventually download or retrieve a key.zip file.

So I want to take a look at what that file is. What I'm going to do is I'm going to filter for anything that actually contains "key". And you can see, okay, here they actually are retrieving it, running the command, and on port 20, the FTP data port and channel there, we can actually view this. And that, you can note, has the PK file magic header at the very top. This is the zip archive that they're trying to download. Let's view it as raw. And then what I'm going to do is save it as key.zip. And once we have it, we should be able to just check it out in that directory. Let's see, do we have key.zip? Yes, we do. And it is a zip archive, because we're able to extract it raw from Wireshark. So let's go ahead and unzip this.
It looks like it ignored some parent directory notion. That's perfectly fine. It put a server key PEM file in this directory. So let's go ahead and check that out. cd user FTP files private, blah, blah, blah. And we have server key .pem. So this is a private key that we could use to decrypt that TLS communication, or that SSL, the encrypted packets in our Wireshark. So let's go ahead and try that. If I open Wireshark back up, what we can do is we can go ahead and create new settings over in Edit > Preferences. And we can open up the Protocols section over on the left tab, move to SSL. And we can specify a log file that we want to use. Let's just call it like log.debug. And then let's edit the RSA keys list. For one thing, we want the IP address of what we're actually communicating with. So before I jump through this, I should probably write that down. In the TLS, we want the notion of the server. So that should be 10.142.0.3. Yes, I believe so. Let's actually write that down. So we've got it jotted: 10.142.0.3. Cool. And if I'm wrong, we can just switch out what that setting might be.

Protocol SSL, debug log file log.txt, RSA keys list, add a new one for the IP address here. Port is 443; we can see them communicating on that. Protocol is HTTP. Key file, we'll browse for that. We can see we have it in this zip archive that we saved here. If we hit OK, we can hit OK one more time. And okay, I must have hit the wrong IP address. Okay, I switched out the IP address. Sorry about that hiccup. Now the packets are much more visible. We can see them, surrounding these TLS packets, actually making some HTTP requests, like simple requests. We can see the decrypted SSL, which we can view if we particularly wanted to. We can follow the TCP stream. That is the handshake. Decrypted SSL looks like they just make a GET request with Python requests. And they get this flag.jpg image. So it looks like a lot of these are actually carrying some TLS data.
So we start to make this request, but TLS will send it in other segmented packets. So you can see right up here, we have the HTTP response, OK, Content-Type: text/plain, etc. So what I ended up doing, truth be told, was actually viewing each of these and, like, carving them out by hand. So Follow SSL Stream, actually just double-clicking on it and selecting the decrypted SSL packets, we can copy this as a hex stream. And then what I'll do is I'll go ahead and put this in a Sublime Text file that we can work with. And note that that has HTTP Content-Type, etc., etc., file stuff in it. So we will have to cut some of that out, because it's viewing it as text/plain. But we'll convert it to a JPEG on our own. Once we compile all of these together: decrypted SSL, copy as hex stream, just like that. Do it for the third packet here: decrypted SSL, copy as hex stream. Okay, I'm sure there's a better and smarter way to do this. So if someone would please tell me, I would appreciate that in the comments or whatever.

JPEG header. I want to see what the start of this JPEG is. I think it's a file signature, right? They start with FF D8 FF E0. So FFD8. Oh boy, I hit Ctrl+F. Okay, found it just at the very top. So it looks like there are some newline characters here that we can remove. Let's go ahead and save these as something that we don't need. And let's put this as hex encoded.txt. And let's just use Python to actually decode these. So in Python, open hex encoded.txt, we can read that file. And then let's run just another one: open something.jpeg, "w", and let's write c decoded from hex. And now that that's done, we should have something.jpeg, which is a JPEG image, and we can view it. And we have the flag. Looks like it's a little cut up here. So I must have done something wrong. But the very top of it does give us the flag: TJCTF, wire shark or shark wire. I'm sure I did something wrong there. So I would appreciate, again, the point of notice there.
I did get this just fine when I ran through it on my own. But okay, when I have a camera rolling, it's like 1000 people are watching. So whatever, we've got the flag, we can write that down, we can submit it, we can mark this challenge as complete, and we are done. Hey, I want to give a special shout-out to the people that support me on Patreon. Thank you guys so much. $1 or more on Patreon will give you a special shout-out just like this at the end of every video. $5 or more on Patreon will give you early access to everything and release on YouTube before it goes live. If you did like this video and you want to see more CTF video write-ups or programming tutorials, or other stuff that I do, please do like, comment, and subscribe, join our Discord server, especially if you want to be kind of a part of us in jamming with me and some other cool players that are playing in HatCon 2018, opening up this Wednesday, and other CTFs that come in the future. It's just a really neat community. Hey, I hope to see you guys on Patreon. That would be phenomenal, and I hope to see you in the next video. Thanks.
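The hex-decoding step from the video, as an added example that is not the video's own script: it joins the "Copy as Hex Stream" pastes of the decrypted records (stray newlines included), strips the HTTP response headers instead of trimming them by hand, and uses Content-Length plus the JPEG SOI/EOI markers to report why a carved image would come out cut up. The HTTP response and the tiny fake JPEG are constructed inline; the output file name is an assumption.

```python
"""Reassemble a JPEG from hex-dumped, decrypted HTTPS response segments."""
import re

# Constructed sample: an HTTP response whose body is a tiny fake JPEG
# (SOI marker, a JFIF APP0 segment, a little padding, EOI marker).
FAKE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\x00" * 12 + b"\xff\xd9")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                   + b"Content-Length: %d\r\n\r\n" % len(FAKE_JPEG) + FAKE_JPEG)
# Three "Copy as Hex Stream" pastes, one per TLS record, with stray newlines.
SAMPLE_HEX_CHUNKS = [
    SAMPLE_RESPONSE[:40].hex() + "\n",
    SAMPLE_RESPONSE[40:60].hex() + "\n",
    SAMPLE_RESPONSE[60:].hex(),
]

def join_hex_chunks(chunks):
    """Concatenate pasted hex streams, drop all whitespace, and decode."""
    return bytes.fromhex(re.sub(r"\s+", "", "".join(chunks)))

def split_http_response(raw):
    """Return (lower-cased header dict, body) for a raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def carve_jpeg(chunks):
    """Decode the chunks, strip the HTTP headers, and check JPEG completeness.

    Returns (jpeg_bytes, problems); problems lists anything that explains a
    "cut up" image: length mismatch, missing SOI marker, missing EOI marker.
    """
    headers, body = split_http_response(join_hex_chunks(chunks))
    problems = []
    expected = headers.get("content-length")
    if expected is not None and int(expected) != len(body):
        problems.append(f"Content-Length {expected} != body {len(body)} bytes")
    if not body.startswith(b"\xff\xd8\xff"):
        problems.append("body does not start with JPEG SOI marker FF D8 FF")
    if not body.endswith(b"\xff\xd9"):
        problems.append("body does not end with JPEG EOI marker FF D9")
    return body, problems

if __name__ == "__main__":
    jpeg, problems = carve_jpeg(SAMPLE_HEX_CHUNKS)
    with open("something.jpeg", "wb") as fh:  # assumed output name
        fh.write(jpeg)
    print(f"wrote {len(jpeg)} bytes;", problems or "no problems found")
```

For the real capture, replace SAMPLE_HEX_CHUNKS with the pasted hex of every decrypted record of the response, in order; a non-empty problems list means a record was missed or pasted out of order.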