This last challenge in the extreme category of Ryan Nicholson's capture-the-flag competition is called Custom Encoded Data. It says: view the attached packet capture to determine the flag that was sent from this IP address. So we can go ahead and download this pcap file. It is a packet capture, so if we want to, we can open it up in Wireshark. First, let's download it so we've got it saved in our own CTF directory, and then we can open it up. I struggled with this challenge for a long time because I didn't particularly know what I was doing. We do not have a whole lot of packets here, as you can see in Wireshark, but we have a conversation between two computers, two things, right? 192.168.blah.blah.164 talking to 163. It looks like there is some stuff going on, but nothing particularly interesting down below. In the ASCII representation, only one of these packets actually has a data section, and it looks like it includes whatever this is: 8C, 98, blah, blah, blah, etc. So, obviously, nothing plain text, nothing that I can just straight up run strings on, which is what I would want to use as my typical low-hanging fruit, the easy things I can run through my checklist in a CTF competition, but no dice here. So I was kind of scratching my head as to what I could really do with this: no hints that I wanted to use, no other notions from the challenge prompt. What I started to do was actually script things that would test out rotations or other techniques that might have been used to obfuscate this data. The way I initially did this was with Scapy, and again, that is a Python packet capture and packet manipulation library, a packet-whatever-you-want-to-do-with-them library in Python. If you need to install it, sudo pip install scapy, and you can get going with it that way. I've shown it in a couple of other videos before, but that is my go-to for playing with pcap files. 
So, all right, let's do this. I want to import everything from Scapy, so from scapy.all import *, then I read the pcap with rdpcap; we can call the result packets, and the filename is just flag.pcap. Then, if I wanted to, I can run packets.show(). So, in the command line, if we go ahead and run this, you can see that it prints out all of these packets, but only this one, index 3, has some raw data. So if I look at packets[3] and run show() on that, we can see what it is we're working with. It has the load here as part of the Raw layer. So let's get Raw out of it, and that load data just looks like binary bits and whatever. What I had done for testing and for learning was just trying to increment characters and see if there is anything in this that's been rotated or translated. What I mean by that is: for i in range(255), and then I would try and print the character version of this. So I'm going to do some list comprehension, x for x in that string, get the ordinal of that so we get a number between 0 and 255, add on the i that we're working with, and chr that, and since that will just be a list, I can join them together. But this won't get me anything interesting either. And why do I have a syntax error there? Oh, I am forgetting a closing parenthesis. Okay, so running through that, it's going to error out. So, again, we want to take the modulus inside chr, wrap it around at 255. Fail again; what's wrong? Oh, put this in parentheses. And again, I'm leading you down this rabbit hole because I let myself down this rabbit hole: even with this, there is nothing interesting. Even if I tried strings on it, no such flag or whatever. And some of these look like base64, so just for funsies I even tried import base64, try base64 decode, et cetera, et cetera, but that didn't pan out. 
So, props to Alyssa Tiger, a friend of mine who is in the Discord server. Link in the description. You should totally join the Discord server if you aren't already; a lot of cool CTF hackers and programmers just jamming together. So, that didn't happen, and he had this notion, this thought: well, what is this supposed to actually decode out to? Just trying to think, okay, let's work backwards. We know it's ideally the flag, right? So the flag format, quote unquote, that we've seen throughout this competition is a capital FLAG and then whatever the string actually is that is the flag. So he had that idea, and I was thinking, oh, okay, good, good, good call. Maybe this is some XOR challenge. I tried from pwn import *, and then I tried to XOR that original packet message with what we would know to be the first couple of characters, like FLAG in capitals, and then I would try and print that out, but that wasn't going to get me anything either. Why didn't that run? Did that run? Oh, no, it was probably just bytes or whatever. Yeah, if I wrap that, it'll give me that output, but again, no real actual data out of that. So we tinkered with this a little bit more, and then we had the notion: okay, what is the actual order of this? What are the ordinals of all those characters that we started to loop through? So I wanted to just print out the first couple of values here: for x in this guy, let's print out, let's get an idea of what those x ordinals are. Print this out, and we see all of these numbers, interesting enough. So let's try that for what we know the flag format would be, right? We would do ord(x) for x in the string FLAG. And an interesting thing that I noticed, and it was kind of pointed out when we looked at this, was that 140 at the top here, 152, 130, et cetera, these just seem to be two times what we're looking for in the original flag or plaintext. 
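As an added example, not the video's own script (which used Scapy): a pure-Python walk-through of the work-backwards idea above. It builds a small classic pcap in memory (the two hosts, the ports and the flag FLAG{doubled_bytes} are constructed here, and the capture is assumed to be little-endian classic pcap with Ethernet link type), pulls out the one TCP payload that carries data, compares its first bytes against the known prefix FLAG to infer the per-byte multiplier, and undoes it. Only struct is used, so it runs without Scapy; on the real capture you would read the file instead of building it.

```python
import struct

# Constructed sample: the flag and the two hosts are invented for this example.
FLAG = b"FLAG{doubled_bytes}"
SRC, DST = bytes([192, 168, 1, 164]), bytes([192, 168, 1, 163])


def encode_doubling(plain: bytes) -> bytes:
    """The transform seen in the challenge: every byte is multiplied by two.
    ASCII bytes (< 128) stay below 256, so nothing wraps around."""
    return bytes(2 * b for b in plain)


def build_frame(payload: bytes, flags: int) -> bytes:
    """Ethernet + IPv4 + TCP frame with no options, carrying `payload`."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, SRC, DST)
    tcp = struct.pack("!HHIIBBHHH", 40000, 9999, 1, 1, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Classic pcap: 24-byte global header, then per-record header + frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out


# A handshake, one data packet and a FIN, like the sparse capture in the challenge.
SAMPLE_PCAP = build_pcap([
    build_frame(b"", 0x02),                    # SYN, no data
    build_frame(b"", 0x12),                    # SYN/ACK
    build_frame(b"", 0x10),                    # ACK
    build_frame(encode_doubling(FLAG), 0x18),  # PSH/ACK carrying the encoded flag
    build_frame(b"", 0x11),                    # FIN/ACK
])


def tcp_payloads(pcap: bytes):
    """Yield every non-empty TCP payload from a little-endian classic pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:  # not TCP
            continue
        tcp = 14 + ihl
        data_off = (frame[tcp + 12] >> 4) * 4
        payload = frame[tcp + data_off:14 + ip_len]  # trim any Ethernet padding
        if payload:
            yield payload


def infer_multiplier(cipher: bytes, known_prefix: bytes):
    """Work backwards from the known flag prefix: if every ciphertext byte is
    the same integer multiple of its plaintext byte, that multiple is the key.
    Returns None when the bytes do not fit a clean multiply (e.g. XOR, rotation)."""
    pairs = list(zip(cipher, known_prefix))
    if not pairs or any(c % p for c, p in pairs):
        return None
    ks = {c // p for c, p in pairs}
    return ks.pop() if len(ks) == 1 else None


def undo_multiply(cipher: bytes, k: int) -> str:
    # An odd byte means this was not a clean doubling, or a byte wrapped mod 256.
    if any(c % k for c in cipher):
        raise ValueError("payload is not a clean multiple of %d" % k)
    return bytes(c // k for c in cipher).decode("ascii")


def recover_flag(pcap: bytes, prefix: bytes = b"FLAG") -> str:
    """Find the data-carrying packet, infer the transform from `prefix`, undo it."""
    for payload in tcp_payloads(pcap):
        k = infer_multiplier(payload[:len(prefix)], prefix)
        if k:
            return undo_multiply(payload, k)
    raise ValueError("no payload matched the expected transform")


if __name__ == "__main__":
    print(recover_flag(SAMPLE_PCAP))
```

The evenness check in undo_multiply is the practitioner's sanity test: the doubling only round-trips because every flag byte is ASCII, so a single odd byte in the payload tells you immediately that the transform is something else and that the known-prefix comparison should be tried against XOR or rotation instead.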
So, it looks like the encoded data is just two times what we're looking for. So all we have to do is divide each of these by two, right? Let's do that. Let's print out ord divided by two, take the character representation of that so we get ASCII, and then join these all together as a string, and boom, we get our flag, just like that. So that was the trick: not a whole lot of really encoded data or anything, but just a fancy notion of, okay, we've modified the bytes a little bit in here to do something else. So that was some fun, interesting reconnaissance and a really, really big stumbling block for a long time. I couldn't entirely know what I was doing, I felt like I was guessing, but still, in each challenge it is always good to look at the bytes, or really just do whatever I can to examine the data that we're looking at. Also some cool stuff with Scapy, good to know and good to play with. So we can go ahead and submit that, earn our points or whatever, and mark this challenge as complete.

I want to give a special shout out and some love to all the supporters and the people who are willing to help and donate to the channel through Patreon. $1 a month on Patreon will give you a special shout out just like this at the end of every video. $5 a month on Patreon will give you early access to all of my videos and things that are released on YouTube. So please do send some love; I'd be super duper grateful. I'm really appreciative of you guys being willing to go on this journey with me. Hey, if you did like this video, please do press that like button. Maybe leave me a comment, and subscribe if you're willing. And please join the Discord server and hang out with us. And if you're willing to, check me out on Patreon. Great. See you soon.