What is going on everybody? My name is John Hammond, and welcome back to the YouTube video. We're looking at the forensics category in the b00t2root 2019 CTF. This challenge is called Loopback. It just gives us a pcap to download. It's a Google Drive link, so it's kind of annoying; you can't wget it. I've already gone ahead and downloaded it; it is in my current directory. It's a pcapng file, so it's that next-generation thing. You can process it out to a regular old classic pcap if you'd like, or we can just kind of deal with it as it is. In our case right now, for the solution of this challenge, we don't need to do anything with it.

We can go ahead and start to do some basic stuff with it. Before we fire it up in Wireshark, check to see if there's anything in it that's plain-text readable. So just go ahead and run strings on it, and at the very, very bottom there's an interesting thing: it's B00t2root, I am the flag, in the flag format. This looks like the flag, but it is not. We can go ahead and submit it and see that it is very obviously not the flag. It also doesn't seem to be the right flag format, because that B is capital, and so far we've seen everything with a lowercase b.

So we could fire this up in Wireshark, but we still have some more low-hanging fruit we can check in a regular pcap file. What I'm going to do is actually make a directory, files, just in case we have anything in there, and I will go ahead and copy that data into files. Then I'm going to use tcpflow, which is super nice and super easy. If you don't have it installed, go ahead and install it; I believe it's in the repositories, and if not I'm sure you can track down the GitHub. You just run tcpflow -r to represent that you're going to read from a file. That will go ahead and not return any output, but take a look in your current directory now; you've got some extra stuff.
You've got some communication that's kind of labeled in the file name, between one IP address and the next, with a report.xml that will tell you everything that it found. If you take a look at these all with file, you'll see that one of these is ASCII text, which is kind of interesting. We can take a look at that; maybe that is the flag. Go ahead and cat that out: Hello server, okay? The other is a bitmap file, which we can also go ahead and take a look at. I'll just use eog, or whatever I have handy, to view that, and that looks like the flag. It is sideways, so we can go ahead and rotate it, Ctrl+R, there it is. And that's also not the right flag format, because it's not using the two zeros in b00t2root. But we have something new here: b00t2root, am_the_one. So if we want to try and submit that, we can do that, with the underscore one, and that is the correct flag. So that's that; that's literally it.

If you were to go ahead and take a look at this within Wireshark, you'll see that it is a lot of X11 data, and I struggled with that for a long, long time. I tried to figure out, well, do I need to set up an X11 server? I know it's sending it back to itself; is that a loopback thing, taken literally? I actually found a tool, chaosreader or something, that will let you create the replay files, but I never got anywhere with it. And then I just went back to the basics, and you actually will see tcpflow and that basic low-hanging fruit stuff in CTF-Katana if you go to my GitHub repository. Again, I'll tout that resource, and we'll bring out the automated version of that soon. So that's that. Hope you guys enjoyed this. Love to see you in the next video. If you did like this video, please like, comment and subscribe, and join the Discord server; there is a link in the description. Love to see you on Patreon, love to see you on PayPal, you know, the whole nine yards. Thanks again.