How's it going everybody? My name is John Hammond. This is picoCTF 2019. We're looking at the Shark on Wire 1 challenge. It's 150 points in the forensics category. The challenge prompt says: we found this packet capture, recover the flag. You can find this problem here on the shell server, but we're given a download link, so let's go ahead and work with it. I'm just going to copy this link and download it into a directory that we can start to work with. It says Shark on Wire 1. Let's get over there and wget that so we can pull it down and work with it. It is a PCAP file, so that means a packet capture: all the internet bytes and communications that are being sent back and forth on the wire, captured into an archive format. So let's fire that up in Wireshark. If you don't have Wireshark installed, you should be able to sudo apt install it; I think it's something like wireshark-qt, and if you're running on Windows or Linux or Ubuntu or Kali it might already be installed. But let's fire it up in Wireshark. We have capture.pcap and I'll bring that down so you can see it. So there's a lot here. This PCAP file has a lot of packets in it and there's a good amount to look through. So I kind of scrolled through. Honestly, I just kind of looked through it and moseyed through one packet at a time. What I'm looking for are things that might indicate the flag for me. Like if I were to run strings on it, you could look for it in that case, or any other tools like tcpflow or NetworkMiner or stuff like that. I didn't find a whole lot when I did that. So I ended up just droning through this PCAP, and there's a lot there. I noticed in some of these UDP packets, though, I see the word "pico". That's kind of interesting because that's hopefully going to end up being a flag if I keep scrolling through these. And I noticed that eventually, for some of them, some of these UDP packets have just the letter P, and then I, and then I see a couple of C's and O's represented.
And I thought, okay, maybe they're slowly building that flag one by one. And I noticed that's all in UDP packets. So I thought, whatever, let's just try this. Let's filter it down. Let's search for udp in the little filter bar up there. And some of these are still pretty useless. But as I scroll through some of them, you can see, okay, it's starting to build out "pico" and there's some other stuff that gets in the way. If I'm looking at the source and destination, though, the ones that are useful usually all come from the same host, .2. And the destination kind of varies, but I see some that include "pico" in there. And I also see "CTF" in order when I do that. So I thought, okay, maybe it's in some of these packets specific to one destination. So I stayed in that .2 realm and I filtered on destination, or let it sort by that. And I looked around until I found .12. It looks like .12 has picoCTF, open curly brace, some information there. Looks like there's some info. But those will change on .13. What does .13 say? If I go up to the very top packet, I can see picoCTF (I'm looking down here, by the way, if that's not clear already), open curly brace, and "n0t", "not a flag". Okay, so that one's not useful for us, but maybe .12 is. We could do this kind of by hand and piece the flag together, or we could automate our process with Scapy and Python. So I'm gonna do that. If you don't have Scapy, you can pip install, excuse me, pip install scapy, and that should be able to pull it down for you. Let's go ahead and create a script. I'll call mine getflag.py. And I'll open it up on the side here so we can work with it. Let's get a shebang line, #!/usr/bin/env python. I'll make that full screen for now so we can actually see that code. I'm going to do from scapy.all import *, so I get everything in the current namespace. And that seems to be a good way to actually get some of the Scapy functions there.
So the one we need to actually read in this file, to actually work with this pcap, is rdpcap. And inside of the parentheses we'll give the file name we're working with, which is capture.pcap. And now if I were to print out that pcap file, I have a lot of data that I'm going to end up working with; all of those packets are denoted as their own individual object. So I'll do python getflag.py. And you can see, okay, that's stored here as an object with 22 TCP packets, 1420 UDP packets. And we can start to loop through these, right? But we know we're going to focus on UDP. So I'm actually going to drill down strictly on that. I'll do pcap, and then in square brackets, UDP, which is going to act as a constant that we pulled in from scapy.all. So that will act as an identifier to let us know we're going to zoom in and specify only UDP packets. We could print those out. And that will tell us, okay, here are all of those strictly UDP packets; all the others have been kind of filtered out and are away from us. So now let's start to loop through these. Let's do for p in pcap[UDP]. And I'm just going to do p.show(), because that will display on the screen how we can actually look at the properties and all the attributes that each of those packets particularly has. A lot of output. Some of these are kind of interesting, though, but they denote how you're looking at it within Scapy with kind of this header here. So UDP is what we had previously; IP. IP is pretty handy for us because that'll let us specify the source IP address and the destination IP address, which is what we looked at within Wireshark. So let's actually set some filters up for that. Let's go ahead and verify that each of these has a p[IP]. And I got some results; some of them are returned as an object, but some of them have an error. They don't have that IP layer. So what I ended up doing was actually just kind of making a gross try and except statement, but that's fine, error handling.
It just raises an IndexError. So I'll be specific and use that as my syntax here. And then I'll just continue on those, because I don't particularly care about those. I only want to see the IP layer for the packets that have them. So let's run show on that so we can see the properties again. And there are a good amount. There we go. So we should be able to actually reach in and read that .src for the source IP address and .dst for the destination IP address and filter out their information, what actual packets they might have. Let's say if p[IP].src is equal to that IP address we were looking for within Wireshark, 10.0.0.2, and p[IP].dst is equal to 10.0.0.13, I think. Now we can actually check out what that packet really has for us. Let's check that guy out. Oh, I had an extra, or I didn't have my extra equal sign for that condition. Okay, so now we can see we have some information. And Raw is where you can see it actually has the load, or data, or the payload that came with that packet. So we should be able to print that out. Let's just create a flag variable, a little list we could add to. And let's do p[Raw].load. Let's do flag.append on that there. And then outside of our loop, we can go ahead and display that flag all joined together with an empty string. That way we'll just have it displayed back out to us. And in this case, I was wrong, because what is the actual value of this if we were to print it out? That's represented in bytes in Python 3. Also, I grabbed the .13 IP address. So that's the one that is the troll, "not a flag". But let's go ahead and work with this anyway. It's because we can decode these bytes that we're working with as UTF-8. So it has a little format for it to work in. Okay, now we have the actual string representation. So we can flag.append that and it will be displayed on one nice line for us. So that's not the flag. We need to switch this IP address to 10.0.0.12. Now we should get picoCTF state D that thing.
Is this our flag? Let's try and submit this. That's it. All right, that is correct. So that is how we could carve through all those different packets in that pcap file, what you would normally drone through manually with Wireshark, but Scapy allows us to automate that and even carve out the specific bytes or real data that we really wanted there. So let's mark that as executable. Let's run that and throw it to flag.txt. And let's finish this. So now Shark on Wire is complete. Great. Thank you guys for watching. I hope you enjoyed this. If you did, please do like, comment, subscribe. I'd love to see you in the Discord server, link in the description. Love you on Facebook, love you on PayPal, love you on Patreon. I'm tired of doing these outros.
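As an added illustration (not the script from the video, and not part of the transcript): the same filter-and-join carve John does with Scapy, written against the raw pcap record format with only the Python standard library so it runs without Scapy. The capture is constructed inline; the flag text, the noise host 10.0.0.7 and the zeroed checksums are made up for the sample, while 10.0.0.2, 10.0.0.12 and 10.0.0.13 are the addresses the video talks about.

```python
import struct

# Constructed example: a minimal pcap reader doing what the Scapy loop does
# (keep UDP packets from src to dst, concatenate their Raw loads), no Scapy needed.
def build_udp_frame(src: str, dst: str, payload: bytes) -> bytes:
    """Ethernet/IPv4/UDP frame for the sample capture (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType 0x0800 = IPv4
    udp = struct.pack("!HHHH", 5000, 5000, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + udp

def build_pcap(frames) -> bytes:
    """Little-endian pcap: 24-byte global header, then 16-byte record header + frame."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return head + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                           for i, f in enumerate(frames))

def udp_payloads(pcap: bytes, src: str, dst: str):
    """Yield UDP payloads sent from src to dst in capture order; other records are skipped."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    assert struct.unpack(endian + "I", pcap[20:24])[0] == 1, "assumes Ethernet link type"
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue                                        # no IP/UDP layer: skip it
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        s, d = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        if proto != 17 or s != src or d != dst:
            continue
        u = 14 + ihl                                        # UDP header start
        udp_len = struct.unpack("!H", frame[u + 4:u + 6])[0]
        yield frame[u + 8:u + udp_len]

def recover_flag(pcap: bytes, src: str, dst: str) -> str:
    return b"".join(udp_payloads(pcap, src, dst)).decode("utf-8")

# Constructed capture mirroring the video: one decoy stream to .13, the flag to .12 one
# byte per packet, with unrelated UDP noise from another host interleaved.
FLAG_BYTES = [bytes([c]) for c in b"picoCTF{constructed_example}"]
SAMPLE_PCAP = build_pcap(
    [build_udp_frame("10.0.0.2", "10.0.0.13", b"picoCTF{not a flag}")]
    + [f for ch in FLAG_BYTES for f in (build_udp_frame("10.0.0.2", "10.0.0.12", ch),
                                        build_udp_frame("10.0.0.7", "10.0.0.12", b"noise"))])

if __name__ == "__main__":
    print(recover_flag(SAMPLE_PCAP, "10.0.0.2", "10.0.0.12"))
```

Swap SAMPLE_PCAP for the bytes of a real capture.pcap and the same two address filters apply; the decode step is where a non-text decoy stream would fail loudly rather than silently.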