What's up, guys? John Hammond here, PicoCTF 2017. Looking at the forensics category on level one, we got the last challenge that we're checking out, 50 point challenge, special agent user. We can get into the administrator's computer with the browser exploit, but first we need to figure out what browser they're using. Perhaps this information is located in the network packet capture we took, data.pcap. Enter the browser and the version as browser name, browser version, and we're just looking for three levels of subversions for whatever that is. Okay, so let's go ahead and download this pcap. Let's create a new directory for ourselves to work in, special agent user. Get in there, there you get this data. Sweet, we can open this up in Wireshark if we want to look through it manually. We know we're gonna be looking at, well, user agent stuff. So that is an HTTP header, right? User agent. A user agent is software or a software agent acting on behalf of the user. So that's typically the web browser that you're using to look at websites. And it's denoted in the HTTP transfer protocol. Yeah, let's get into it and do it for real. I wanna show you here. If we look at one of these streams, follow TCP stream just as we had before, you can see there's a user agent Wget, but that's the one that we just kind of use to download stuff. So that may not be what we're actually looking for. We're probably looking for something like Mozilla Firefox or another one. So let's check out some others. Let's check out this guy here. I can see he's using Wget again. I'm still looking through green packets here because they are that HTTP protocol. Again, more Wget, blah, blah, scrolling through this stuff. Another get. Man, where's anything interesting? Is there anything over here? Hmm, well, if we can't find it looking through manually, now we know about how we can just explore this in kind of an automated fashion by running strings on this guy. And let's grep for user agent.
I'm using -i here to denote case insensitive. And a lot of the stuff that we saw earlier was Wget, right? But there's an oddball here. There's an anomaly, holy cow, tongue twister. So let's copy and paste this and let's just explore what this actually is. Because this doesn't tell us like, oh, it's Firefox version 52.9000 or whatever. So we gotta figure out how that correlates to an actual browser version. You can do this online. There is a user agent detect or something. User agent, lookup. Yeah, that's a better word for it. UA lookup, browscap. Okay, and then we can just paste it in here. There are plenty of tools to do this online. This looks like it is Chrome. Okay, will it tell us 34.0? Is that all we need to give it? Let's go find out. We don't need any zeroth versions. So we can do Chrome 34.0, Chrome 34.0.0, nope. No dice, hmm. All right, let's try just another website tool to see what we've got here. We can paste it in here, analyze, analyze. Chrome won't tell me, hmm. That's all right, let's not give up. This is also a learning thing is you just try every single tool. 34.0.1847, let's try that. We don't need that 137. Okay, we got it, sweet. That's it, awesome. So yeah, persistence, right? Offsec try harder. I don't know if you've seen that before but that is something kind of in the scene where the people that do Kali Linux and all of the penetration testing labs are Offensive Security, they always, their slogan is to try harder. Don't give up, keep banging your head against the wall no matter how bad it hurts. So that was cool, whatever. Maybe I didn't notice the actual answer on some of those other pages and you guys can comment and make me look like a fool if you want. But user agent lookup string, that's important.
User agent is kind of neat when we're doing some capture the flag competitions because it will let us spoof a browser or something or pretend like we are acting on behalf of Mozilla Firefox even if we're just like trying to use Python requests or Wget or whatever. We can play with that and do it, take advantage of it and do interesting, do cool things with it, so. Hey, I want to give this special shout out to my supporters. The video's over but these people deserve some love. I was gonna list all these names but then I decided against it in that split second. You guys are all awesome. One dollar a month on Patreon will give you this special shout out at the end of every video. Five dollars a month will give you early access to everything that I record and put online. YouTube, I'll normally just gradually release things day by day but if you want stuff immediately right when the content is ready, once it's recorded and done, you can do that through the Early Access five dollars a month thing. Hey, if you did like this video, please do press that like button, maybe leave me a comment, maybe subscribe. If you wanna check me out on Patreon, I would love that on my website, www.johnhammond.org. See you later.
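The workflow in the video (pull every User-Agent string out of the capture, spot the one that is not Wget, then cut its version to three levels) can be scripted. This is an added example, not code from the video; the capture bytes, the Wget version, and the full Chrome User-Agent string are constructed samples, with only the `34.0.1847.137` version taken from the transcript.

```python
import re
from collections import Counter

# Constructed sample standing in for the raw bytes of a capture file:
# binary framing bytes around plain-text HTTP requests.
SAMPLE_CAPTURE = (
    b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00"
    b"GET /a HTTP/1.1\r\nUser-Agent: Wget/1.16 (linux-gnu)\r\nHost: 10.0.0.1\r\n\r\n"
    b"\x00\x01\x45\x00"
    b"GET /b HTTP/1.1\r\nuser-agent: Wget/1.16 (linux-gnu)\r\nHost: 10.0.0.1\r\n\r\n"
    b"\x08\x00\x45\x00"
    b"GET / HTTP/1.1\r\nHost: 10.0.0.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) "
    b"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36\r\n\r\n"
)

# Case-insensitive, like `grep -i`; header names are not case-sensitive in HTTP.
UA_RE = re.compile(rb"user-agent:[ \t]*([^\r\n]+)", re.IGNORECASE)

def user_agents(raw):
    """Tally every User-Agent value found in the raw capture bytes."""
    return Counter(m.group(1).decode("latin-1").strip() for m in UA_RE.finditer(raw))

def rarest(counts):
    """Return the least frequent User-Agent: the anomaly among the Wget noise."""
    return min(counts, key=counts.get)

def chrome_version(ua, levels=3):
    """Return 'Chrome X.Y.Z' truncated to `levels` components, or None if not Chrome."""
    m = re.search(r"Chrome/(\d+(?:\.\d+)*)", ua)
    if m is None:
        return None
    return "Chrome " + ".".join(m.group(1).split(".")[:levels])

if __name__ == "__main__":
    counts = user_agents(SAMPLE_CAPTURE)
    for ua, n in counts.most_common():
        print(f"{n:3d}  {ua}")
    print(chrome_version(rarest(counts)))
```

Like `strings | grep`, this only sees headers sent in cleartext that sit whole inside one packet; for real captures, read the file with `open("data.pcap", "rb").read()` and pass the bytes to `user_agents`.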