A write-up of the “Normal” network covert-channel pcap analysis challenge from 5Charlie CTF.
Normal - Challenge
Just some normal traffic. Can you find a flag?
Normal - Solution
Taking a look at the pcap, most things look normal at a glance, with one exception: there are intermittent TCP SYNs to port 8000 sprinkled in. We can confirm the funky traffic by looking at the TCP conversations in Wireshark, sorted by destination port.
Filtering on our suspicious traffic, we notice that the source address changes with each request.
If you’re familiar with how flags look in different formats, you may recognize that the offsets between the source addresses look similar to the offsets between the ordinal values of the characters in “flag”. It’s not an exact match though… each value is incremented by 10.
Using tshark and a little scripting, we can pull the last octet out of each matching packet, decrementing each value returned by 10.
We can then paste the output into CyberChef and convert it with the FromDecimal operation.
Integers go in, flag falls out. 😃
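The decoding pipeline described above, as an added example that is not the write-up author's script: it assumes the matching SYNs have already been extracted with a tshark field dump of `ip.src` (the exact command is an assumption; the write-up does not show it), infers the per-character shift the same way the author did (by lining the first octets up against "flag"), and then does the FromDecimal step in code. The addresses in `SAMPLE_TSHARK_OUTPUT` are constructed, not the challenge's real traffic.

```python
"""Recover a message hidden in the last octet of varying source addresses.

Added example for this write-up, not the author's own script. It assumes the
SYNs to port 8000 have already been pulled out with a tshark field extraction
(the exact command is an assumption; the write-up does not show it):

    tshark -r normal.pcap \
        -Y 'tcp.dstport == 8000 && tcp.flags.syn == 1 && tcp.flags.ack == 0' \
        -T fields -e ip.src

The sample below is constructed and is not the challenge's real traffic.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed sample of the ip.src column such a tshark run would print, one
# address per SYN in capture order. The last octet is the character's ordinal
# plus 10 (the shift the write-up noticed), spelling "flag{covert}".
SAMPLE_TSHARK_OUTPUT = """\
10.13.37.112
10.13.37.118
10.13.37.107
10.13.37.113
10.13.37.133
10.13.37.109
10.13.37.121
10.13.37.128
10.13.37.111
10.13.37.124
10.13.37.126
10.13.37.135
"""


def last_octets(lines: Iterable[str]) -> list[int]:
    """Return the final octet of every IPv4 address in the tshark output.

    Blank or non-IPv4 lines are skipped; tshark prints an empty field for
    frames that match the filter but carry no ip.src (e.g. IPv6).
    """
    octets = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            addr = ipaddress.IPv4Address(line)
        except ipaddress.AddressValueError:
            continue
        octets.append(addr.packed[-1])
    return octets


def infer_offset(octets: list[int], known_prefix: str = "flag") -> Optional[int]:
    """Work out the per-character shift the way the write-up did: assume the
    message starts with the usual flag prefix and check that one constant
    offset explains every prefix character. Returns None if it does not."""
    if len(octets) < len(known_prefix):
        return None
    offset = octets[0] - ord(known_prefix[0])
    for octet, ch in zip(octets, known_prefix):
        if octet - ord(ch) != offset:
            return None
    return offset


def decode(octets: list[int], offset: int) -> str:
    """Undo the shift and map each value to a character (CyberChef FromDecimal)."""
    chars = []
    for octet in octets:
        value = octet - offset
        if not 32 <= value < 127:
            raise ValueError(f"octet {octet} - {offset} is not printable ASCII")
        chars.append(chr(value))
    return "".join(chars)


def recover_flag(tshark_output: str, known_prefix: str = "flag") -> str:
    """Full pipeline: tshark text -> last octets -> inferred offset -> message."""
    octets = last_octets(tshark_output.splitlines())
    offset = infer_offset(octets, known_prefix)
    if offset is None:
        raise ValueError("no constant offset maps the first octets onto the prefix")
    return decode(octets, offset)


if __name__ == "__main__":
    print(recover_flag(SAMPLE_TSHARK_OUTPUT))
```

Inferring the offset from the expected prefix rather than hard-coding 10 means the same script works if a variant of the channel uses a different shift; it also fails loudly instead of emitting garbage when the first octets do not line up with the prefix at all.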