FindAndOpen

Description

Someone might have hidden the password in the trace file.

Find the key to unlock this file. This tracefile might be good to analyze.

Solution

For this challenge we are given two files: one PCAP and one ZIP file.

% file *
dump.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
flag.zip:  Zip archive data, at least v1.0 to extract, compression method=store

It appears we are suppose to find the password for the zip file somewhere within the pcap. The pcap is pretty small thankfully, only 69 packets.

Upon examining the first few Ethernet frames we are given a hint.. or a tease:

After examining the data of the other frames we are given more hints:

Around these frames are 26 mDNS (multicast DNS) packets. Multicast DNS is pretty much regular DNS but for smaller networks where, instead of querying a name server, all participants in the network are directly addressed.

Investigating the mDNS queries and responses, I coudn't find anything interesting so I pivoted back to the Ethernet frames.

Some of the data from the frames I noticed, appeared to be Base64. Therefore I decoded the text.

% echo "VGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8=" | base64 -d 
This is the secret: picoCTF{R34DING_LOKd_    

Using this, we can try to unlock the zip file. picoCTF{R34DING_LOKd_

% unzip flag.zip                    
Archive:  flag.zip
[flag.zip] flag password: 
 extracting: flag                    
% ll
total 16
-rw-r--r--. 1 matthew matthew 7413 May 18 11:39 dump.pcap
-rw-r--r--. 1 matthew matthew   45 Mar 15 22:40 flag
-rw-r--r--. 1 matthew matthew  231 May 18 11:39 flag.zip
% cat flag
picoCTF{R34DING_LOKd_fil56_succ3ss_b98dda6a}

Flag

The flag is picoCTF{R34DING_LOKd_fil56_succ3ss_b98dda6a}