# Enc0ded Writeup (CyberTalents)
## Introduction
Hold onto your Ethernet cables, folks, because today we're embarking on a journey into the wild and woolly world of Wireshark and packet analysis! It's like being a digital detective, only instead of a magnifying glass, you've got a pixelated decoder ring, and instead of solving crimes, we're decoding the secret language of the internet. So, loosen up those mouse-clicking fingers and get ready to unravel the hidden tales of the cyberwaves. It's a packet party, and you're on the guest list!
## Challenge Description
An attacker on the network is trying to poison the ARP table of 11.0.0.100; the admin captured this PCAP.
- https://hubchallenges.s3-eu-west-1.amazonaws.com/Forensics/ARP+Storm.pcap
## Solution
We begin by downloading the pcap file from the link above and then start the analysis.
Several open-source tools can open a pcap file, such as Wireshark or TShark.
In this case I'll be using the terminal tool known as TShark.
TShark is the command-line version of Wireshark, developed by the Wireshark project.
To use it, open a terminal and type `tshark` at the prompt.
## Step 1
We will begin by learning a little more about the pcap file before opening it, using the following commands:
```bash
file ARP+Storm.pcap
capinfos ARP+Storm.pcap
```

From the screenshot above we can see the date and time the packets were captured, as well as the number of packets in the capture (68 packets).
## Step 2
After checking the file details, we open the pcap file to see what kind of packets it contains.
To do this we run `tshark` on the file, which prints a one-line summary of each packet.

We can also add the `-n` option to the command, which disables name resolution so that the raw source and destination MAC addresses are shown instead of resolved names.

From the second screenshot we can see much more detail.
Most of the data stays the same from packet to packet, so the flag is unlikely to come from the first 10 columns.
Luckily, the last column contains characters that look like hex and that change from packet to packet. This could be what we are looking for, so we need to dig deeper.
## Step 3
We need to discard all the other columns and keep only the last one, using a command that prints just that column:
```bash
tshark -n -r ARP+Storm.pcap | awk --field-separator ' ' '{print $11}'
```
This reads the file, splits each output line into columns at every space, and prints only the contents of column 11, which is the last column.

Looking at this output we also see characters that repeat in every row, which are unlikely to be useful, so we will try to remove them and see what we are left with.
Before removing them, we save the output above to a text file so we can manipulate it further.
## Step 4
After saving the tshark output to a file (here `arpdump.txt`), we can view it with `cat` to see how it looks.

It still looks the same as before, so let's clean it up by removing those repeated zeros with the following command:
```bash
cat arpdump.txt | cut -d "x" -f 2 | xxd -r -p
```
Let's break this command down:
- `cat arpdump.txt` reads the text file.
- `cut -d "x"` splits each line at the letter `x`, dropping the `x` itself along with everything before it once a field is selected.
- `-f 2` tells `cut` to select the second field, i.e. the part after the `x`, which isolates the hex-encoded portion of each line.
- `xxd` creates a hex dump from its input.
- `-r` reverses the operation, turning a hex dump back into binary.
- `-p` selects the plain (PostScript-style) continuous hex format, so `-r -p` reads bare hex digits with no offsets and writes out the raw bytes.
This is what is displayed after running the command: a base64-encoded string.

## Step 5
To decode the base64 string we obtained, we run the following command:
```bash
echo -n "ZmxhZ3tnckB0dWl0MHVzXzBwY09kZV8xc19BbHdAeXNfQTZ1U2VkX3QwX3AwMXMwbn0=" | base64 -d
```
Running this command gives us the flag:

```
flag{gr@tuit0us_0pcOde_1s_Alw@ys_A6uSed_t0_p01s0n}
```
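To show the whole procedure end to end in one place, here is an added Python example; it is not the challenge author's code and it does not download the real capture. It builds a small constructed pcap containing a normal ARP request and reply, a gratuitous ARP from a spoofing host, and a run of frames whose opcode field carries one byte each, then parses the pcap by hand, flags the frames a defender would want to see (non-standard opcodes and gratuitous ARP claiming the gateway of 11.0.0.100) and reconstructs and base64-decodes the bytes hidden in the opcodes, which is what the `awk | cut | xxd -r -p | base64 -d` chain above does. The assumption that the varying hex in the last column is the ARP opcode field carrying one data byte per packet is mine, suggested by the `0x` prefix and the flag text; the IPs, MACs and the `constructed-sample` secret are made up.

```python
"""Added example: parse a pcap of ARP traffic, flag unknown opcodes and gratuitous
ARP, and rebuild data smuggled in the opcode field. Capture is constructed inline."""
import base64
import struct

ETH_P_ARP = 0x0806
PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b):
    return ":".join("%02x" % x for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def arp_frame(opcode, sha, spa, tha, tpa, eth_dst=None):
    """Ethernet II + ARP (htype 1, ptype IPv4), big-endian as on the wire."""
    eth = (eth_dst or tha) + sha + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sha + spa + tha + tpa
    return eth + arp


def pcap_bytes(frames):
    """Wrap frames in a little-endian pcap file (version 2.4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", 1694000000, i, len(f), len(f)))
        out.append(f)
    return b"".join(out)


def pcap_frames(data):
    """Yield raw frames from a classic pcap; handles both byte orders."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {PCAP_MAGIC_LE: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    _, _, hlen, plen, opcode = struct.unpack_from("!HHBBH", frame, 14)
    p = 22
    sha, p = frame[p:p + hlen], p + hlen
    spa, p = frame[p:p + plen], p + plen
    tha, p = frame[p:p + hlen], p + hlen
    tpa = frame[p:p + plen]
    return {"opcode": opcode, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def analyse(data):
    """Classify each ARP frame; collect bytes hidden in non-standard opcodes."""
    findings, smuggled = [], bytearray()
    for n, frame in enumerate(pcap_frames(data), start=1):
        a = parse_arp(frame)
        if a is None:
            continue
        if a["opcode"] not in (1, 2):  # only request (1) and reply (2) are normal
            findings.append((n, "unknown ARP opcode 0x%04x" % a["opcode"]))
            # Assumption: one data byte per frame in the opcode; drop the zero high byte.
            smuggled += struct.pack("!H", a["opcode"]).lstrip(b"\x00")
        elif a["spa"] == a["tpa"]:  # gratuitous ARP: a host announcing (or hijacking) an IP
            findings.append((n, "gratuitous ARP for %s from %s"
                             % (fmt_ip(a["spa"]), fmt_mac(a["sha"]))))
    return findings, bytes(smuggled)


def decode_payload(smuggled):
    """Equivalent of the writeup's `xxd -r -p | base64 -d` step."""
    return base64.b64decode(smuggled, validate=True).decode()


# --- constructed sample capture standing in for ARP+Storm.pcap ---------------
SECRET = b"constructed-sample"               # made-up stand-in for the hidden text
ENCODED = base64.b64encode(SECRET)            # one base64 character per frame
VICTIM_IP, VICTIM_MAC = ip("11.0.0.100"), mac("00:0c:29:aa:bb:cc")
GW_IP, GW_MAC = ip("11.0.0.1"), mac("00:0c:29:11:22:33")  # assumed gateway
ATTACKER_MAC = mac("de:ad:be:ef:00:01")
BCAST, ZERO = mac("ff:ff:ff:ff:ff:ff"), mac("00:00:00:00:00:00")

SAMPLE_PCAP = pcap_bytes(
    [arp_frame(1, VICTIM_MAC, VICTIM_IP, ZERO, GW_IP, eth_dst=BCAST),  # normal request
     arp_frame(2, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),               # normal reply
     arp_frame(2, ATTACKER_MAC, GW_IP, BCAST, GW_IP)]                  # gratuitous: attacker claims gateway IP
    + [arp_frame(c, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP) for c in ENCODED])

if __name__ == "__main__":
    found, payload = analyse(SAMPLE_PCAP)
    print("\n".join("frame %d: %s" % f for f in found))
    print("recovered:", decode_payload(payload))
```

Run it as a script to see one line per suspicious frame followed by the recovered text; point `pcap_frames` at the bytes of a real capture to run the same checks on it. The gratuitous-ARP check is the defender-side signal from the challenge: a host repeatedly announcing an IP it does not own is how the cache of 11.0.0.100 gets poisoned, whatever the opcode field carries.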
---
**Author:** Gr3yW0lff

**Date:** September 2023