---
title: 'SpringForwardCTF 2023 | Forensics & Writeup'
---

SpringForwardCTF 2023 Forensics Writeup
===

![Awesome](https://awesome.re/badge.svg)

![SpringForwardCTF 2023](https://ctftime.org/media/cache/a4/97/a497ca3c0174b22d4d371f74f39c81e2.png)

## Forensics/No Expectation of Privacy

We've been monitoring data coming and going from around campus. Might be worth looking into it to see if anything weird stands out. Could be that's how whoever is behind the weird stuff on campus is communicating? We're looking for something from someone named RB.

Developed by [Cyb3rSw0rd](https://github.com/AlfredSimpson)

[caughtin2023.pcapng](caughtin2023.pcapng)

---

#### Analysis

The given capture file `caughtin2023.pcapng` contains **14939 packets**. Filtering for frames longer than 100 bytes with `frame.len > 100` reveals an interesting port, `1337`, carrying a small conversation of `data` packets.

![frame.len > 100](https://i.imgur.com/Itr71eS.png)

After that, using `data` as the display filter leaves only `30` packets, and the answer to this challenge is among them.

![data](https://i.imgur.com/zM4VwGZ.png)

Alternatively, we can use `strings` and `grep` to find the flag inside the capture.

```
% strings caughtin2023.pcapng | grep 'nicc{'
Q24 nicc{th3y_t011_f0r_th33}
```

That's `GREP TO WIN`. :tada:

:::success
Flag:`nicc{th3y_t011_f0r_th33}`
:::

---

## Forensics/Say Cheese!

This photo was given to us and we believe this man may play an important part into all this craziness. Can you find out what the make and model of the device used to take the selfie was?

Flag will be in this format
> nicc{MakeWord1_MakeWord2_ModelWord1_ModelWord2}

Developed by ihanna2

[Selfie.jpg](Selfie.jpg)

---

#### Analysis

The given file `Selfie.jpg` is JPEG image data. As the challenge description says, we need to find the make and model of the device used to take it. Using `exiftool`:

```
% exiftool Selfie.jpg
ExifTool Version Number         : 12.50
File Name                       : Selfie.jpg
Directory                       : .
File Size                       : 46 kB
File Modification Date/Time     : 2023:03:12 14:52:03+07:00
File Access Date/Time           : 2023:03:14 14:48:01+07:00
File Inode Change Date/Time     : 2023:03:12 14:52:03+07:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Exif Byte Order                 : Little-endian (Intel, II)
Make                            : Security Camera
Camera Model Name               : Kmart Special
Image Width                     : 589
Image Height                    : 733
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 589x733
Megapixels                      : 0.432
```

Alternatively, the `file` command gives the same information. :tada:

![file](https://i.imgur.com/gSClNai.png)

```
Selfie.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, Exif Standard: [TIFF image data, little-endian, direntries=2, manufacturer=Security Camera, model=Kmart Special], baseline, precision 8, 589x733, components 3
```

:::success
Flag:`nicc{Security_Camera_Kmart_Special}`
:::

---

###### tags: `SpringForwardCTF` `Forensics` `Writeup` `Documentation`
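
In the Say Cheese! analysis above, `exiftool` and `file` both read the same two Exif IFD0 entries (`direntries=2` in the `file` output). As an added example that is not part of the original writeup, this Python parser pulls Make (tag 0x010F) and Model (tag 0x0110) out of a JPEG's APP1 segment. The sample bytes are constructed here to mirror the reported fields, and all function names are this example's own.

```python
import struct

TAGS = {0x010F: "Make", 0x0110: "Model"}   # TIFF/Exif IFD0 tag ids

def build_sample_jpeg(make: bytes, model: bytes) -> bytes:
    """Constructed test input: SOI, JFIF APP0, Exif APP1 with a 2-entry IFD0, EOI."""
    make, model = make + b"\0", model + b"\0"
    data_off = 8 + 2 + 2 * 12 + 4           # TIFF header, count, entries, next-IFD
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", 0x010F, 2, len(make), data_off)
    ifd += struct.pack("<HHII", 0x0110, 2, len(model), data_off + len(make))
    ifd += struct.pack("<I", 0)             # no further IFDs
    body = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd + make + model
    app0 = b"\xff\xe0\x00\x10JFIF\0" + bytes(9)
    app1 = b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body
    return b"\xff\xd8" + app0 + app1 + b"\xff\xd9"

def parse_ifd0(tiff: bytes) -> dict:
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])      # byte-order mark
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header")
    ifd = struct.unpack(order + "I", tiff[4:8])[0]      # offset of IFD0
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        tag, typ, n = struct.unpack(order + "HHI", entry[:8])
        if tag in TAGS and typ == 2:                    # type 2 = ASCII
            off = struct.unpack(order + "I", entry[8:12])[0]
            raw = entry[8:8 + n] if n <= 4 else tiff[off:off + n]  # short values are inline
            found[TAGS[tag]] = raw.split(b"\0")[0].decode("ascii", "replace")
    return found

def exif_make_model(jpeg: bytes) -> dict:
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    # Walk marker segments until start-of-scan (0xDA); metadata precedes it.
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        marker, seglen = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg[:6] == b"Exif\0\0":
            return parse_ifd0(seg[6:])
        pos += 2 + seglen
    return {}

def to_flag(meta: dict) -> str:
    return "nicc{" + "_".join((meta["Make"] + " " + meta["Model"]).split()) + "}"

SAMPLE = build_sample_jpeg(b"Security Camera", b"Kmart Special")
```

An empty result from `exif_make_model` on an image means no Exif APP1 segment precedes the scan data, which is the quick check that metadata was stripped before a photo was shared.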