First, I opened the given pcap file in [Wireshark](https://www.wireshark.org/) and explored the captured packets.

I found some HTTP packets, so I followed them with `right click on the http packet > Follow > Follow HTTP Stream`.

```
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-length: 269
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground
...

client_secret=AER8VvrXuFfYfqjhidcekAM0&grant_type=refresh_token&refresh_token=1%2F%2F044y6gZR87Kl0CgYIARAAGAQSNwF-L9IrkAFpIJPMhiGY0OPJpo5RiA5_7R-mHH-kuHwCMUeFL2JqxevGr23oBJmaxdnrD52t3X4&client_id=1097638694557-3v745luessc34bkoiqkf8tndqgvbqjpm.apps.googleusercontent.com&[email protected]
HTTP/1.1 403 Forbidden
Vary: X-Origin
Vary: Referer
Content-Type: application/json; charset=UTF-8
...
```

I got *user-agent*, *client_id*, *client_secret*, *refresh_token*, and *email*. The *user-agent* is `google-oauth-playground`, so I thought this challenge had something to do with *Google OAuth Playground*.

I went to [OAuth 2.0 Playground](https://developers.google.com/oauthplayground/).

First, I checked **use our own OAuth credentials** in **OAuth 2.0 configuration** and filled *client_id* (`1097638694557-3v745luessc34bkoiqkf8tndqgvbqjpm.apps.googleusercontent.com`) and *client_secret* (`AER8VvrXuFfYfqjhidcekAM0`) into the `OAuth Client ID` and `OAuth Client secret` fields.

There was nothing to do in *Step 1*.

So, in *Step 2*, I URL-decoded the *refresh_token* (`1//044y6gZR87Kl0CgYIARAAGAQSNwF-L9IrkAFpIJPMhiGY0OPJpo5RiA5_7R-mHH-kuHwCMUeFL2JqxevGr23oBJmaxdnrD52t3X4`), filled it in the `Refresh token` field and clicked `Refresh access token`.

I got the `Access token` (`ya29.a0ARrdaM-K1DTLe_zcsJf3rZr9v6WeegZfASz1z4d5TEpZgmMhO5d-9fKiV8dM2_toRqI3Q4ip82o45zObuK0oj9AEoAOWMac1OGR98O4tFYr-l9g1J1X6kxIb6llazm5IiELGWDHyMDeiPyhuIN1mIbMm9ZIWKQ`).

Next, in *Step 3*, the `Request URI` must be `https://gmail.googleapis.com/gmail/v1/users/[gmail we got]/messages`.

So, I set it to `https://gmail.googleapis.com/gmail/v1/users/[email protected]/messages` and clicked `Send the request`.

There were **id**s and **threadId**s in *Response*.

I checked each of the ids by sending a request to `https://gmail.googleapis.com/gmail/v1/users/[email protected]/messages/[id]`.

And, I found the flag at id `17b7d85d21fc05ba`.

`https://gmail.googleapis.com/gmail/v1/users/[email protected]/messages/17b7d85d21fc05ba`

*flag*: `FwordCTF{email_forensics_is_interesting_73489nn7n4891}`
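
As an added example (not part of the original writeup), the following Python code reproduces the capture-analysis step from the top of this page: it parses a reassembled cleartext HTTP request, percent-decodes the form body the way the refresh token was decoded for *Step 2*, and reports which OAuth secrets were exposed on the wire. The request text is a constructed sample with placeholder values, and the function names and the list of sensitive field names are assumptions made for this example.

```python
from urllib.parse import parse_qs

# Constructed sample: same shape as the request in the capture, placeholder values.
SAMPLE_REQUEST = (
    "POST /token HTTP/1.1\r\n"
    "Host: oauth2.googleapis.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: google-oauth-playground\r\n"
    "\r\n"
    "client_secret=EXAMPLE-SECRET&grant_type=refresh_token"
    "&refresh_token=1%2F%2FEXAMPLE-refresh_TOKEN"
    "&client_id=000000000000-example.apps.googleusercontent.com"
)

# Assumed list of form fields that should never travel over cleartext HTTP.
SENSITIVE_FIELDS = ("client_secret", "refresh_token", "access_token", "code", "password")


def parse_http_request(raw: str):
    """Split a reassembled HTTP request into (request_line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines without a colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_exposed_oauth_fields(raw: str) -> dict:
    """Return the decoded sensitive form fields carried by a cleartext request."""
    _, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return {}
    # parse_qs percent-decodes values, so %2F%2F becomes // as in Step 2.
    form = parse_qs(body, keep_blank_values=True)
    return {k: form[k][0] for k in SENSITIVE_FIELDS if k in form}


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so a report does not re-leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


if __name__ == "__main__":
    for field, value in find_exposed_oauth_fields(SAMPLE_REQUEST).items():
        print(f"{field}: {redact(value)}")
```

Any hit from a check like this means the credential should be treated as compromised: revoke the refresh token and rotate the client secret.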

[Original writeup](https://github.com/MikelAcker/CTF_WRITEUPS_2021/tree/main/FwordCTF_2021_Writeup/Forensics/listening%3F)