# Eavesdrop
Author: LT 'SYREAL' JONES / MUBARAK MIKAIL
*Forensics*, 300 Points
Tags: *pcap*

## Description
```
Download this packet capture and find the flag.
```

## Hints
- All we know is that this packet capture includes a chat conversation and a file transfer.

## Solution

This problem is actually quite simple if you are well acquainted with using Wireshark.

Opening the challenge file in Wireshark, we can quickly see that there is a conversation between 10.0.2.4 and 10.0.2.15 over TCP. From here, we can easily deduce that we are supposed to "eavesdrop" on the conversation.

By right-clicking any of the TCP packets and choosing `Follow -> TCP Stream`, we see the following conversation:

![Conversation](https://github.com/yanganyi/writeup-picoctf-2022/raw/main/Forensics/Eavesdrop/Images/Conversation.png)


From here, we can immediately see that the command to decrypt the ciphertext is `openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123`

We can also expect to see a file transfer somewhere between "Yeah, listening." and "Sent it". Exiting the TCP stream and examining all the packets in between, we see data transmitted over TCP that begins with "Salted__". This is the 8-byte magic that OpenSSL's `enc` writes in front of the 8-byte salt when it encrypts with a password, so this is very likely the ciphertext we are looking for, especially since the decrypt command has `-salt` in it.

![Ciphertext](https://github.com/yanganyi/writeup-picoctf-2022/raw/main/Forensics/Eavesdrop/Images/Ciphertext.png)



From here, we can just select the packet and export its data by going to `File -> Export Packet Bytes` and saving it in the raw format. Renaming the exported file to file.des3, we can run the command given in the chat directly to decrypt it, thus getting the flag.

![Export](https://github.com/yanganyi/writeup-picoctf-2022/raw/main/Forensics/Eavesdrop/Images/Export.png)

However, please take note that for this step, you **cannot** just right-click on the data in Wireshark and copy it as printable text: the salt and ciphertext are arbitrary binary, and every byte that is not printable ASCII gets replaced with a dot, so doing so will give you the wrong ciphertext.
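As an added illustration of the export step (this is not code from the original writeup), the following Python builds a small constructed pcap in the same shape as the challenge capture (chat lines around an OpenSSL-style blob between 10.0.2.4 and 10.0.2.15), extracts the raw TCP payload that starts with `Salted__`, and shows why a printable-text copy corrupts the salt and ciphertext. All packet contents, ports and the blob bytes are constructed sample data, not the challenge file.

```python
import struct

def build_pcap(payloads):
    """Construct a tiny libpcap file (Ethernet/IPv4/TCP, 10.0.2.4 -> 10.0.2.15)
    carrying the given TCP payloads. Constructed stand-in for the challenge pcap."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, data in enumerate(payloads):
        tcp = struct.pack("!HHIIBBHHH", 4444, 50000, i * 100, 0, 0x50, 0x18, 0xFFFF, 0, 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes([10, 0, 2, 4]), bytes([10, 0, 2, 15])) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # Ethernet header, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)

def tcp_payloads(pcap):
    """Yield the raw TCP payload of every IPv4/TCP frame in a little-endian libpcap file."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off = 24                                              # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                      # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl: 14 + total]
        yield tcp[(tcp[12] >> 4) * 4:]                    # strip the TCP header (data offset)

def find_salted_blobs(pcap):
    """Return (salt, ciphertext) for every payload starting with OpenSSL's 'Salted__' magic."""
    return [(p[8:16], p[16:]) for p in tcp_payloads(pcap) if p.startswith(b"Salted__")]

def as_printable_text(data):
    """Mimic a 'copy as printable text' export: every non-printable byte becomes '.'."""
    return bytes(b if 0x20 <= b < 0x7F else 0x2E for b in data)

# Constructed sample: chat lines around an OpenSSL-style blob with a binary salt and ciphertext.
SAMPLE_BLOB = b"Salted__" + bytes.fromhex("0102deadbeef0304") + bytes.fromhex("9f00c3ff4a7b1e8d" * 2)
SAMPLE_PCAP = build_pcap([b"Yeah, listening.\n", SAMPLE_BLOB, b"Sent it\n"])

if __name__ == "__main__":
    (salt, ct), = find_salted_blobs(SAMPLE_PCAP)
    print("salt:", salt.hex(), "ciphertext bytes:", len(ct))
    print("printable copy intact?", as_printable_text(SAMPLE_BLOB) == SAMPLE_BLOB)   # False
```

Writing `b"Salted__" + salt + ct` to file.des3 gives the same bytes that Wireshark's raw export produces, which is what the `openssl des3 -d` command expects.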


`picoCTF{nc_73115_411_77b05957}`

Original writeup (https://github.com/yanganyi/writeup-picoctf-2022/tree/main/Forensics/Eavesdrop).