Tags: wireshark forensics
Rating: 4.0
Stomped was one of my favorite problems. It's one of those problems that sounds extremely easy once you see the solution, but is hard to work out how to get to that solution. So, let's start.
Firstly, we open the PCAP file in Wireshark. I looked around a bit and noticed each packet carried one byte of data. My first thought on seeing that was "Collect. The. Data." and I did. I exported the packets to a JSON file, but since I was too lazy to write a Python script that would parse the data and decode it (even though that would have made life so much easier), I ran `strings stomped.pcap | grep "data.data"` and collected it that way. In fact, I will write a Python script as a reference now. After stripping the `data.data` prefix (again, something a Python script would do for you), I had the data. It was hexadecimal, and once I decoded it I noticed something was off. After you work with Base64 a lot, you notice the two equals signs at the end of an encoded message. This message had two equals signs, just not at the end: they were scattered through it. So, I had a feeling the order of this message's data was scrambled.

Now I looked at the time each packet was received. Interesting. Some of the packets were received at a negative time (Wireshark shows time relative to the first packet in the file, so a negative value means a packet was timestamped earlier than the one that happens to come first). Negative time, breaking the laws of physics. I used my googling skills to find out you can reorder the packets based on the time received. The tool is called reordercap. I yeeted the pcap file through that tool and it produced a properly ordered capture file. I exported the packets to another JSON file and got the data, then decoded it from hexadecimal and from Base64 after that.
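The reference script I mentioned, as an added example that is not code from the original write-up: it takes a Wireshark/tshark-style JSON export (assumed layout: `_source.layers.frame["frame.time_epoch"]` and `_source.layers.data["data.data"]`, one byte per packet), sorts the packets by timestamp the way reordercap does, then hex- and Base64-decodes the result. The capture it works on is constructed inline from a made-up message so it runs offline; `make_capture`, `capture_order_text` and `recover_message` are my names, not tool names.

```python
import base64
import json

LAYERS = ("_source", "layers")

def padding_misplaced(b64_text: str) -> bool:
    """The tell from the write-up: '=' belongs only at the very end of Base64 text."""
    return "=" in b64_text.rstrip("=")

def make_capture(message: bytes) -> str:
    """Build a constructed JSON export: one Base64 character per packet, hex-encoded,
    listed in a scrambled (stride-3) order, but each stamped with its true send time."""
    b64 = base64.b64encode(message).decode()
    n = len(b64)
    scrambled = [i for r in range(3) for i in range(n) if i % 3 == r]  # constructed scramble
    packets = []
    for pos in scrambled:
        packets.append({"_source": {"layers": {
            "frame": {"frame.time_epoch": f"{1600000000 + pos:.6f}"},
            "data": {"data.data": format(ord(b64[pos]), "02x")},
        }}})
    return json.dumps(packets)

def _payload_hex(pkt: dict) -> str:
    # Some Wireshark versions write data.data as "41:42:43"; strip the colons either way.
    return pkt["_source"]["layers"]["data"]["data.data"].replace(":", "")

def capture_order_text(export: str) -> str:
    """Hex-decode the payloads in file order: what the strings | grep pass yields."""
    pkts = json.loads(export)
    return bytes.fromhex("".join(_payload_hex(p) for p in pkts)).decode()

def recover_message(export: str) -> bytes:
    """reordercap equivalent: sort by absolute timestamp (this also fixes packets that
    Wireshark shows at a negative relative time), then hex- and Base64-decode."""
    pkts = json.loads(export)
    pkts.sort(key=lambda p: float(p["_source"]["layers"]["frame"]["frame.time_epoch"]))
    hex_stream = "".join(_payload_hex(p) for p in pkts)
    return base64.b64decode(bytes.fromhex(hex_stream))

if __name__ == "__main__":
    cap = make_capture(b"uscg{constructed_example}")
    print("file order :", capture_order_text(cap), "misplaced '='?", padding_misplaced(capture_order_text(cap)))
    print("time order :", recover_message(cap))
```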
I got the flag: **uscg{2_m0st_p0w3rful_w4rr1ors_ar3_pati3nc3_and_t1me}**