UIUCTF 2015 - Sniffthis (200 points)

NETWORK: Just say no. traffic.7z

Doing this challenge right after Ovaltine made it pretty easy. Once again, we are given a network capture, and must find the flag in it. This time I directly started by exporting the HTTP objects, and looked at what was there:

  • Pandora traffic
  • More Pandora traffic
  • A little bit of Pandora traffic as well
  • key.gif
  • key.bmp

That looks too good to be true. Indeed, trying to open both key files with an image viewer yields an error. Let's see what's inside:

$ cat key.gif
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
                  

And key.bmp contains the same text. So maybe if we can find the new location of these images, we will find the flag. Let's look for that in the capture by searching for key.bmp.


We find that a key.bmp image is hosted on Dropbox, and opening the link in a web browser allows us to download the file. Great, let's look at it now!


Hmm, still not it. Let's see what type of file we have now:

$ file key.bmp
key.bmp: Microsoft Word 2007+
                  

Ah, we have a Word file. Let's rename it to key.doc, start LibreOffice and look at...


Oh, false alarm, that was a bogus lead. Unless...


Yes! The flag was hidden behind the image, and we can validate the challenge.

flag{https://www.youtube.com/watch?v=9QcBQt0mkuM}
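
The two checks used above can also be scripted. This is an added example, not part of the original writeup: it identifies a file by its leading bytes instead of its extension, and reads the paragraph text of a Word file straight from word/document.xml, where the text is present even when a picture is placed over it. The function names and the sample data are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

def sniff_type(data):
    """Identify content by its leading bytes, ignoring the file name."""
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    if data.startswith(b"BM"):
        return "bmp"
    if data.startswith(b"PK\x03\x04"):
        # OOXML files are ZIP archives; a Word file carries word/document.xml
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "docx" if "word/document.xml" in z.namelist() else "zip"
    if data.lstrip()[:5].lower() in (b"<html", b"<!doc"):
        return "html"
    return "unknown"

def docx_text(data):
    """Return the text of each non-empty paragraph, whatever is drawn over it."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    paragraphs = []
    for p in root.iter(W + "p"):
        text = "".join(t.text or "" for t in p.iter(W + "t"))
        if text:
            paragraphs.append(text)
    return paragraphs

def make_sample_docx():
    """Constructed sample: one paragraph holding a drawing, one holding text."""
    xml = ('<w:document xmlns:w="' + W[1:-1] + '"><w:body>'
           '<w:p><w:r><w:drawing/></w:r></w:p>'
           '<w:p><w:r><w:t>flag{constructed-sample}</w:t></w:r></w:p>'
           '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()

# Constructed stand-in for the exported "key.gif": an nginx 301 page
FAKE_GIF = b"<html>\n<head><title>301 Moved Permanently</title></head>\n</html>\n"

if __name__ == "__main__":
    print(sniff_type(FAKE_GIF))
    sample = make_sample_docx()
    print(sniff_type(sample), docx_text(sample))
```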