Agent Shadow

~# cat Question

Someone has infiltrated the Headquarters of Greyhats and retrieved classified information about HackBash. Luckily, we set up network traffic logging and captured all incoming and outgoing packets. We need your help to inspect the captured pcap file and find out what the intruder managed to find out about HackBash.

FILE: challenge.pcapng

For this challenge we are given a pcapng file, so we can open it in Wireshark to view the packets. Protocol Hierarchy Statistics under the Statistics menu lists every protocol present in the capture. Upon inspection, two protocols stood out to me: HTTP and ICMP.

  1. HTTP is unencrypted, so any data it carries can be read directly from the capture.

  2. ICMP lets us see the ping (Echo Request) messages, and the payload of each one is visible in the capture as well.

Inspecting HTTP packets

Going through the HTTP packets, we only find fake flags that do not help us.

Inspecting ICMP packets

However, when we go through all the ICMP packets, we can see fragments of the flag in the payloads of the last few packets. We can piece these fragments together to get the full flag. An alternative method is to use the Python library scapy to extract the ICMP payloads and piece the flag together programmatically.
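As an added example (not from the original writeup, and not the challenge capture), the script below does the same reassembly without scapy: it walks the pcapng blocks, pulls the payload from every ICMP Echo Request, and joins the fragments per identifier in sequence-number order. It assumes an Ethernet/IPv4 link layer, does not validate checksums, and ships with a small constructed capture so it can be run offline.

```python
import struct
PCAPNG_SHB, PCAPNG_IDB, PCAPNG_EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # block type codes

def pcapng_frames(data: bytes):
    """Yield the captured bytes of every Enhanced Packet Block in a pcapng file."""
    off, endian = 0, "<"
    while off + 12 <= len(data):
        btype = struct.unpack_from(endian + "I", data, off)[0]
        if btype == PCAPNG_SHB:  # the byte-order magic fixes the endianness of this section
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        blen = struct.unpack_from(endian + "I", data, off + 4)[0]
        if blen < 12 or blen % 4:
            raise ValueError("malformed pcapng block at offset %d" % off)
        if btype == PCAPNG_EPB:  # header: iface(4) ts_hi(4) ts_lo(4) caplen(4) origlen(4) data
            caplen = struct.unpack_from(endian + "I", data, off + 20)[0]
            yield data[off + 28:off + 28 + caplen]
        off += blen

def icmp_record(frame: bytes):
    """Return (type, identifier, sequence, payload) for an Ethernet/IPv4/ICMP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
        return None  # not IPv4, or IP protocol number != 1 (ICMP)
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    icmp = frame[14 + ihl:14 + total_len]
    if len(icmp) < 8:  # type(1) code(1) checksum(2) identifier(2) sequence(2)
        return None
    itype, _code, _csum, ident, seq = struct.unpack_from("!BBHHH", icmp)
    return itype, ident, seq, icmp[8:]

def reassemble_echo_payloads(data: bytes, icmp_type: int = 8) -> dict:
    """Join Echo Request (type 8) payloads per identifier, ordered by sequence number."""
    frags = {}
    for rec in map(icmp_record, pcapng_frames(data)):
        if rec and rec[0] == icmp_type:
            frags.setdefault(rec[1], {})[rec[2]] = rec[3]
    return {ident: b"".join(seqs[s] for s in sorted(seqs)) for ident, seqs in frags.items()}

def build_sample_pcapng(fragments, ident=0x1234) -> bytes:
    """Constructed sample (NOT the challenge capture): one Echo Request per (seq, payload) pair."""
    def block(btype, body):
        body += b"\0" * (-len(body) % 4)
        return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)
    out = block(PCAPNG_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += block(PCAPNG_IDB, struct.pack("<HHI", 1, 0, 65535))  # LINKTYPE_ETHERNET, snaplen
    for seq, frag in fragments:
        icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + frag  # checksums left at zero
        hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0)  # IPv4, proto 1
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + hdr + b"\x0a\0\0\x02\x0a\0\0\x01" + icmp
        out += block(PCAPNG_EPB, struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame)) + frame)
    return out
```

On a real capture, call `reassemble_echo_payloads(open("challenge.pcapng", "rb").read())`; the same grouping by identifier and sequence is what makes this traffic easy to flag in an IDS rule.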

Flag: flag{ICMP_Exf1ltrat1on_C4n_B3_D3t3ct3d_By_Rul3Z}
