Forensics - Whisper

Not all voices are loud. Not all truths are spoken. Some whispers are meant only for those who truly hear. Flag Format: VishwaCTF{example_flag}

Solution:

A Wispers.pcapng file was attached to this challenge.

This is what I usually do with pcap challenges: I first go to File > Export Objects and check whether any HTTP or FTP objects were transferred. Sure enough, under FTP-DATA there was a gotyou.zip.

So I exported it and tried unzipping it to get at the contents, but it asked for a password.

Next, what I usually do is check Statistics > Protocol Hierarchy for any specific protocol packets or plain data packets. We had a bunch of data packets indeed.

Following the TCP stream of each packet gave us two unique poem-like paragraphs.

Paragraph 1:

Paragraph 2:

It took a bit of time to get the password out of these, and it was a guessy way to find it: the password is the alternate letters of each paragraph combined. So the password to open gotyou.zip was just L0CALP@THWY.

The extracted gotyou folder held 4 JPG files. I opened the first three and ran strings, binwalk and exiftool on them, but couldn't find anything useful. The 4th, hehehe.jpg, wasn't a JPG at all: opening it showed "file unsupported", and running the file command against it reported an ELF executable.

Then I ran strings on it.

Analyzing the strings confirmed that it is a PyInstaller-packed ELF file. Proof:

⇒ Presence of Python Standard Library Modules:

⇒ PyInstaller-Specific Imports:

⇒ Shared objects and also the PyInstaller archive files
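The two checks above (does the magic number match the extension, and does an ELF carry PyInstaller's markers) can be scripted so you don't have to eyeball `file` and `strings` output for every file in a dump. The following is an added example, not part of the original writeup: it triages a directory of files by magic bytes and flags ELF files that contain the PyInstaller CArchive cookie (`MEI\x0c\x0b\x0a\x0b\x0e`, the marker pyinstxtractor searches for) or bootloader strings such as `_MEIPASS`. The four sample files it builds are constructed stand-ins for the gotyou contents; the real hehehe.jpg is not reproduced here.

```python
import os
import tempfile

# Magic numbers that `file` reports for the two types seen in this challenge.
JPEG_MAGIC = b"\xff\xd8\xff"
ELF_MAGIC = b"\x7fELF"

# PyInstaller's CArchive cookie (pyinstxtractor locates the archive by this
# marker; in a real binary it sits near the end of the appended archive) plus
# strings the PyInstaller bootloader always carries.
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"
PYINSTALLER_STRINGS = (b"_MEIPASS", b"pyi-runtime-tmpdir", b"PYZ-00.pyz", b"pyimod01_")

# What each claimed extension should look like on disk.
EXPECTED_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "elf": "elf", "so": "elf"}


def identify(data):
    """Return a coarse file type from the leading magic bytes."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(ELF_MAGIC):
        return "elf"
    return "unknown"


def pyinstaller_markers(data):
    """List the PyInstaller indicators present in a blob (empty if none)."""
    found = []
    if PYINSTALLER_COOKIE in data:
        found.append("MEI cookie")
    found.extend(s.decode() for s in PYINSTALLER_STRINGS if s in data)
    return found


def triage(path):
    """Compare the claimed extension with the real magic and look for PyInstaller."""
    with open(path, "rb") as f:
        data = f.read()
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    kind = identify(data)
    expected = EXPECTED_KIND.get(ext)
    return {
        "file": os.path.basename(path),
        "claimed": ext,
        "actual": kind,
        # A mismatch only counts when we know what the extension should be.
        "mismatch": expected is not None and expected != kind,
        "pyinstaller": pyinstaller_markers(data) if kind == "elf" else [],
    }


def build_samples(workdir):
    """Write constructed stand-ins: three real-looking JPEGs and one ELF named .jpg."""
    for name in ("1.jpg", "2.jpg", "3.jpg"):
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)
    # Hypothetical hehehe.jpg: a minimal ELF header followed by the kind of
    # content a PyInstaller one-file binary contains (constructed, not real).
    with open(os.path.join(workdir, "hehehe.jpg"), "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57)
        f.write(b"\x00pyi-runtime-tmpdir\x00_MEIPASS\x00")
        f.write(b"\x00" * 32 + PYINSTALLER_COOKIE + b"\x00" * 16)


def demo():
    """Build the samples in a temp dir and triage them, sorted by file name."""
    with tempfile.TemporaryDirectory() as d:
        build_samples(d)
        return [triage(os.path.join(d, n)) for n in sorted(os.listdir(d))]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point it at the real extracted folder by replacing `demo()` with a loop over `triage(path)`; any row with `mismatch` set is the file to look at first, and a non-empty `pyinstaller` list tells you to reach for pyinstxtractor rather than binwalk.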

I found an interesting tool online called pyinstxtractor. It unpacks the PyInstaller archive embedded in the binary so you can go through the bundled files and see if anything is useful.

It is basically a Python script. Running it against hehehe.jpg created a folder of extracted files.

That hehehe.pyc felt sus, so I ran strings on it too. Boom! The flag was right there, hardcoded in the .pyc file.
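A hardcoded flag lands in the code object's constant pool, which is why `strings` finds it without any decompiling. When `strings` is too noisy, or the secret is split into pieces, it is cleaner to unmarshal the .pyc and walk the constants directly. The following is an added example, not part of the original writeup or the challenge binary: it builds a constructed stand-in for hehehe.pyc (a module with a hypothetical flag-like string) and then reads string constants out of it with the stdlib `marshal` module, recursing into nested function code objects. It assumes a CPython 3.7+ .pyc (16-byte header) produced by the same interpreter version that runs the script, which is the usual situation once you know the bundled Python version from the PyInstaller strings.

```python
import importlib.util
import marshal
import os
import py_compile
import tempfile
import types

# Constructed stand-in for the extracted hehehe.pyc: the flag string is a
# hypothetical placeholder, not the challenge's real flag.
SAMPLE_SOURCE = '''
import sys

def check(user_input):
    # The secret is compiled into this function's co_consts.
    return user_input == "VishwaCTF{constructed_sample_flag}"

if __name__ == "__main__":
    print("correct" if check(sys.argv[1]) else "wrong")
'''


def build_sample_pyc(workdir):
    """Write SAMPLE_SOURCE and compile it to hehehe.pyc; return the .pyc path."""
    src = os.path.join(workdir, "hehehe.py")
    pyc = os.path.join(workdir, "hehehe.pyc")
    with open(src, "w") as f:
        f.write(SAMPLE_SOURCE)
    py_compile.compile(src, cfile=pyc, doraise=True)
    return pyc


def load_code(pyc_path):
    """Unmarshal the module code object from a CPython 3.7+ .pyc."""
    with open(pyc_path, "rb") as f:
        data = f.read()
    # The first 4 bytes identify the CPython version that wrote the file.
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError(
            "pyc magic does not match this interpreter; run with the Python "
            "version the binary bundles (visible in the PyInstaller strings)"
        )
    # Header is magic(4) + flags(4) + mtime-or-hash(4) + source size(4).
    return marshal.loads(data[16:])


def walk_constants(code, found=None):
    """Collect every str constant, recursing into nested code objects."""
    if found is None:
        found = []
    for const in code.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif isinstance(const, types.CodeType):
            walk_constants(const, found)
        elif isinstance(const, (tuple, frozenset)):
            found.extend(c for c in const if isinstance(c, str))
    return found


def find_flags(pyc_path, prefix="VishwaCTF{"):
    """Return constants that look like a flag in the given format."""
    return [
        s for s in walk_constants(load_code(pyc_path))
        if s.startswith(prefix) and s.endswith("}")
    ]


def demo():
    """Compile the constructed module and pull the flag-like constant back out."""
    with tempfile.TemporaryDirectory() as d:
        return find_flags(build_sample_pyc(d))


if __name__ == "__main__":
    print(demo())
```

For a real extraction, call `find_flags("hehehe_extracted/hehehe.pyc")`; if the magic check fails, pyinstxtractor prints the bundled Python version, so run this script under that interpreter.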

Flag: VishwaCTF{h1dd3n_l0c4l_traff1c}