Forensics - Whisper
Not all voices are loud. Not all truths are spoken. Some whispers are meant only for those who truly hear. Flag Format: VishwaCTF{example_flag}
A Wispers.pcapng capture was attached to this challenge.
This is what I usually do with pcap challenges. I open the capture in Wireshark and go to File > Export Objects to check whether any HTTP or FTP-DATA objects were transferred. Sure enough, under FTP-DATA there was a gotyou.zip.
I exported it and tried to unzip it, but the archive was password-protected.
Next I check Statistics > Protocol Hierarchy to see which protocols are actually carrying payload. Indeed, there were a number of TCP packets whose payload Wireshark could only classify as plain Data.
Following the TCP stream of those packets (Follow > TCP Stream) gave us two distinct poem-like paragraphs.
Paragraph 1:
Paragraph 2:
It took a bit of time, and some guesswork, to derive the password from these two paragraphs: it was the alternate letters taken from each paragraph and combined. The password for gotyou.zip was L0CALP@THWY.
The extracted gotyou folder contained four JPG files. I opened the first three and ran strings, binwalk and exiftool against them, but found nothing useful. The fourth, hehehe.jpg, was not a JPEG at all: an image viewer reported an unsupported file, and the file command identified it as an ELF executable. Checking the magic bytes with file rather than trusting the extension is the step that matters here; the .jpg name was just a decoy.
Then I ran strings on it.
Analyzing the strings confirmed that it is a PyInstaller-packed ELF. Typical giveaways for PyInstaller are runtime-hook names of the form pyi_rth_*, the _MEIPASS temp-directory variable and the MEI archive cookie magic. Proof:
⇒ Presence of Python standard library modules:
⇒ PyInstaller-specific imports:
⇒ Shared objects and PyInstaller archive files:
I found a tool called pyinstxtractor that unpacks PyInstaller archives, so I used it to see whether anything useful was inside. Note that it extracts rather than decompiles: it recovers the embedded .pyc files, and turning those back into Python source would need a separate decompiler.
It is a Python script; running it against hehehe.jpg produced a folder of extracted files.
The extracted hehehe.pyc looked suspicious, so I ran strings on it too. Boom: the flag was hardcoded right there in the .pyc. This works because string constants in a .pyc sit in plaintext in the code object's constant pool, so strings is enough whenever the author has not obfuscated them.
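To make the "PyInstaller-packed ELF" identification and the pyinstxtractor step concrete, here is an added example that is not part of the original writeup and not pyinstxtractor's own code. It parses a PyInstaller CArchive the way pyinstxtractor does: locate the MEI cookie by scanning from the end of the file, read the table of contents, decompress each entry and grep the result for the flag format. The cookie and TOC layouts are PyInstaller's real on-disk format; the fake ELF prefix, the entry names and the placeholder flag string are constructed here for the demonstration and are not the challenge's real contents.

```python
"""PyInstaller CArchive parsing on a constructed sample.

Added example for this writeup; not code from the original post or from
pyinstxtractor. The cookie and TOC layouts are PyInstaller's real on-disk
format (as pyinstxtractor reads them); the fake ELF prefix, entry names and
the placeholder flag string are constructed here for the demonstration.
"""
import re
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"   # cookie magic common to all PyInstaller versions
COOKIE_FMT_20 = "!8siiii"            # 2.0: magic, archive_len, toc_off, toc_len, pyver
COOKIE_FMT_21 = "!8sIIii64s"         # 2.1+: same fields plus a 64-byte python lib name
ENTRY_FMT = "!iIIIBc"                # TOC entry: entry_len, pos, clen, ulen, cflag, type
FLAG_RE = re.compile(rb"VishwaCTF\{[^}]*\}")   # flag format given in the challenge text


def build_sample_archive(entries, pylib=b"libpython3.8.so.1.0"):
    """Build a minimal 2.1+ style CArchive: entry data, then TOC, then cookie (fixture)."""
    body, toc = bytearray(), bytearray()
    for name, typecode, payload, compress in entries:
        data = zlib.compress(payload) if compress else payload
        pos = len(body)
        body += data
        nm = name.encode() + b"\0"
        entry_len = struct.calcsize(ENTRY_FMT) + len(nm)
        if entry_len % 16:                       # PyInstaller pads each entry to 16 bytes
            nm += b"\0" * (16 - entry_len % 16)
            entry_len = struct.calcsize(ENTRY_FMT) + len(nm)
        toc += struct.pack(ENTRY_FMT + f"{len(nm)}s", entry_len, pos, len(data),
                           len(payload), int(compress), typecode, nm)
    toc_off = len(body)
    archive_len = toc_off + len(toc) + struct.calcsize(COOKIE_FMT_21)
    cookie = struct.pack(COOKIE_FMT_21, MAGIC, archive_len, toc_off, len(toc),
                         38, pylib.ljust(64, b"\0"))
    return bytes(body + toc + cookie)


def find_cookie(blob):
    """Locate the cookie by scanning from the end, as pyinstxtractor does for ELF targets.

    Returns (offset, struct format). 2.1+ cookies are told apart from 2.0 ones by the
    python library name that follows the 24-byte core (same heuristic as pyinstxtractor).
    """
    pos = blob.rfind(MAGIC)
    if pos == -1:
        raise ValueError("MEI cookie not found: not a PyInstaller archive")
    core = struct.calcsize(COOKIE_FMT_20)
    fmt = COOKIE_FMT_21 if b"python" in blob[pos + core:pos + core + 64].lower() else COOKIE_FMT_20
    return pos, fmt


def parse_carchive(blob):
    """Return {name: (typecode, uncompressed bytes)} for every TOC entry in blob."""
    pos, fmt = find_cookie(blob)
    _, archive_len, toc_off, toc_len = struct.unpack(fmt, blob[pos:pos + struct.calcsize(fmt)])[:4]
    # Cookie offsets are relative to the archive start. Whatever precedes the archive
    # (the bootloader ELF) is skipped; anything after the cookie is trailing data.
    trailing = len(blob) - pos - struct.calcsize(fmt)
    start = len(blob) - (archive_len + trailing)
    hdr = struct.calcsize(ENTRY_FMT)
    entries, off = {}, start + toc_off
    while off < start + toc_off + toc_len:
        entry_len, epos, clen, ulen, cflag, typecode = struct.unpack(ENTRY_FMT, blob[off:off + hdr])
        name = blob[off + hdr:off + entry_len].rstrip(b"\0").decode()
        raw = blob[start + epos:start + epos + clen]
        data = zlib.decompress(raw) if cflag else raw       # cflag 1 means zlib-compressed
        if len(data) != ulen:
            raise ValueError(f"length mismatch for {name}: {len(data)} != {ulen}")
        entries[name] = (typecode.decode(), data)
        off += entry_len
    return entries


def find_flags(entries):
    """strings | grep, in regex form, over every extracted entry."""
    return sorted((name, m.decode()) for name, (_, data) in entries.items()
                  for m in FLAG_RE.findall(data))


# Constructed stand-in for hehehe.jpg: a fake ELF header followed by the archive.
# The 's' entry plays the role of hehehe (the script PyInstaller froze); its flag is
# the placeholder from the challenge's flag format, not the real one.
SAMPLE_ENTRIES = [
    ("hehehe", b"s", b"import sys\nFLAG = 'VishwaCTF{example_flag}'\nprint(FLAG)\n", True),
    ("pyi_rth_inspect", b"m", b"# runtime hook\n", True),
    ("libpython3.8.so.1.0", b"b", b"\x7fELF" + b"\0" * 60, False),
]
SAMPLE_FILE = b"\x7fELF\x02\x01\x01" + b"\0" * 57 + build_sample_archive(SAMPLE_ENTRIES)

if __name__ == "__main__":
    found = parse_carchive(SAMPLE_FILE)
    for name, (typecode, data) in found.items():
        print(f"{typecode} {len(data):6d} {name}")
    print(find_flags(found))
```

Type code 's' marks the frozen entry-point script, which is why pyinstxtractor flags such entries as the likely place to look; 'm' is a module, 'b' a binary and 'z' the PYZ archive holding the rest of the bytecode. On a real sample you would replace SAMPLE_FILE with the bytes of hehehe.jpg; the cookie scan is what lets this work even though the archive sits inside an ELF rather than at the very end of the file.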