Epic Arc

Mister You is willing to hire someone who can repeat his investigation. Arc starts from here

Part 1. Find the secret link in this conversation

Part 2. What's the md5 of the file being transferred?

Part 3. Find and solve it. It's up to you

Packets 100 - Epic Arc Pt.1



Download file epicark100.pcap.
Open with Wireshark: Menu: File -> Export Objects -> HTTP -> Save All.

% grep key *
message:message=some%20shit%20happend%20%20this%20sunday.%20i%20have%20downloaded%20this%20(key-http%3A%2F%2Ftinyurl.com%2F9qj5r4r)&to=%23hacku
message(2):message=oh%2C%20sry.%20key%20is%20tinyurl.com%2F8pdox5a&to=%23hacku

The key is in message(2); it is also the link to download the Packets 300 challenge.

Flag: tinyurl.com/8pdox5a

Packets 200 - Epic Arc Pt.2



Download file epicark200.
Open with Wireshark. Notice a "Request: SIZE /tcp_serv.beam" in frame 11, and the answer, 3048, in frame 12.
The data transfer begins at frame 15: "Request: RETR /tcp_serv.beam".
Go to frame 17, Follow TCP stream, Save. Notice it displays "Entire conversation (3048 bytes)", which matches the SIZE answer, so we are all good.

% md5sum tcp_serv.beam  
77f92edb199815b17e2ff8da36e200df  tcp_serv.beam

Flag: 77f92edb199815b17e2ff8da36e200df

Packets 300 - Epic Arc Pt.3



Download file epicark300.
Open with Wireshark: Menu: File -> Export Objects -> HTTP -> Save All.
We find a ctf.exe file, which we need to reverse. Here is a summary of what it is doing:

  • receive an 8-byte key from the remote server: 159.253.22.174:3137
  • key ^= '_hackme_'
  • XOR "FlagRequest:omkesey" with key
  • send this to the server
  • receive the flag, XORed with key

At first I believed the flag would be within the provided packets.
Let's follow the TCP stream:

[Screenshot: pkt300_screenshot1.png]
Extract the red part and XOR it with "FlagRequest:omkesey"; we obtain the key.
Now we XOR the last blue part with that key and obtain ... "someflag". #FAIL.

Let's launch ctf.exe with Wine and sniff it with Wireshark. We obtain the stream below:

[Screenshot: pkt300_screenshot2.png]
Same process, but this time we obtain: "Hire_m3_mister_U".

Flag: Hire_m3_mister_U
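
The key-recovery step used in both attempts above, as an added Python example that is not part of the original write-up. It assumes the 8-byte key repeats across longer messages, and it uses a constructed server key and a simulated session in place of the capture bytes, which are only visible in the screenshots.

```python
from itertools import cycle

KNOWN_REQUEST = b"FlagRequest:omkesey"  # plaintext constant in ctf.exe (from the write-up)
MASK = b"_hackme_"                      # constant XORed into the server key (from the write-up)
KEY_LEN = 8


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed (assumed behaviour)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key(captured_request: bytes) -> bytes:
    """Known-plaintext recovery of the effective 8-byte key from the request."""
    if len(captured_request) != len(KNOWN_REQUEST):
        raise ValueError("captured request has unexpected length")
    stream = bytes(c ^ p for c, p in zip(captured_request, KNOWN_REQUEST))
    key = stream[:KEY_LEN]
    # Sanity check: the bytes past offset 8 must agree with the key repeating.
    if xor_repeat(KNOWN_REQUEST, key) != captured_request:
        raise ValueError("keystream does not repeat every 8 bytes")
    return key


def decrypt_reply(captured_request: bytes, captured_reply: bytes) -> bytes:
    """Decrypt the server reply using the key recovered from the request."""
    return xor_repeat(captured_reply, recover_key(captured_request))


def simulate_session(server_key: bytes, flag: bytes):
    """Constructed stand-in for a capture: returns (request, reply) bytes."""
    effective = xor_repeat(server_key, MASK)  # key ^= '_hackme_'
    return xor_repeat(KNOWN_REQUEST, effective), xor_repeat(flag, effective)


if __name__ == "__main__":
    # Constructed server key; the real one exists only in the capture.
    req, rep = simulate_session(bytes.fromhex("0011223344556677"), b"someflag")
    print(recover_key(req).hex(), decrypt_reply(req, rep))
```

The recovered value is the key after the '_hackme_' step, so the mask never has to be undone: a fixed, known request body gives any observer of the stream everything needed to read the reply.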