@snowpetrel said:
I am also stuck on this challenge. Decoded multiple things, found false positives but the longer assembled part I believe contains the flag I can’t translate to anything that makes sense. If anyone has some hints or a reference to good study material I would greatly appreciate it.
I’m at exactly the same spot. I could also use some study material.
@snowpetrel said:
I am also stuck on this challenge. Decoded multiple things, found false positives but the longer assembled part I believe contains the flag I can’t translate to anything that makes sense. If anyone has some hints or a reference to good study material I would greatly appreciate it.
I’ve checked about 5 different frameworks that might generate this “weird” traffic but no fingerprint matches the queries in the pcap file. If it is something custom made I don’t have enough clues to solve it.
Hmmmm…
Shameless bump, now at the last step. Swear on me mum if this is one of those “guess harder” challenges I’m gonna…
Circling back after some time off and still hitting a wall. My modification didn’t work so I probably have the wrong script. Can anyone confirm this isn’t an obscure script? I’m focused on an old Perl script at the moment.
There is a part that is easy to decode which will indicate whether you got a good script or not. Feel free to send me a PM with the script you use and I will check.
I have found a script that, if you replace a certain symbol with another, I think matches the fingerprint given. The script contains some encryption to produce such a payload; do I need to brute-force the pass with a dictionary? Am I on the right path? Hoping I do not spoil too much…
Can someone please provide me a hint for the decoding of the package? Not the short string, but the long one. I think I know which script is being used, but I’ve no idea how to set it all up or use it, since I’m new to all this stuff. At this point I’ll even learn more from someone just spoiling me than just looking at the package all day and not knowing what to do.
The SANS paper was interesting and helpful, but it didn’t provide the answers I’m looking for…
I read the SANS paper, tried to find the precedence of the script that generates the requests but still I’m missing how to decode it if anyone can PM me or give a hint…
I’m blocked on this one. I’ve been trying several tools but I didn’t find any that makes sense for the FQDN in the pcap; can anybody give me a pointer?
I found a walkthrough that provided the flag. I don’t know if you can call it a walkthrough, because the script it had didn’t work for me personally, but I’d like to be able to understand why what I tried didn’t work, and what I was missing. I would appreciate a PM to help me understand why my script wouldn’t run; I’m not that good with python scripts.
As some have said, finding the tool which generated (or receives) these packets is the key to this. If you don’t locate the right tool, you’ll never crack this without a truckload of jammy luck.
After hours of beating my head against a wall, I eventually realised that the combination of “init.” and txt records helped me find what I was looking for.
If you don’t feel like scripting, it is also possible to completely avoid it. It is possible to get the result by playing with the capture file, if you tweak it a little bit.
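An added example, not from any of the posts above and not the challenge's own script: a pure-Python pcap reader that pulls the DNS questions out of a capture and scores each zone for the traits the thread points at (a burst of TXT queries, an "init." label, long high-entropy labels). The sample capture is constructed inline with a tiny packet builder; the zone names, the frame layout (Ethernet/IPv4/UDP) and the thresholds are assumptions, so tune them to the capture you actually have.

```python
import math
import struct
from collections import defaultdict

QTYPE_A, QTYPE_TXT = 1, 16
PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian pcap v2.4, microsecond timestamps


# ---- constructed sample capture (not real traffic) -------------------------
def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def _dns_query_frame(name, qtype, txid):
    """Build Ethernet/IPv4/UDP/DNS query bytes; checksums are left zero (fine for parsing)."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + udp
    return bytes(6) + bytes(6) + b"\x08\x00" + ip  # dst MAC, src MAC, EtherType IPv4


def _build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


SAMPLE_QUERIES = [  # constructed: one benign zone, one zone showing tunnelling traits
    ("www.corp-example.test", QTYPE_A),
    ("mail.corp-example.test", QTYPE_TXT),
    ("init.tunnel-example.test", QTYPE_TXT),
    ("0123456789abcdef0123456789abcdef.tunnel-example.test", QTYPE_TXT),
    ("fedcba9876543210fedcba9876543210.tunnel-example.test", QTYPE_TXT),
    ("13579bdf02468ace13579bdf02468ace.tunnel-example.test", QTYPE_TXT),
]
SAMPLE_PCAP = _build_pcap([_dns_query_frame(n, t, 0x1000 + i) for i, (n, t) in enumerate(SAMPLE_QUERIES)])


# ---- pcap / DNS parsing ----------------------------------------------------
def _parse_name(data, off):
    labels = []
    while True:
        n = data[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointers do not occur in a query's question section
            raise ValueError("unexpected compression pointer")
        off += 1
        labels.append(data[off:off + n].decode("ascii", "replace"))
        off += n


def dns_questions(pcap_bytes):
    """Yield (qname, qtype) for every DNS query (UDP to port 53) in a little-endian pcap."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        if ip[9] != 17:
            continue  # not UDP
        udp = ip[(ip[0] & 0x0F) * 4:]
        if struct.unpack("!H", udp[2:4])[0] != 53:
            continue
        dns = udp[8:]
        _, flags, qdcount = struct.unpack("!HHH", dns[:6])
        if flags & 0x8000:
            continue  # response, not a query
        pos = 12
        for _ in range(qdcount):
            name, pos = _parse_name(dns, pos)
            qtype = struct.unpack("!H", dns[pos:pos + 2])[0]
            pos += 4
            yield name, qtype


# ---- detection -------------------------------------------------------------
def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def tunnel_suspects(questions, zone_labels=2, min_txt=3, min_label_len=20, min_entropy=3.0):
    """Group queries by zone (last zone_labels labels) and return the zones that issue
    many TXT queries and also show an 'init.' label or long, high-entropy leftmost labels."""
    per_zone = defaultdict(lambda: {"total": 0, "txt": 0, "init": 0, "long_labels": 0})
    for name, qtype in questions:
        parts = name.split(".")
        st = per_zone[".".join(parts[-zone_labels:])]
        st["total"] += 1
        st["txt"] += qtype == QTYPE_TXT
        st["init"] += parts[0] == "init"
        sub = parts[:-zone_labels]
        if sub and len(sub[0]) >= min_label_len and shannon_entropy(sub[0]) >= min_entropy:
            st["long_labels"] += 1
    return {z: st for z, st in per_zone.items()
            if st["txt"] >= min_txt and (st["init"] or st["long_labels"])}


if __name__ == "__main__":
    for zone, stats in tunnel_suspects(dns_questions(SAMPLE_PCAP)).items():
        print(zone, stats)
```

Run it as-is to see the constructed tunnel zone flagged while the benign zone stays quiet; point `dns_questions` at the bytes of a real capture file to score its zones, and drop the `init` criterion if the tool you are hunting for does not use that label.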