ASIS CTF Finals 2015 - Big Lie (Forensics 100)

ASIS CTF 2015 Finals just took place over the weekend of 10,11 October 2015. The finals is open to all, however only qualified teams will be allowed to win the prizes. NUS Greyhats took part in it and solved a few challenges, this is our write-up for some of the challenges from ASIS CTF 2015 Finals.

Big Lie

Points:100 Category: Forensics

Find the flag.

MD5: c3037269053e61e10a2a2457051519c8


Our solution

We are given a pcap file and asked to find the flag. Opening up the pcap file with Wireshark, we then see many HTTP traffic conversations in it.

So, the first thing to do is to filter away redundant packets. I am only looking for HTTP requests URI with the word “asis” in it. http.request.uri contains asis

We can see this this weird piwik.php request made to a HTTP server, and there seems to be a pastebin url in the GET request. http://0bin.asis.io/paste/Vyk5W274#1L8OT3oT7Xr0ryJlS5ASprAqgsQysKeebbSK90gGyQo

Looking at all similar conversations, I found 3 such conversations.

The first one is: http://0bin.asis.io/paste/TINcoc0f#-krvZ7lGwZ4e2JQ8n+3dfsMBqyN6Xk6SUzY7i0JKbpo

The second one is: http://0bin.asis.io/paste/Vyk5W274#1L8OT3oT7Xr0ryJlS5ASprAqgsQysKeebbSK90gGyQo

The third one which gave us our flag is: http://0bin.asis.io/paste/1ThAoKv4#Zz-nHPnr0vGGg3s/7/RWD2pnZPZl580x9Y2G3IUehfc

Throwing this into a text editor gives me:

And we have our flag: ASIS{e29a3ef6f1d71d04c5f107eb3c64bbbb}

comments powered by Disqus