This challenge was rather simple. Here we had a tcpdump capture file with a lot of different HTTP requests. A few of them were directed to 172.16.33.144:8010, including a GET request for “myfile”.

After extracting the file, it turned out to be another pcap file containing some overly long packets, which made it impossible to open with Wireshark or tcpdump. Fortunately, there are existing tools that automatically fix capture files; we used the online version of pcapfix (http://f00l.de/hacking/pcapfix.php).
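Oversized packet records of the kind described above can be located before handing the file to a repair tool. This is an added example, not code from the original writeup or from pcapfix: it assumes the classic libpcap file format, and `scan_pcap`, `build_sample`, the `hard_limit` ceiling and the sample bytes are constructed for illustration. It only detects a bad record length and does not repair it.

```python
import struct

# Classic pcap magic (microsecond timestamps) as stored on disk -> struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def scan_pcap(data, hard_limit=262144):
    """Walk the record headers of a classic pcap byte string.

    Returns (snaplen, problems); each problem is (index, offset, incl_len, reason).
    hard_limit is an assumed sanity ceiling used when snaplen is 0 or larger.
    """
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    limit = min(snaplen, hard_limit) if snaplen else hard_limit
    problems, offset, index = [], 24, 0
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > limit:
            problems.append((index, offset, incl_len, "incl_len exceeds snaplen"))
            break  # the length is untrustworthy, so the next record cannot be located
        if offset + 16 + incl_len > len(data):
            problems.append((index, offset, incl_len, "record runs past end of file"))
            break
        offset += 16 + incl_len
        index += 1
    return snaplen, problems

def build_sample(records, snaplen=65535):
    """Constructed sample capture: records is a list of (claimed_incl_len, payload)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for claimed, payload in records:
        out += struct.pack("<IIII", 0, 0, claimed, claimed) + payload
    return out

if __name__ == "__main__":
    damaged = build_sample([(4, b"abcd"), (0x01000000, b"xy")])
    snaplen, problems = scan_pcap(damaged)
    print("snaplen:", snaplen)
    for index, offset, incl_len, reason in problems:
        print(f"record {index} at offset {offset}: incl_len={incl_len} ({reason})")
```

The reported offset is where the suspect 16-byte record header starts, which is the place to inspect in a hex editor if an automatic repair fails.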

A quick look showed that there was a lot of communication with a printer going on, including TCP streams transferring PostScript files. So, easy going: we just extracted all PostScript files from their TCP streams and looked at them. They all contained text created with figlet (http://www.figlet.org/). More specifically, the visible contents of the printed files were:

  • 1.gs: 1234567890

  • 2.gs: Do you know about figlet? FIGlet is a program for making large letters out of ordinary text.

  • 3.gs: ASIS_54ca36b2e3e49fc30e566c1de0589f38

And yes, that’s the flag!

-nsr