ASIS CTF Finals 2014 - TicTac (Forensics 200)
In this challenge we receive a network dump consisting mainly of ICMP packets. At first I thought about some ICMP tunnel, but that was not the case; after some more digging I found a strange payload in some of the packets.
These payloads always start with 7069636b206d653a20, which decodes to “pick me: ”. Definitely promising! Let’s get all of them:
$ strings tictac.pcap | grep -oE '7069636b206d653a20[0-9a-f]{4}' | uniq
7069636b206d653a204153
7069636b206d653a204953
7069636b206d653a205f36
7069636b206d653a206435
7069636b206d653a203461
7069636b206d653a203637
7069636b206d653a203635
7069636b206d653a203965
7069636b206d653a203435
7069636b206d653a206564
7069636b206d653a206265
7069636b206d653a203633
7069636b206d653a206262
7069636b206d653a206639
7069636b206d653a203039
7069636b206d653a206536
7069636b206d653a206231
7069636b206d653a203833
7069636b206d653a206120
(Note: some strings are duplicated because the ICMP reply packets carry the same payload as the request, so it’s better to pipe through uniq in order to filter them out.)
Now we just need a Python 2 one-liner to get the flag (where a is a string containing all the payloads above):
>>> "".join([x.decode('hex').split('pick me: ')[1] for x in a.split()])
'ASIS_6d54a67659e45edbe63bbf909e6b183a '
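The same extraction done by parsing the packets instead of grepping strings, as an added example that is not part of the original writeup. It keeps only ICMP echo requests (type 8), so the echoed replies are dropped without relying on uniq, which would also swallow two legitimately identical fragments sent back to back. The frames are constructed inline with a placeholder flag, and the marker is assumed to sit at the start of the ICMP data as the capture shows.

```python
import struct

MARKER = b"pick me: "


def build_icmp_frame(icmp_type, ident, seq, payload):
    """Constructed sample frame: Ethernet + IPv4 + ICMP echo (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + icmp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4


def extract_fragments(frames):
    """Return the marked payload fragments, in capture order, from echo requests only.
    Replies (type 0) echo the request data, so skipping them removes the duplicates."""
    fragments = []
    for frame in frames:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not an IPv4 frame
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4  # header length in bytes
        if ip[9] != 1:
            continue  # protocol field: 1 is ICMP
        icmp = ip[ihl:]
        if len(icmp) < 8:
            continue
        icmp_type = icmp[0]
        payload = icmp[8:]
        if icmp_type == 8 and payload.startswith(MARKER):
            fragments.append(payload[len(MARKER):])
    return fragments


def reassemble(frames):
    return b"".join(extract_fragments(frames)).decode()


# Constructed capture: a placeholder flag split into 2-byte chunks, each sent as a
# request and echoed back in a reply, plus an unrelated ping in the middle.
FLAG = "ASIS_example"  # placeholder, not the real flag
CHUNKS = [FLAG[i:i + 2] for i in range(0, len(FLAG), 2)]
SAMPLE_FRAMES = []
for i, chunk in enumerate(CHUNKS):
    SAMPLE_FRAMES.append(build_icmp_frame(8, 0x1234, i, MARKER + chunk.encode()))
    SAMPLE_FRAMES.append(build_icmp_frame(0, 0x1234, i, MARKER + chunk.encode()))
SAMPLE_FRAMES.insert(3, build_icmp_frame(8, 0x1234, 99, b"plain ping noise"))

if __name__ == "__main__":
    print(reassemble(SAMPLE_FRAMES))
```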