Tags: ciphers forensics encryption 


A PCAP file was provided for analysis named net_756d631588cb0a400cc16d1848a5f0fb.pcap.  

Opening the file in Wireshark and performing a string search for "flag{" (Filter Flag of Edit --> Find Packet with String/Packet bytes selected) yields some code and text in packet 60.  Following the TCP stream (right click --> Follow TCP Stream) formats the contents nicely:



Analysis of the encode function shows that this cipher works as follows:

1.  It takes the plaintext and converts it to base 64 first, then prepends a "2" to the ciphertext it creates.
2.  It then randomly chooses between the rot-13 shift cipher, base 64 and a Caesar cipher and applies the chosen one to the ciphertext (including the "2" that was prepended).  It then prepends the number 1, 2 or 3 to the new ciphertext (corresponding to the cipher's position in the enc_ciphers array).
3.  Step two repeats until cnt reaches the value it was given by the function call (50 by default).

Now, to reverse the process, evaluate the first character of the ciphertext and apply the appropriate decode/shift code to it.  A b64decode function has already been provided, so this can be used whenever a 2 is seen as the first character of the string.  Rot-13 is also easy, since the same shift is applied to get plaintext back.  For the Caesar cipher, all that is needed is to change the shift value appropriately:

So now, the decoder will work as follows:

1.  Check the first character of the ciphertext string.
2.  Omitting the first character: apply Rot-13 if the character is "1", apply base 64 decoding if the character is "2", and apply a shift of 23 if the character is "3".  Store this value as the new ciphertext.
3.  Repeat steps one and two until the leading character is not "1", "2" or "3".

One possible solution is therefore:

Using the long string that follows the code in the TCP Stream as input:

Finally, running the script, the flag turns out to be:
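
The encoder from the analysis and the decoder steps listed above, as an added Python 3 example (not the script from the capture and not the author's solution). Assumptions: the Caesar step shifts lowercase letters only by 3 (the write-up gives only the decode shift of 23), and the sample flag is a constructed placeholder.

```python
import base64
import codecs
import random
import string

LOWER = string.ascii_lowercase

def caesar(s, shift):
    # Assumption: only lowercase letters are shifted; digits (and so the
    # layer markers), uppercase and symbols pass through unchanged.
    shift %= 26
    return s.translate(str.maketrans(LOWER, LOWER[shift:] + LOWER[:shift]))

def rot13(s):
    return codecs.encode(s, "rot_13")  # self-inverse, leaves digits alone

def b64e(s):
    return base64.b64encode(s.encode()).decode()

def b64d(s):
    # validate=True rejects non-base64 input instead of silently skipping it
    return base64.b64decode(s, validate=True).decode()

# Marker digit -> transform, following enc_ciphers order (1, 2, 3).
ENCODERS = {"1": rot13, "2": b64e, "3": lambda s: caesar(s, 3)}   # shift 3 assumed
DECODERS = {"1": rot13, "2": b64d, "3": lambda s: caesar(s, 23)}  # 23 = 26 - 3

def encode(pt, cnt=50, rng=random):
    tmp = "2" + b64e(pt)
    for _ in range(cnt):
        tag = rng.choice("123")
        tmp = tag + ENCODERS[tag](tmp)
    return tmp

def decode(ct):
    """Peel layers while the first character is a marker; return (text, layers)."""
    layers = 0
    while ct[:1] in DECODERS:
        try:
            ct = DECODERS[ct[0]](ct[1:])
        except ValueError:
            # A leading "2" that is not followed by valid base64 is data,
            # not a marker: stop here rather than crash.
            break
        layers += 1
    return ct, layers

if __name__ == "__main__":
    sample = "flag{constructed_sample_not_the_real_flag}"  # constructed input
    text, layers = decode(encode(sample, rng=random.Random(1)))
    print(layers, text)
```

The stop condition relies on the plaintext not starting with "1", "2" or "3"; a plaintext that begins with "1" or "3" would be peeled one layer too far, which is harmless for a value starting with "flag{".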