Tags: forensic

Rating: 5.0

# Find the plain

[vithim.pcapng](./src/vithim.pcapng)

## Solution

Here I have the network traffic dump. I loaded it to Wireshark and used filter ftp || ftp-data as for in the task was said that data was sent with FTP.

![filter](./src/filter.png)

Next, I followed the TCP stream and found the password.

Now I need to find the data. So I looked at FTP-DATA packet.

![ftp-data](./src/ftp_data.png)

Here I see some Base64 encoded string. Decoding it...

![from_base](./src/from_base.png)

Got the URL.

![data](./src/data.png)

And now I have the data. But the system won't accept the flag KorNewbie{root_k459iki6m5j094m2lmkhjmi9527l81ml}. Seems like I did something wrong. Let's dig some deeper.

Looking at expert information I found this fascinating comment

![comment](./src/comment.png)

Ok, now I decrypt the data

![decrypt](./src/decrypt.png)

The flag must be KorNewbie{root_d459bdb6f5c094f2efdacfb9527e81fe}, although I can't check it because the CTF have been paused for a 15 hours by now =)

The flag is actually the cracked boss name concatenated with the ftp password root

![crack](./src/md5_cracked.png)

KorNewbie{root_IronDragon

Original writeup (https://github.com/0awawa0/CTF-Writeups/tree/master/Newbie%20CTF%202019/Find%20the%20plain).