Tags: pcap
Rating:
# Release The Crackin'! | Traffic Analysis
[Original writeup](https://github.com/TheArchPirate/ctf-writeups/blob/main/DEADFACE/traffic-analysis/release-the-crackin.md)
## Description
- - -
Luciafer cracked a password belonging to the victim. Submit the flag as: flag{password}.
Use the PCAP from LYTTON LABS 01 - Monstrum ex Machina.
## Location of PCAP
- - -
You can find a copy of this pcap in my writeups repository. If you would like a copy, please go to:
ctf-writeups/DEADFACE/files/PCAP/pcap-challenge-final.pcapng
## Solution
- - -
We know that the service being used to log in is going to ask for a password so we can search the file for the string "password". Applying this filter and searching through a few of the packets we see that someone is using the cgeschickter account and trying to brute force the password with rock you over FTP.
![](https://raw.githubusercontent.com/TheArchPirate/ctf-writeups/main/DEADFACE/images/ftp-bruteforce.png)
Now that we know the user is using FTP we can search for the FTP success response (230) to see the password that was successful.
Wireshark filter:
```
ftp.response.code == 230
```
Now we can right click on this and use the options Follow > TCP Stream. This will present a conversation including the failed attempts with the successful one at the end.
![](https://raw.githubusercontent.com/TheArchPirate/ctf-writeups/main/DEADFACE/images/ftp-success.png)
we now have the password that makes the flag.
## flag
- - -
flag{darkangel}