Tags: pcap
Rating:
#the stuff
We are given a pcap with a lot of Bing searches about why cilantro tastes like soap. Opening the stream in Wireshark, we notice that there are some SMTP packets at the top, one of which mentions "the stuff".
If we right-click on an SMTP packet and click "Follow TCP Stream" we can read the entire email:
```
220 wren.wv.cc.cmu.edu Python SMTP proxy version 0.2
EHLO [192.168.120.138]
502 Error: command "EHLO" not implemented
HELO [192.168.120.138]
250 wren.wv.cc.cmu.edu
MAIL FROM:<[email protected]>
250 Ok
RCPT TO:<[email protected]>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Message-ID: <1460851088.7821.1.camel@ubuntu>
Subject: The Stuff
From: John Doe <[email protected]>
To: [email protected]
Date: Sat, 16 Apr 2016 16:58:08 -0700
Content-Type: multipart/mixed; boundary="=-zAAY+FBv9yZgwoZy4KHy"
X-Mailer: Evolution 3.10.4-0ubuntu2
Mime-Version: 1.0
--=-zAAY+FBv9yZgwoZy4KHy
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Yo, I got the stuff.
--=-zAAY+FBv9yZgwoZy4KHy
Content-Type: application/zip; name="flag.zip"
Content-Disposition: attachment; filename="flag.zip"
Content-Transfer-Encoding: base64
UEsDBBQACQAIAHGBkEjDELQcOSoAAFk3AAAIABwAZmxhZy5qcGdVVAkAA6XGElfKxhJXdXgLAAEE
6AMAAAToAwAAcu3qNOrf/ikOGiuwzSTfpxNkjsV6RU5ygGcK3CdWBI5s486P2jSZZMCE1dsgcB5C
...
... <more stuff here>
...
Z1VUBQADpcYSV3V4CwABBOgDAAAE6AMAAFBLBQYAAAAAAQABAE4AAACLKgAAAAA=
--=-zAAY+FBv9yZgwoZy4KHy--
.
250 Ok
QUIT
221 Bye
```
The base-64 encoded text seems to be an attachment called `file.zip`. Once we base-64 decode the string back to a zip file and try to open it, we realize that it is password-protected.
Going back to Wireshark, we use the filter `smtp` to filter out non-SMTP packets. We then notice a second SMTP stream:
```
220 wren.wv.cc.cmu.edu Python SMTP proxy version 0.2
EHLO [192.168.120.138]
502 Error: command "EHLO" not implemented
HELO [192.168.120.138]
250 wren.wv.cc.cmu.edu
MAIL FROM:<[email protected]>
250 Ok
RCPT TO:<[email protected]>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Message-ID: <1460851191.7821.2.camel@ubuntu>
Subject: Wait, hang on
From: John Doe <[email protected]>
To: [email protected]
Date: Sat, 16 Apr 2016 16:59:51 -0700
Content-Type: text/plain
X-Mailer: Evolution 3.10.4-0ubuntu2
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Yo, you'll need this too: super_password1
.
250 Ok
QUIT
221 Bye
```
The password for the zip is `super_password1`, and opening the zip yields the image:
![flag](https://github.com/TechSecCTF/writeups/blob/master/plaidctf2016/thestuff/flag.jpg)
The flag is: `PCTF{LOOK_MA_NO_SSL}`.