Tags: wireshark python3.8 


### **[Original writeup with images](https://github.com/bias0/writeups/tree/main/csaw21-constela)**

### **Traffic Analysis**

They provide a *.pcap* containing a lot of different traffic. After inspecting the conversations for a while, I found a TCP stream with an interesting repeated **hexadecimal string**.


Decoding it gave a **base64** message, which I decoded with the usual pipe `echo "base64_message" | base64 -d`:

>I"enable_news_feed:ETTI" automatically_check_updates;TTI"usage_metrics_user_data;TTI"update_proxy_error;T0I"update_available;T0

**Unfortunately, this led nowhere :(**.

So I returned to the *.pcap* to look for something else. In the **DNS messages** I noticed something strange: among many requests to a variety of sites, I ***c***saw (xD) some odd domain names that appear one right after the other, for example:

> JEdQR0dBLCwzMC4wLE4sMzUuMCxXLDcs.com

Then, as before, I base64-decoded the concatenation of the two strings, minus the *.com*.


This is the message format used for **GPS satellite location** (*as hinted by the challenge description*), with fields as follows:

> GGA Global Positioning System Fix Data
> 123519 Fix taken at 12:35:19 UTC
> 4807.038,N Latitude 48 deg 07.038' N
> 01131.000,E Longitude 11 deg 31.000' E
> 1 Fix quality: 0 = invalid
> 1 = GPS fix (SPS)
> 2 = DGPS fix
> 3 = PPS fix
> 4 = Real Time Kinematic
> 5 = Float RTK
> 6 = estimated (dead reckoning) (2.3 feature)
> 7 = Manual input mode
> 8 = Simulation mode
> 08 Number of satellites being tracked
> 0.9 Horizontal dilution of position
> 545.4,M Altitude, Meters, above mean sea level
> 46.9,M Height of geoid (mean sea level) above WGS84 ellipsoid
> (empty field) time in seconds since last DGPS update
> (empty field) DGPS station ID number
> *47 the checksum data, always begins with *

I tried to put the coordinates into Google Maps, but they land in the Atlantic Ocean with nothing to see.

I then noticed that every time the two concatenable strings appear in the DNS streams, they differ slightly in a few characters, meaning there are more coordinates.

I collected all of them using a wireshark filter:

> `dns && (((ip.src == && (ip.dst == && ((frame.len==109) || (frame.len==105)) && dns.qry.name `

which takes all the frames that come paired one after the other, without repeating them through the forwarded DNS requests. Wireshark can export the result as a JSON file for use in a Python exploit ([export](constela/values.json)).

## **Exploit**

In the exploit I took the values (**321 locations**) of longitude, latitude and altitude and plotted them. After a lot of different tries (even a 3D plot with all three, quite beautiful), I finally found the right combination: **Latitude and Altitude**, each with at most 25 distinct values.
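The whole pipeline described above, from the Wireshark JSON export to the latitude/altitude picture, reconstructed as an added Python example. This is not the writeup's own exploit and it runs on constructed data rather than the challenge's 321 fixes: it walks the export for `dns.qry.name` values, drops the `.com`, concatenates consecutive labels, base64-decodes them into `$GPGGA` sentences, parses the fields from the table above (verifying the `*47`-style checksum), and ranks the distinct latitudes and altitudes into a grid. The JSON shape built by `make_export`, the 5x5 pattern, the `.com` suffix handling, the noise lookup and the 32-character split are all assumptions; the first label it produces for the 30.0 N / 35.0 W fix is the `JEdQR0dBLCwzMC4wLE4sMzUuMCxXLDcs` string quoted above.

```python
from __future__ import annotations
import base64, binascii, json
from functools import reduce
from operator import xor
from typing import Iterator, Optional

TLD = ".com"  # suffix stripped from every query name before base64-decoding (assumed)


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two upper-case hex digits."""
    return f"{reduce(xor, body.encode('ascii')):02X}"


def query_names(node) -> Iterator[str]:
    """Yield every 'dns.qry.name' value, in packet order, from a Wireshark JSON export."""
    if isinstance(node, dict):  # walked recursively, so the exact nesting does not matter
        for key, value in node.items():
            if key == "dns.qry.name":
                yield value
            else:
                yield from query_names(value)
    elif isinstance(node, list):
        for item in node:
            yield from query_names(item)


def b64_decode_loose(text: str) -> Optional[bytes]:
    """Base64-decode text whose '=' padding may be missing; None if not base64."""
    try:
        return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_sentences(names) -> list[str]:
    """Join consecutive query labels (minus the TLD) whose base64 decodes to a
    $GPGGA sentence; a name repeated back-to-back (the forwarded copy) counts once."""
    labels: list[str] = []
    for name in names:
        if name.endswith(TLD) and (not labels or labels[-1] != name[:-len(TLD)]):
            labels.append(name[:-len(TLD)])
    sentences, i = [], 0
    while i + 1 < len(labels):
        raw = b64_decode_loose(labels[i] + labels[i + 1])
        text = raw.decode("ascii", "replace") if raw else ""
        if text.startswith("$GPGGA,"):
            sentences.append(text)
            i += 2  # both halves consumed
        else:
            i += 1  # not the start of a pair; slide on
    return sentences


def parse_gga(sentence: str) -> Optional[dict]:
    """Split a $GPGGA sentence into the fields of the table above (only those
    the plot needs are converted); the checksum is verified and reported."""
    if not sentence.startswith("$GPGGA,") or "*" not in sentence:
        return None
    body, _, given = sentence[1:].partition("*")
    f = body.split(",")
    if len(f) < 15 or not (f[2] and f[4] and f[9]):
        return None
    return {"time": f[1], "lat": float(f[2]), "lat_dir": f[3], "lon": float(f[4]),
            "lon_dir": f[5], "quality": int(f[6] or 0), "alt": float(f[9]),
            "checksum_ok": given.strip().upper() == nmea_checksum(body)}


def lat_alt_grid(fixes) -> list[str]:
    """Rank the distinct latitudes and altitudes and mark every (lat, alt) pair seen;
    rows run north to south, columns by increasing altitude. Only the ordering
    matters, so the raw field values are used without NMEA degree conversion."""
    lats = sorted({f["lat"] for f in fixes}, reverse=True)
    alts = sorted({f["alt"] for f in fixes})
    cells = {(f["lat"], f["alt"]) for f in fixes}
    return ["".join("#" if (la, al) in cells else "." for al in alts) for la in lats]


def grid_from_export(export_json: str) -> list[str]:
    """Whole pipeline: JSON export -> query names -> GGA sentences -> picture."""
    sentences = extract_sentences(query_names(json.loads(export_json)))
    return lat_alt_grid([g for g in map(parse_gga, sentences) if g])


PATTERN = ["#####", "#....", "###..", "#....", "#...."]  # constructed 5x5 stand-in for the QR code


def encode_as_labels(sentence: str, split_at: int = 32) -> tuple[str, str]:
    """Base64 a sentence, drop the padding and split it into two DNS labels (assumed scheme)."""
    b64 = base64.b64encode(sentence.encode("ascii")).decode().rstrip("=")
    return b64[:split_at], b64[split_at:]


def make_export(pattern=PATTERN) -> str:
    """Constructed JSON in roughly the shape of Wireshark's packet export: one query
    pair per filled cell, each request followed by its forwarded copy, plus noise."""
    def packet(name):
        return {"_source": {"layers": {"dns": {"Queries": {
            f"{name}: type A, class IN": {"dns.qry.name": name}}}}}}
    packets = []
    for r, row in enumerate(pattern):
        for c, ch in enumerate(row):
            if ch == "#":
                lat, alt = 30.0 + len(pattern) - 1 - r, 10.0 + c
                body = f"GPGGA,,{lat:.1f},N,35.0,W,7,,,{alt:.1f},M,,M,,"
                for label in encode_as_labels(f"${body}*{nmea_checksum(body)}"):
                    packets += [packet(label + TLD)] * 2
    packets.insert(4, packet("www.example.com"))  # an unrelated lookup as noise
    return json.dumps(packets)
```

Calling `grid_from_export(make_export())` returns the five rows of `PATTERN`; with the real export, skip `make_export` and pass the file contents to `grid_from_export`. `parse_gga` keeps `checksum_ok` as information instead of dropping a fix on a bad checksum, so a single corrupted sentence cannot punch a hole in the picture.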

## The result is a square that, shrunk a bit, gives a **QR CODE** that returns the flag!

> `flag{tH3_5chw1fTy_C0n3teLat10N}`
