Tags: wireshark python3.8
### **[Original writeup with images](https://github.com/bias0/writeups/tree/main/csaw21-constela)**
### **Traffic Analysis**
They provide a *.pcap*, in which we can find a lot of different traffic. After inspecting the conversations a little, I found a TCP stream with an interesting repeated **hexadecimal string**.
That resulted in a **base64** message, decoded with the usual pipe of `echo "base64_message" | base64 -d` :
**Unfortunately, this led nowhere :(**.
So I returned to the *.pcap* in order to find something else. In the **DNS messages** I noticed something strange. In a lot of traces with requests to a variety of sites, I ***c***saw (xD) some odd sites that appear one following the other, for example:
Then, as before, I decoded it from base64, taking the concatenation of the two strings except the *.com*.
This is a message format used for the **GPS satellite location** (*as hinted by the challenge description*) with fields as follows:
```
GGA            Global Positioning System Fix Data
123519         Fix taken at 12:35:19 UTC
4807.038,N     Latitude 48 deg 07.038' N
01131.000,E    Longitude 11 deg 31.000' E
1              Fix quality: 0 = invalid
                            1 = GPS fix (SPS)
                            2 = DGPS fix
                            3 = PPS fix
                            4 = Real Time Kinematic
                            5 = Float RTK
                            6 = estimated (dead reckoning) (2.3 feature)
                            7 = Manual input mode
                            8 = Simulation mode
08             Number of satellites being tracked
0.9            Horizontal dilution of position
545.4,M        Altitude, Meters, above mean sea level
46.9,M         Height of geoid (mean sea level) above WGS84
(empty field)  time in seconds since last DGPS update
(empty field)  DGPS station ID number
*47            the checksum data, always begins with *
```
I tried to put the coordinates in Google Maps but they are placed in the Atlantic Ocean with nothing to see.
After that I noticed that in the DNS streams, every time the two strings that can be concatenated appear, they have a slight difference in the characters, meaning that there are more coordinates.
I collected all of them using a wireshark filter:
> `dns && (((ip.src == 127.0.0.1) && (ip.dst == 127.0.0.53))) && ((frame.len==109) || (frame.len==105)) && dns.qry.name `
that takes all the frames that are coupled one after the other, without repeating them with the DNS request forwarding. Wireshark gives the possibility to export the result in a JSON file, in order to use it in a Python exploit ([export](constela/values.json)).
In the exploit I took the values (**321 locations**) of longitude, latitude and altitude in order to plot them, and after a lot of different tries (even a 3D plot with all the elements, quite beautiful), I finally managed to get the right combination: **Latitude and Altitude**, both with a max range of 25 different elements.
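The decoding steps described above, as an added example that is not the author's exploit script: it joins two consecutive query names, base64-decodes them, checks and parses the GGA sentence, and ranks the distinct values of two fields into grid cells. The function names, the sample names, the padding handling and the axis order are assumptions; the sample sentence is rebuilt from the field table above.

```python
import base64
from functools import reduce

def decode_pair(first, second, suffix=".com"):
    """Join two consecutive query names, drop the suffix, base64-decode."""
    parts = (n[:-len(suffix)] if n.endswith(suffix) else n for n in (first, second))
    joined = "".join(parts)
    # Re-add any '=' padding that was dropped from the name.
    return base64.b64decode(joined + "=" * (-len(joined) % 4)).decode("ascii")

def parse_gga(sentence):
    """Check the NMEA checksum, return (lat_deg, lon_deg, altitude_m)."""
    body, _, given = sentence.strip().lstrip("$").partition("*")
    # The checksum is the XOR of every character between '$' and '*'.
    if reduce(lambda acc, ch: acc ^ ord(ch), body, 0) != int(given, 16):
        raise ValueError("bad NMEA checksum")
    f = body.split(",")
    if not f[0].endswith("GGA"):
        raise ValueError("not a GGA sentence")

    def to_deg(value, hemi, deg_digits):
        # ddmm.mmm (latitude) / dddmm.mmm (longitude) -> signed decimal degrees
        deg = int(value[:deg_digits]) + float(value[deg_digits:]) / 60
        return -deg if hemi in ("S", "W") else deg

    return to_deg(f[2], f[3], 2), to_deg(f[4], f[5], 3), float(f[9])

def to_grid(points):
    """Rank the distinct x and y values so every point lands on one cell."""
    xs = sorted({x for x, _ in points})
    ys = sorted({y for _, y in points})
    grid = [[0] * len(xs) for _ in ys]
    for x, y in points:
        grid[ys.index(y)][xs.index(x)] = 1
    return grid

# Constructed sample (not from the capture): the GGA sentence from the field
# table, base64-encoded without padding and split over two ".com" names.
SAMPLE = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"
_b64 = base64.b64encode(SAMPLE.encode()).decode().rstrip("=")
NAMES = (_b64[:40] + ".com", _b64[40:] + ".com")

if __name__ == "__main__":
    lat, lon, alt = parse_gga(decode_pair(*NAMES))
    print(lat, lon, alt)
    for row in to_grid([(lat, alt), (lat + 0.001, alt), (lat, alt + 1.0)]):
        print("".join("#" if cell else "." for cell in row))
```

Feeding `to_grid` the (latitude, altitude) pair of every decoded sentence yields the matrix to render; swap or flip the axes if the picture comes out mirrored.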
## The result is a square, that if shrunk a bit gives a **QR CODE** that returns the flag!