Tags: misc wireshark 

Rating:

# Backup (misc)
Writeup by: [xlr8or](https://ctftime.org/team/235001)

A `pcap` file was provided as part of this challenge; it can be inspected with Wireshark.
Immediately noticeable are a number of `telnet` packets in the capture. Telnet is always worth a look, because it is a plaintext protocol: everything typed in the session, credentials included, travels unencrypted and can be read straight out of the capture (right-click a telnet packet and choose `Follow > TCP Stream`).

The telnet capture reveals the username and password that was used for authentication:
```
Login incorrect
1337router login: rroooott

Password: sup3rs3cur3
```

The username shows up as `rroooott` because the telnet server echoes every keystroke back to the client and Wireshark's stream view interleaves both directions; the password is typed with echo off, which is why it appears only once. So the **root** user authenticated with password **sup3rs3cur3**.
Further on, the same echo doubling shows the command `activate_ftp` being run, which starts an FTP server:
```
<< Welcome to 1337router! >>
Last login: Wed Jan 25 17:00:37 UTC 2023 from 192.168.56.3 on pts/2
.[?2004h.]0;root@1337router: ~.root@1337router:~# aaccttiivvaattee__ffttpp

.[?2004l
.ftp server activated
.[?2004h.]0;root@1337router: ~.root@1337router:~# ..[?2004l
.
logout
```

The capture can therefore be filtered for FTP traffic (the display filter `ftp` shows the control channel on port 21):

```
220 Welcome to 1337 FTP service.
USER anonymous
331 Please specify the password.
PASS xxx
230 Login successful.
SYST
215 UNIX Type: L8
PORT 192,168,56,3,188,253
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 192,168,56,3,213,243
200 PORT command successful. Consider using PASV.
RETR backup.zip
150 Opening BINARY mode data connection for backup.zip (411 bytes).
226 Transfer complete.
QUIT
221 Goodbye.
```

At the bottom of the exchange the client switches to binary mode (`TYPE I`), announces a data endpoint with `PORT` (active mode: `192,168,56,3,213,243` decodes to 192.168.56.3, port 213*256+243 = 54771) and requests `backup.zip`. The file itself travels over that separate data connection, not over the control channel, so it is not visible in the `ftp` filter. Wireshark can carve it out via `File > Export Objects > FTP-DATA`; export the only entry in the dialog.
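The two parsing steps above (recovering typed input from the echo-doubled telnet stream, and pairing the FTP `PORT` announcement with the `RETR` so the right FTP-DATA stream can be located) are shown below as an added example; this is not code from the original writeup. The two stream dumps are constructed samples that mirror the capture with the terminal escape sequences stripped, and the function names are my own. It goes slightly beyond the page's case by also decoding passive-mode `227` replies, which is the alternative the server's "Consider using PASV" hint refers to.

```python
import re
from typing import Optional

# Constructed sample (not the challenge file): the telnet session as
# Wireshark's "Follow TCP Stream" renders it, terminal escape codes removed.
# The server echoes each keystroke and the stream view interleaves both
# directions, so typed input appears with every character doubled. The
# password is typed with echo off, so it appears once.
TELNET_STREAM = """Login incorrect
1337router login: rroooott

Password: sup3rs3cur3
<< Welcome to 1337router! >>
root@1337router:~# aaccttiivvaattee__ffttpp
ftp server activated
logout
"""

# Constructed sample: the FTP control channel (TCP port 21) of the same capture.
FTP_CONTROL = """220 Welcome to 1337 FTP service.
USER anonymous
331 Please specify the password.
PASS xxx
230 Login successful.
PORT 192,168,56,3,188,253
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 192,168,56,3,213,243
200 PORT command successful. Consider using PASV.
RETR backup.zip
150 Opening BINARY mode data connection for backup.zip (411 bytes).
226 Transfer complete.
QUIT
221 Goodbye.
"""


def undouble_echo(token: str) -> str:
    """Collapse echoed keystrokes: 'rroooott' -> 'root'.

    Only collapses when every character is paired with an identical
    neighbour; anything else (e.g. the un-echoed password) is returned
    unchanged. Caveat: genuinely typed input like 'aabb' collapses too."""
    paired = len(token) % 2 == 0 and all(
        token[i] == token[i + 1] for i in range(0, len(token), 2)
    )
    return token[::2] if paired else token


def telnet_credentials(stream: str) -> Optional[tuple]:
    """Return (user, password) from the last login/password prompt pair."""
    users = re.findall(r"login:\s*(\S+)", stream)
    passwords = re.findall(r"Password:\s*(\S+)", stream)
    if not users or not passwords:
        return None
    return undouble_echo(users[-1]), passwords[-1]


def typed_commands(stream: str) -> list:
    """Return the commands typed at a shell prompt ('user@host:~# cmd')."""
    raw = re.findall(r"^\S+@\S+[#$] (\S.*)$", stream, re.M)
    return [undouble_echo(cmd) for cmd in raw]


def _endpoint(args: str) -> tuple:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in args.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def ftp_transfers(control: str) -> list:
    """Pair each LIST/RETR/STOR with the data connection announced before it.

    Active mode (PORT): the client names the endpoint the server connects to.
    Passive mode (227 reply): the server names the endpoint the client
    connects to. Either way that (ip, port) identifies the FTP-DATA stream
    carrying the bytes; 'filter' is the matching Wireshark display filter."""
    transfers, pending = [], None
    for line in control.splitlines():
        if m := re.match(r"PORT (\d+(?:,\d+){5})\s*$", line):
            pending = ("active", *_endpoint(m.group(1)))
        elif m := re.match(r"227 .*\((\d+(?:,\d+){5})\)", line):
            pending = ("passive", *_endpoint(m.group(1)))
        elif (m := re.match(r"(LIST|RETR|STOR)(?: (.+))?$", line)) and pending:
            mode, ip, port = pending
            transfers.append({
                "cmd": m.group(1), "file": m.group(2), "mode": mode,
                "ip": ip, "port": port, "size": None,
                "filter": f"ip.addr == {ip} && tcp.port == {port}",
            })
            pending = None
        elif (m := re.match(r"150 .*\((\d+) bytes\)", line)) and transfers:
            # The 150 reply to RETR states the file size; keep it as a sanity
            # check against the length of the exported object.
            transfers[-1]["size"] = int(m.group(1))
    return transfers


if __name__ == "__main__":
    print(telnet_credentials(TELNET_STREAM))   # ('root', 'sup3rs3cur3')
    print(typed_commands(TELNET_STREAM))       # ['activate_ftp']
    for t in ftp_transfers(FTP_CONTROL):
        print(t["cmd"], t["file"], t["filter"], t["size"])
```

The `filter` string for the `RETR` entry is what to paste into Wireshark to isolate the data stream by hand; the GUI export does the same pairing internally. On the command line, `tshark -r capture.pcap --export-objects ftp-data,outdir` writes the same objects without opening Wireshark, and the exported file's length should match the 411 bytes announced in the `150` reply.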

This yields `backup.zip`. The archive is password-protected, and the password reused from the root telnet login (`sup3rs3cur3`) extracts `secrets.json` from it.

The flag is contained in `secrets.json`.