NDH 2018 / Forensic (50 pts).

NDH 2018 - ICMP

Event Challenge Category Points Solves
Nuit du hack 16 ICMP Forensic 50 ¯\(ツ)


This forensic / network challenge is made by WorldCitizen for the 16th edition of Nuit du hack (NDH). In this task we are going to deal with ICMP packet in a pcap. You can find the ressource here: analysis.pcap


As I said before, we got a pcap file with approximatly 50 icmp packets. In each packet we can see base64 encoded data.

Then with a little on-liner based on tshark, I was able to get the flag :-)


So, I start with this pcap:

Fig 1 - ICMP packet with base64 encoded data

I just wanted to get all icmp request, so to do that I… Filtered on IP source instead of read the manual :-D

But it worked with this command:

tshark -2 -r analysis.pcap -R "ip.src ==" -T fields -e data | xxd -r -p

Fig 2 - Get the base64 !

The xxd command is here to unhex the content. In fact, tshark will give the hexadecimal value of the field data.


Then, time to flag:

tshark -2 -r analysis.pcap -R "ip.src ==" -T fields -e data | xxd -r -p | base64 -d | grep 'ndh'

Fig 3 - w00t \o/