NDH 2018 - ICMP
|Nuit du hack 16||ICMP||Forensic||50||¯\(ツ)/¯|
This forensic / network challenge was made by WorldCitizen for the 16th edition of Nuit du hack (NDH). In this task we are going to deal with ICMP packets in a pcap. You can find the resource here: analysis.pcap
As I said before, we got a pcap file with approximately 50 ICMP packets. In each packet we can see base64 encoded data.
Then with a little one-liner based on tshark, I was able to get the flag :-)
So, I started with this pcap:
Fig 1 - ICMP packet with base64 encoded data
I just wanted to get all ICMP requests, so to do that I… filtered on the source IP instead of reading the manual :-D
But it worked with this command:
tshark -2 -r analysis.pcap -R "ip.src == 192.168.1.24" -T fields -e data | xxd -r -p
The xxd command is here to unhex the content: tshark prints the data field as a hexadecimal string.
Then, time to flag:
tshark -2 -r analysis.pcap -R "ip.src == 192.168.1.24" -T fields -e data | xxd -r -p | base64 -d | grep 'ndh'
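The same hex, then base64 pipeline in Python, as an added example that is not part of the original write-up. It shows why the payloads have to be joined before decoding, and it goes slightly beyond the one-liner by skipping payloads that are not base64 text. The sample lines are constructed and are not the challenge's data; the function names are hypothetical.

```python
import base64
import binascii
import re

# Constructed sample of `tshark -T fields -e data` output, one hex string per
# packet: three base64 fragments of a made-up message, one packet without a
# data field (empty line) and one ordinary binary ping payload.
SAMPLE_LINES = ["626d526f6532", "", "563459573177",
                "08090a0b0c0d0e0f", "62475639"]

B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def payloads(lines):
    """Hex-decode each non-empty line (the job of `xxd -r -p` in the pipeline)."""
    out = []
    for line in lines:
        text = line.strip().replace(":", "")  # tolerate colon-separated hex
        if text:
            out.append(binascii.unhexlify(text))
    return out


def looks_like_base64(payload):
    """True when the payload contains only base64 alphabet characters."""
    return B64_RE.fullmatch(payload) is not None


def recover(lines):
    """Join the base64-looking payloads in capture order, then decode once."""
    joined = b"".join(p for p in payloads(lines) if looks_like_base64(p))
    return base64.b64decode(joined, validate=True)


def decodes_alone(payload):
    """Check whether one packet's payload is valid base64 by itself."""
    try:
        base64.b64decode(payload, validate=True)
        return True
    except binascii.Error:
        return False


if __name__ == "__main__":
    print(recover(SAMPLE_LINES))
    print([decodes_alone(p) for p in payloads(SAMPLE_LINES)])
```

Fragments that are not a multiple of four characters fail when decoded packet by packet, which is why the one-liner pipes the whole concatenated stream into a single base64 -d.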