ws3
[misc]
What the... record.pcapng
- Download: actf2020-recording3.pcapng
Recon
Another PCAP file; this time we see some git-related traffic.
- Open in Wireshark
- File -> Export Objects -> HTTP
This gives us the following files:
$ ls -la
total 120
448 Mar 14 02:25 .
128 Mar 14 02:21 ..
18068 Mar 14 02:21 git-receive-pack
52 Mar 14 02:21 git-receive-pack(1)
387 Mar 14 02:21 git-receive-pack(2)
52 Mar 14 02:21 git-receive-pack(3)
181 Mar 14 02:21 git-upload-pack
482 Mar 14 02:21 git-upload-pack(1)
19 Mar 14 02:21 refs%3fservice=git-receive-pack
19 Mar 14 02:21 refs%3fservice=git-receive-pack(1)
182 Mar 14 02:21 refs%3fservice=git-receive-pack(2)
182 Mar 14 02:21 refs%3fservice=git-receive-pack(3)
351 Mar 14 02:21 refs%3fservice=git-upload-pack
One file is much bigger than the rest, so let's run binwalk on it:
$ binwalk -e git-receive-pack
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
183 0xB7 Zlib compressed data, default compression
342 0x156 Zlib compressed data, default compression
425 0x1A9 Zlib compressed data, default compression
Then run the file command on the extracted files:
$ file *
156: data
156.zlib: zlib compressed data
1A9: JPEG image data, JFIF standard 1.01, aspect ratio, density 72x72, segment length 16, baseline, precision 8, 413x549, components 3
1A9.zlib: zlib compressed data
B7: ASCII text
B7.zlib: zlib compressed data
The 1A9 file seems to be a JPEG image; opening it gives us the flag.
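In Git's smart HTTP protocol a push POSTs pkt-line ref commands followed by a packfile to git-receive-pack, and each packfile object is its own zlib stream, which is why binwalk carves several streams out of that one body. As an added example (not part of the original write-up), this Python sketch walks that structure directly and checks the pack's SHA-1 trailer; it assumes a raw version 2 or 3 packfile right after the flush-pkt, the function names are hypothetical, and sample_push builds a constructed input rather than the CTF capture.

```python
import hashlib, struct, zlib

TYPES = {1: "commit", 2: "tree", 3: "blob", 4: "tag", 6: "ofs_delta", 7: "ref_delta"}

def parse_push(body):
    """Illustrative helper: return (objects, trailer_ok); objects = [(offset, type, data)]."""
    pos = 0
    while body[pos:pos + 4] != b"0000":          # skip the pkt-line ref commands
        pos += max(int(body[pos:pos + 4], 16), 4)
    start = pos = pos + 4                        # raw packfile follows the flush-pkt
    magic, version, count = struct.unpack(">4sII", body[pos:pos + 12])
    if magic != b"PACK" or version not in (2, 3):
        raise ValueError("no packfile after the flush-pkt")
    pos, objects = pos + 12, []
    for _ in range(count):
        offset, byte = pos, body[pos]
        otype, size, shift, pos = (byte >> 4) & 7, byte & 0x0F, 4, pos + 1
        while byte & 0x80:                       # variable-length inflated size
            byte = body[pos]
            size |= (byte & 0x7F) << shift
            shift, pos = shift + 7, pos + 1
        if otype == 7:                           # ref_delta: 20-byte base object id
            pos += 20
        elif otype == 6:                         # ofs_delta: variable-length base offset
            while body[pos] & 0x80:
                pos += 1
            pos += 1
        inflater = zlib.decompressobj()
        data = inflater.decompress(body[pos:], size + 1)   # cap output at declared size
        if not inflater.eof or len(data) != size:
            raise ValueError("truncated or corrupt object at offset %d" % offset)
        pos = len(body) - len(inflater.unused_data)
        objects.append((offset, TYPES.get(otype, "unknown"), data))
    trailer_ok = hashlib.sha1(body[start:pos]).digest() == body[pos:pos + 20]
    return objects, trailer_ok

def _entry(otype, data):                         # encode one non-delta pack entry
    size, out = len(data) >> 4, bytearray()
    cur = (otype << 4) | (len(data) & 0x0F)
    while size:
        out.append(cur | 0x80)
        cur, size = size & 0x7F, size >> 7
    return bytes(out) + bytes([cur]) + zlib.compress(data)

def sample_push():                               # constructed input, not the CTF capture
    cmd = b"0" * 40 + b" " + b"1" * 40 + b" refs/heads/master\0report-status\n"
    objs = [(1, b"constructed commit body\n"), (3, b"\xff\xd8\xff\xe0" + b"\0" * 300)]
    pack = b"PACK" + struct.pack(">II", 2, len(objs)) + b"".join(_entry(t, d) for t, d in objs)
    return b"%04x" % (len(cmd) + 4) + cmd + b"0000" + pack + hashlib.sha1(pack).digest()
```

On the exported file, pass open("git-receive-pack", "rb").read() to parse_push and write each blob entry to disk. Delta entries are returned as raw delta instructions and are not resolved against their base.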
Flag
actf{git_good_git_wireshark-123323}