Confidential [forensics]

Sherlock was able to intercept the transmission of secret data passed between Moriarty's agents. Examine the traffic and try to find confidential information.

Recon

The PCAP contains FTP traffic in which the client (192.168.1.146) retrieves several files from the server (192.168.1.252):

$ tshark -r captured.pcap | grep RETR
   99  15.198669 192.168.1.146 → 192.168.1.252 FTP 82 Request: RETR 4a56sd4a7s6d4a9sd.png
  721  18.027876 192.168.1.146 → 192.168.1.252 FTP 87 Request: RETR 4a7s6d4a9sd64as4d69asd.jpg
  810  21.083331 192.168.1.146 → 192.168.1.252 FTP 83 Request: RETR 56d5a86sd58a97s5da.png
 1071  23.094712 192.168.1.146 → 192.168.1.252 FTP 84 Request: RETR 7f47a6df8sadf4a8d4f.jpg
 1112  24.923426 192.168.1.146 → 192.168.1.252 FTP 82 Request: RETR a78d5f87a5897as5d.jpg
 1703  26.581193 192.168.1.146 → 192.168.1.252 FTP 68 Request: RETR mi6.mp4
17410  33.014122 192.168.1.146 → 192.168.1.252 FTP 74 Request: RETR database.kdbx

Among the retrieved files is a KeePass database, database.kdbx, whose contents travel on the FTP-DATA connection and can be exported from the pcap.
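The following script is an added example, not part of the original writeup, showing how the export step works under the hood: it reads a libpcap file with the standard library only, reassembles each TCP flow by sequence number, pairs every RETR on the control channel with the port announced by the preceding "227 Entering Passive Mode" reply, and returns the carved files keyed by name. The helper names (read_pcap, carve_ftp, sniff_type), the in-memory sample capture, and its file contents are all constructed for the demonstration; only the two IP addresses come from the tshark output above. Active-mode (PORT) transfers are not handled.

```python
"""Carve files retrieved over passive-mode FTP out of a libpcap capture (stdlib only).
Constructed example helper for the writeup above; active-mode (PORT) transfers are
not handled and TCP checksums are not verified."""
import re
import socket
import struct
from collections import defaultdict

PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)          # little-endian usec / nsec magic
FILE_MAGICS = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpg",
               b"\x03\xd9\xa2\x9a": "kdbx"}      # KeePass 2.x signature
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RETR_RE = re.compile(rb"RETR (\S+)")

def read_pcap(data):
    """Yield (src, sport, dst, dport, seq, payload) for every IPv4/TCP packet."""
    endian = "<" if struct.unpack("<I", data[:4])[0] in PCAP_MAGICS else ">"
    off = 24                                     # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":          # not IPv4 over Ethernet
            continue
        ip = frame[14:]
        if ip[9] != 6:                           # not TCP
            continue
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        yield (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]),
               dport, seq, tcp[(tcp[12] >> 4) * 4:])

def reassemble(packets):
    """Rebuild each one-way flow from its segments ordered by seq; retransmits dropped."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in packets:
        if payload:
            flows[(src, sport, dst, dport)].setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}

def carve_ftp(packets, ctrl_port=21):
    """Map each RETR'd filename to the bytes carried on its passive data connection."""
    streams = reassemble(packets)
    files, pending = {}, {}                      # pending: client ip -> (ip, port)
    for src, sport, dst, dport, _, payload in packets:
        if sport == ctrl_port:                   # server reply: note the PASV port
            m = PASV_RE.search(payload)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                pending[dst] = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        elif dport == ctrl_port:                 # client command: RETR uses that port
            m = RETR_RE.search(payload)
            if m and src in pending:
                data_ip, data_port = pending.pop(src)
                for (fs, fsp, fd, _), body in streams.items():
                    if (fs, fsp, fd) == (data_ip, data_port, src):
                        files[m.group(1).decode()] = body
    return files

def sniff_type(body):
    """Classify a carved file by its leading bytes (None if unknown)."""
    return next((t for sig, t in FILE_MAGICS.items() if body.startswith(sig)), None)

# --- constructed sample capture: client 192.168.1.146, server 192.168.1.252 ---
def tcp_frame(src, sport, dst, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    out += [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return b"".join(out)

C, S = "192.168.1.146", "192.168.1.252"
KDBX_SAMPLE = b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5" + b"constructed kdbx body"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"constructed png body"
SAMPLE_PCAP = build_pcap([
    tcp_frame(C, 50000, S, 21, 1, b"PASV\r\n"),
    tcp_frame(S, 21, C, 50000, 1, b"227 Entering Passive Mode (192,168,1,252,39,16).\r\n"),
    tcp_frame(C, 50000, S, 21, 7, b"RETR database.kdbx\r\n"),
    tcp_frame(S, 10000, C, 50001, 9, KDBX_SAMPLE[8:]),   # later segment captured first
    tcp_frame(S, 10000, C, 50001, 1, KDBX_SAMPLE[:8]),
    tcp_frame(S, 10000, C, 50001, 1, KDBX_SAMPLE[:8]),   # retransmission, deduplicated
    tcp_frame(C, 50000, S, 21, 27, b"PASV\r\n"),
    tcp_frame(S, 21, C, 50000, 52, b"227 Entering Passive Mode (192,168,1,252,39,17).\r\n"),
    tcp_frame(C, 50000, S, 21, 33, b"RETR logo.png\r\n"),
    tcp_frame(S, 10001, C, 50002, 1, PNG_SAMPLE),
])

if __name__ == "__main__":
    for name, body in carve_ftp(list(read_pcap(SAMPLE_PCAP))).items():
        print(f"{name}: {len(body)} bytes, type={sniff_type(body)}")
```

On a real capture, replace SAMPLE_PCAP with the file's bytes (`open("captured.pcap", "rb").read()`) and write each carved body to disk; sniff_type then confirms that what was pulled off the data connection really is a KeePass 2.x database before any cracking is attempted, which is the same check you would do by looking at the first bytes of an exported object.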

Bruteforce

Brute-force the KeePass database with John the Ripper (JTR) and the rockyou.txt wordlist:

$ keepass2john database.kdbx > crackme
$ ./john --wordlist=/home/dsc/hax/rockyou.txt crackme
$ ./john --show crackme
crackme:blowme!
1 password hash cracked, 0 left

Open the KeePass database with the password blowme! and inspect the entry for a person named "Andrea"; its password field holds the flag.

Flag

FLAG{bru73_p455w0rd_4ll_n16h7_l0n6}