CTF Writeup – EBE – LA CTF 2023

CTF Writeup by Frigyes

Introduction

This challenge was originally featured on LA CTF 2023

Category: misc
Description: I was trying to send a flag to my friend over UDP, one character at a time, but it got corrupted! I think someone else was messing around with me and sent extra bytes, though it seems like they actually abided by RFC 3514 for once. Can you get the flag?

Initial findings

With the challenge, we get a Wireshark packet capture file named EBE.pcap

In this capture, there are 308 UDP frames, all containing one (1) single character as data. We know the flag format is lactf{FLAG_TEXT}, so we can discriminate between the first few flag and extra frames. It was at this point I noticed something curious: the reserved bit of all extra frames is set, while the frames containing the flag have it not set.

You could make a filter for that!

Where the reserved bit is not set, we find our flag.

Making the filter

This was a learning experience for me too, as I have not worked with Wireshark before, after some quick googling, I found you can build filters of most kinds very easily. In this case, I selected the reserved bit from flags of the internet protocol, and filtered for not set.

ip.flags.rb != 1

Quick and easy filter

Decoding the flag

After I had that, I just copied the data fields of each frame, which are hex numbers for ASCII characters, into a hex to ASCII converter. The end result is:

hex: 6C 61 63 74 66 7B 33 56 31 4C 5F 38 31 37 5F 33 78 66 31 6C 37 52 34 37 31 30 4E 5F 34 5F 37 48 33 5F 57 31 4E 5F 35 31 44 34 33 63 38 30 30 30 30 33 34 64 30 63 7D

which translates into:

lactf{3V1L_817_3xf1l7R4710N_4_7H3_W1N_51D43c8000034d0c}

If you enjoyed this CTF writeup, check out other writeups I wrote!

Leave a Reply

Your email address will not be published. Required fields are marked *