🏳️
Bag of Flags
  • Home
  • 2023
    • 🅿️picoCTF 2023
      • money-ware
      • repetitions
      • two-sum
      • ReadMyCert
      • rotation
      • hideme
      • PcapPoisoning
      • who is it
      • Reverse
      • timer
      • Safe Opener 2
      • findme
      • MatchTheRegex
      • SOAP
    • 🐦magpieCTF 2023
      • Space Plan
      • Space Exploration
      • So Meta
      • There is no flag
      • Momma says to play fair
      • Rubis
      • What is the password?
      • Eavesdropper
      • Shredded
      • Missing Flag
      • This outta be large enough right?
      • No Password Here
      • Chocolate Chips with Zero-G
      • Education Comes First
    • 🌴ISSessions CTF 2023
      • Basic Permissions
      • Crack Me
      • File Detective
      • Word Vomit
      • Fileception
      • Coding Time
      • Ghost File
      • CryptoTools1
      • CryptoTools2
      • 1337
      • ROT++
      • RunedMyDay
      • RSA_2
      • The Man Who Sold the World
      • VaultChallenge
      • Lost Media
      • Decontamination
      • Decade Capsule
      • Password in A Haystack
  • 2022
    • 🏁UW CTF S22
      • 0s and 1s
      • simple image
      • Helikopter
      • Meow
      • Google Form
      • Strings, literally
      • WASM
      • Audio
      • Pwn0
      • YATD
      • steg
      • Passwords
      • Vitalik
  • Practice
    • 🧠CryptoHack
      • Introduction
        • Finding Flags
        • Great Snakes
      • General
        • ASCII
        • Hex
        • Base64
        • Bytes and Big Integers
        • XOR Starter
        • XOR Properties
        • Favourite byte
        • You either know, XOR you don't
        • Greatest Common Divisor
Powered by GitBook
On this page
  • Description
  • Where's the Cookies?
  • Flag
  1. 2023
  2. magpieCTF 2023

Eavesdropper

PreviousWhat is the password?NextShredded

Last updated 2 years ago

Description

Hello N-Team,

According to recon, one of the captives has been sending flags discretely to our endpoints, and the key flag is going to have something to do with her favourite food. Unfortunately, you just can't remember what it was...

She's got a sweet tooth, so research has determined that it has to do with some kind of dessert, like cookies or cakes. What was her favourite flavour? vanilla? oreo? chocolate chip? Or maybe pistachio?

Good luck, HQ

Where's the Cookies?

We're given a network packet, which we can open with Wireshark

There are 120000 packets! Way too many to search through, so let's try examining the packets

  • Right Click > Follow > TCP Stream

We can see what looks like a flag in a magpie{...} format, but what's inside the curly braces isn't readable text. In fact, if we iterate through the other streams, we see that they all have what appears to be a flag, with random characters in it

As mentioned by the description, the captive has been sending many flags, however there is only one "key flag", which is what we will likely need to find

Something I noticed is that there are HTTP POST requests which sends a request with a flag, then there are a bunch of 405 Not Allowed responses, which implies these requests do not contain the key flag. Thinking that the key flag would be the one that allows for a successful response, I tried CTRL-F "200" and "Success", but no packets were found

Of course manually checking each packet would be impossible, so I needed a way to extract all the possible flags then search for the supposed key flag. After some Googling, I learned that you can run the strings comment on a .pcapng file to get its contents, then we can run grep to extract all the flags

strings nothing_to_see_here.pcapng | grep -i magpie > out

We're told that the contents of the flag have something to do with cake, cookies, chocolate, or some sort of flavored desert, so let's try CTRL-F with educated guesses:

Flag

magpie{chOc0LatE_Ch1p_c0Ok1e5}

🐦
Found chocolate chip cookies
🍪