Writeup DGA - CTF - Time for something different

This article describes my solution for the 150-point challenge called “Time for something different”.

Introduction

The server that collects applications for our cyberdefense job offers has been attacked.
We recorded a trace file in PCAP format. Help us understand what happened.

If you want to test it yourself, data.pcap file is available here.

Start

We have a network capture that seems to have recorded some strange things.

When analyzing the capture with tshark, we notice that only one thing varies from packet to packet: the inter-arrival time between consecutive ICMP packets. The payloads and headers are otherwise identical, so the data has to be hidden in the timing itself.

tshark -r data.pcap -T fields -e frame.time_delta
0.000000000
0.703011000
0.762847000
0.653169000
0.712814000
1.233287000
1.163554000
0.482726000
0.482477000
1.152388000
1.083260000
1.113100000
0.872616000
1.113221000
1.143160000
1.163288000
0.482574000
0.482596000
0.682909000
0.512060000
1.183053000
0.492873000
1.112238000
1.173303000
0.361740000
1.253465000

Headache

After trying arithmetic between consecutive values, searching for Morse code, and turning the 0 and 1 before the decimal point into bits, nothing worked… It turns out that keeping only the first three significant digits of each delay (the digit before the dot plus the first two after it, dropping a leading 0 and the dot) gives something interesting: 0.703 becomes 70, 1.233 becomes 123.

tshark -r data.pcap -T fields -e frame.time_delta | cut -c -4 | sed 's/0\.//' | sed 's/\.//' | tail -n +2 | tr '\n' ' '
70 76 65 71 123 116 48 48 115 108 111 87 111 114 116 48 48 68 51 118 49 111 117 36 125

These numbers are decimal ASCII codes (70 is F, 76 is L, 123 is {, and so on). Converting each one to its character gives the following result.

FLAG{t00sloWort00D3v1ou$}

Here is the flag to validate this challenge.
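The same extraction as a small Python decoder, added here as an example and not part of the original writeup. It embeds the frame.time_delta column listed above as a constructed sample, maps each delay to a byte with floor(delta * 100), and refuses values outside printable ASCII, which is the usual symptom of having picked the wrong field or of non-ICMP frames sitting in the capture. It also includes the inverse direction, an encoder that produces delays carrying a chosen message, to show how the timing channel itself works; the encoder, the jitter parameter and the function names are my own, not anything from the challenge.

```python
#!/usr/bin/env python3
"""Decode (and, for illustration, encode) an ICMP inter-arrival timing channel."""
import sys
from decimal import Decimal, ROUND_DOWN

# Constructed sample: the frame.time_delta column tshark prints for data.pcap,
# copied from the writeup. The first line is the first frame, whose delta is 0.
SAMPLE_TSHARK_OUTPUT = """\
0.000000000
0.703011000
0.762847000
0.653169000
0.712814000
1.233287000
1.163554000
0.482726000
0.482477000
1.152388000
1.083260000
1.113100000
0.872616000
1.113221000
1.143160000
1.163288000
0.482574000
0.482596000
0.682909000
0.512060000
1.183053000
0.492873000
1.112238000
1.173303000
0.361740000
1.253465000
"""


def delta_to_code(delta: str) -> int:
    """Map one inter-arrival delay (seconds, as printed by tshark) to a byte.

    The sender stores the ASCII code in the first three significant digits of
    the delay: 0.703 s -> 70 ('F'), 1.233 s -> 123 ('{'). That is floor(delta*100).
    Decimal arithmetic is used rather than float so that a delay such as 0.29
    does not become 28.999... and truncate to the wrong byte.
    """
    return int((Decimal(delta) * 100).to_integral_value(rounding=ROUND_DOWN))


def decode_timing_channel(tshark_output: str) -> str:
    """Turn a tshark frame.time_delta column into the hidden message."""
    codes = []
    # Skip the first frame, whose delta is always 0 (same as `tail -n +2`).
    for line in tshark_output.splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        code = delta_to_code(line)
        if not 32 <= code <= 126:
            # Non-printable byte: probably a non-ICMP frame or the wrong field.
            # Filter with `-Y icmp` and use frame.time_delta_displayed instead.
            raise ValueError(f"delay {line} gives non-printable byte {code}")
        codes.append(code)
    return "".join(chr(c) for c in codes)


def encode_timing_channel(message: str, jitter: float = 0.005) -> list:
    """Inverse direction (hypothetical sender): delays that carry `message`.

    Each character c is sent after a pause of c/100 seconds plus a small
    jitter; the jitter must stay below 0.01 s or it would change the third
    digit and corrupt the byte. Returned as tshark-style strings.
    """
    if not 0 <= jitter < 0.01:
        raise ValueError("jitter must be in [0, 0.01) seconds")
    delays = []
    for ch in message:
        code = ord(ch)
        if not 32 <= code <= 126:
            raise ValueError(f"{ch!r} is not printable ASCII")
        delay = Decimal(code) / 100 + Decimal(str(jitter))
        delays.append(f"{delay:.9f}")
    return delays


if __name__ == "__main__":
    # Pipe tshark into this script, or run it stand-alone on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TSHARK_OUTPUT
    print(decode_timing_channel(data))
```

Usage on a real capture: `tshark -r data.pcap -Y icmp -T fields -e frame.time_delta_displayed | python3 decode.py`. The display filter and the `_displayed` variant matter on captures that are not pure ICMP: frame.time_delta measures the gap from the previous captured frame of any protocol, so a stray ARP or DNS packet in between would split one delay into two meaningless ones.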