
Wargames.MY CTF 2024 — Forensic: I Cant Manipulate People (50 pts)

Description

Partial traffic packet captured from hacked machine. Hint: Attacker too noob to ping not in sequence.

Solution

Opening traffic.pcap shows many ICMP ping requests. The last payload byte of each of the first 4 packets spells WGMY, which is the flag format. So we extract the last byte of every ICMP payload:

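from scapy.all import rdpcap, ICMP

def extract(pcap_file):
    # Load every packet in the capture, in capture order
    packets = rdpcap(pcap_file)
    for packet in packets:
        if ICMP in packet:
            # Everything after the ICMP header, i.e. the ping data
            raw_data = bytes(packet[ICMP].payload)
            if raw_data:
                # The last payload byte carries one character of the flag
                print(chr(raw_data[-1]), end='')

extract("traffic.pcap")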
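
An added example, not part of the original write-up: the same last-byte extraction made robust for captures where capture order cannot be trusted, by keeping only echo requests, checking the ICMP checksum and ordering by sequence number. It works on raw ICMP messages built inline; the function names and the sample string are constructed for illustration, and it assumes a single echo stream whose 16-bit sequence number does not wrap.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a raw ICMP echo message (used only to construct sample input)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def trailing_bytes(messages) -> str:
    """Last payload byte of each echo request, ordered by sequence number."""
    by_seq = {}
    for msg in messages:
        if len(msg) < 9:                    # 8-byte header plus at least 1 payload byte
            continue
        icmp_type, code, _csum, _ident, seq = struct.unpack("!BBHHH", msg[:8])
        if icmp_type != 8 or code != 0:     # echo requests only; replies mirror the payload
            continue
        if inet_checksum(msg) != 0:         # a valid message sums to zero; drop corrupted ones
            continue
        by_seq.setdefault(seq, msg[-1])     # first copy of a repeated sequence number wins
    return bytes(by_seq[s] for s in sorted(by_seq)).decode("latin-1")

def sample_capture():
    """Constructed input: requests out of order, each followed by a mirrored reply."""
    secret = "WGMY{constructed_demo}"       # constructed value, not the challenge flag
    padding = bytes(range(0x10, 0x37))      # ping-style filler before the carried byte
    msgs = []
    for seq in [3, 0, 2, 1] + list(range(4, len(secret))):
        payload = padding + secret[seq].encode()
        msgs.append(build_echo(8, 0x1234, seq, payload))
        msgs.append(build_echo(0, 0x1234, seq, payload))
    return msgs

if __name__ == "__main__":
    print(trailing_bytes(sample_capture()))
```

A last payload byte that changes from one echo request to the next is also a useful detection signal, since ordinary ping implementations send the same filler pattern in every request.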

Flag

WGMY{1e3b71d57e466ab71b43c2641a4b34f4}