This post spoils a CTF challenge … Don’t read if you want to try it !

Sogeti CTF was a qualifier for the Sogeti Cyber E-Scape. I could not find a team to participate in this event, so I played alone and finally managed to find a team for the final :)

[+] Presentation

We are given an .iso file (USB.iso), which is the USB stick dump in which the flag is hidden.

Let’s mount and explore it.

.PNG and notes.txt files are not important here, but let’s dig into

challenge_network.pcapng is a network capture, and challenge_network.keys contains keys usually used to decrypt HTTPS traffic.
Let’s analyse this network capture with Wireshark.

[+] Network analysis

After filtering ARP pollution, we can see that this capture is mainly with TLS (probably HTTPS) and IRC (a chat protocol) traffic.

As the IRC traffic is not encrypted, let’s analyse it first.

Right click > Follow TCP stream

By reading the chat (french baguette only), we can understand that the contains the flag. This archive is password protected and not directly accessible, but one of the IRC users downloaded it, and said that the archive password is ‘easy to guess’.
With the help of the previously discovered keys, we can decrypt the TLS traffic and find the archive.

Edit > Preferences > Protocols > SSL > Pre-Master-Secret secret log filename

This archive is protected by a simple password, so let’s try to bruteforce it with the rockyou.txt wordlist.

We have the password, so let’s flag now.

Flag : SCE{Th1s_1s_our_n3w_k3y-w0rd}

[+] Bye

Feel free to tell me what you think about this post :)