Hello friends, welcome back to my blog. Yesterday I played wtfCTF with my team TamilCTF and we secured 4th place.

Score : 500
Description : An attacker fed Evil data into network using spoon. Can you retrieve the data fed into the network?
Hint : udp
We are given a pcap file (network traffic capture). As the hint suggests, I looked at the UDP traffic. At first I wasn’t able to see any actual UDP packets; most of them were either QUIC or DNS. Later I filtered the results by size, and wow, now we can see many UDP packets.

No wonder they didn’t show up at first: there is no payload section in these packets. Basically they are empty UDP packets. If there is no payload, where could the data be!?
Back to the description: An attacker fed Evil data into network using spoon. I didn’t have any idea what this meant; my teammate Game0v3r said it could be Spoon Language. OK, let's assume the data is in Spoon language. Spoon Language consists of 0s and 1s, just like binary.
I looked through the traffic again and found a weird pattern. Some packets have the RESERVED BIT ON and ) in the hex view and others don’t. Still, I wasn’t able to figure out the situation.
[Image: packet with the RESERVED BIT set]

[Image: packet with NO RESERVED BIT]

This time my teammate Jopraveen suggested that ) could be 1 and the others 0. After spending some time in the Scapy interactive shell, I got the logic: the packets with the RESERVED BIT flag had the string evil and the others didn’t, so evil = 1 and others 0.
Final script :-
from scapy.all import rdpcap, IP, UDP

binary_data = ""
pkts = rdpcap("captured.pcapng")
for pkt in pkts:
    # Only UDP packets carried over IPv4 are of interest
    if UDP in pkt:
        if IP not in pkt:
            continue
        if pkt[IP].src == "153.15.101.39":
            # Scapy names the IPv4 reserved bit "evil"; set = 1, clear = 0
            if pkt[IP].flags == 'evil':
                binary_data += "1"
            else:
                binary_data += "0"
print(binary_data)
# Decode it using https://www.dcode.fr/spoon-language

Flag : wtfctf{r3v3rs3_b1t5_4r3_v3ry_1mp0rt4nt_4nd_3v1l}
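The whole chain can also be done offline, without Scapy or the online decoder. The following is an added example, not part of the original script: it reads the reserved bit straight from raw IPv4 header bytes, decodes the bitstream with Spoon's code table and runs the resulting Brainfuck. The function names are hypothetical, the code table is taken from the Spoon language definition rather than from this page, and the sample packets are constructed and carry a program that prints "OK", not the challenge data.

```python
import struct

# Spoon's prefix code for the Brainfuck instructions, per the Spoon language definition.
SPOON = {"1": "+", "000": "-", "010": ">", "011": "<",
         "00100": "[", "0011": "]", "001010": ".", "0010110": ","}

def evil_bits(ip_headers):
    """One bit per packet: the IPv4 reserved flag is bit 0x80 of header byte 6."""
    return "".join("1" if h[6] & 0x80 else "0" for h in ip_headers)

def spoon_to_bf(bits):
    """Decode the prefix code; an 8-bit token is Spoon's DEBUG/EXIT, so stop there."""
    out, tok = [], ""
    for b in bits:
        tok += b
        if tok in SPOON:
            out.append(SPOON[tok])
            tok = ""
        elif len(tok) == 8:
            break
    return "".join(out)

def run_bf(code, max_steps=100_000):  # minimal Brainfuck interpreter, no input
    jump, stack = {}, []
    for i, c in enumerate(code):      # pair up brackets; unmatched ones become no-ops
        if c == "[":
            stack.append(i)
        elif c == "]" and stack:
            j = stack.pop()
            jump[i], jump[j] = j, i
    tape, ptr, pc, out, steps = [0] * 30000, 0, 0, [], 0
    while pc < len(code) and steps < max_steps:
        c = code[pc]
        if c in "+-":
            tape[ptr] = (tape[ptr] + (1 if c == "+" else -1)) % 256
        elif c in "<>":
            ptr += 1 if c == ">" else -1
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif pc in jump and (c == "[") == (tape[ptr] == 0):
            pc = jump[pc]             # "[" jumps on zero, "]" jumps on non-zero
        pc, steps = pc + 1, steps + 1
    return "".join(out)

def make_headers(bf):  # constructed sample: one minimal IPv4 header per Spoon bit
    enc = {v: k for k, v in SPOON.items()}
    return [struct.pack("!B5xH12x", 0x45, 0x8000 if b == "1" else 0) for c in bf for b in enc[c]]

if __name__ == "__main__":
    print(run_bf(spoon_to_bf(evil_bits(make_headers("++++++++[>++++++++++<-]>-.----.")))))
```

Since the reserved bit is expected to be zero in normal IPv4 traffic, the same byte-6 check works as a simple filter for spotting this kind of channel in a capture.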