Wireshark mailing list archives
Re: Knowing What Exploit from .pcap File
From: Sake Blok <sake () euronet nl>
Date: Fri, 5 Aug 2011 10:57:59 +0200
On 5 aug 2011, at 05:33, Zaki Akhmad wrote:
> On Thu, Aug 4, 2011 at 8:34 PM, Marcelo Mandolesi <rolldabass () gmail com> wrote:
>> Can you elaborate on this particular CTF? Perhaps provide us a link to it?
>
> Well, it's OWASP AppSecUSA 2011 CTF #1[1] and the .pcap file is here[2]. Although they had provided the answer[3] I still couldn't understand how to identify the exploit.
The whole idea behind a "Capture The Flag" is that the flag is sort of hidden and that it takes skill to find it. I'm no web security expert, so I am also not able to recognize the exploit (without taking time to delve into it). But some simple steps that get you on the way are:

1) Have a look at which conversations are in the file (two TCP conversations in this case)
2) Do a follow-tcp-stream on all of them and look at the results; this will show you that
   - Host .50 is requesting some web content from host .5
   - Host .50 is using port 4444 on host .5, which seems to offer a form of cmd shell in which a file is being retrieved
3) Going back to the web content being retrieved, you can see there is a script being run and that the program code of the script is obscured in some way.

So... things to look at are:

1) Is port 4444 a known port of some exploit?
2) Can you "decrypt" the javascript code, and does that point you in the right direction?
3) etc.

Hope this helps,

Cheers,
Sake
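As an added illustration of steps 1 and 2 above (this is example code, not from the thread or from Wireshark): a small Python script that parses a classic pcap, lists the TCP conversations and reassembles each direction's payload in sequence order, the manual equivalent of the Conversations window and Follow TCP Stream, then flags any conversation touching a watch-list port such as 4444. The capture is constructed inline to mirror the description (hosts .50 and .5, a web fetch returning an obscured script, a port 4444 session) and is not the CTF file.

```python
import struct
from collections import defaultdict

def build_frame(src, dst, sport, dport, seq, payload):
    """Constructed traffic helper: minimal Ethernet/IPv4/TCP frame, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp          # 12 MAC bytes + EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (magic 0xA1B2C3D4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1312500000 + i, 0, len(frame), len(frame)) + frame
    return out

def tcp_streams(pcap):
    """Conversations list + Follow TCP Stream: {frozenset of endpoints: {direction: payload}}."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    segments, pos = defaultdict(list), 24                  # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame, pos = pcap[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                       # IPv4 carrying TCP only
        ihl = (frame[14] & 0x0F) * 4
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]                 # data offset is in 32-bit words
        if payload:                                        # pure ACKs carry nothing to follow
            segments[(src, sport, dst, dport)].append((seq, payload))
    streams = defaultdict(dict)
    for (src, sport, dst, dport), segs in segments.items():
        key = frozenset([(src, sport), (dst, dport)])      # same key for both directions
        streams[key][(src, sport, dst, dport)] = b"".join(p for _, p in sorted(segs))
    return streams

def suspicious_ports(streams, watch=(4444,)):
    """Triage step: conversations that touch a port on the analyst's watch list."""
    return [key for key in streams if any(port in watch for _, port in key)]

# Constructed capture modelled on the thread (hosts .50 and .5); not the real CTF pcap.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.50", "192.168.1.5", 51000, 80, 1, b"GET /index.html HTTP/1.1\r\n\r\n"),
    build_frame("192.168.1.5", "192.168.1.50", 80, 51000, 1,
                b"HTTP/1.1 200 OK\r\n\r\n<script>eval(unescape('%61%6c%65%72%74'))</script>"),
    build_frame("192.168.1.50", "192.168.1.5", 51001, 4444, 1, b"dir\n"),
    build_frame("192.168.1.5", "192.168.1.50", 4444, 51001, 1, b"notes.txt\n"),
])
```

Running `tcp_streams(SAMPLE_PCAP)` yields two conversations; printing the server-to-client payload of the port 80 one exposes the `eval(unescape(...))` wrapper that step 3 asks you to decode, and `suspicious_ports` singles out the port 4444 session.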