Forensics-Proto Proto

The document describes a method for retrieving a flag from a server using UDP after an unsuccessful netcat connection. It details the analysis of UDP traffic and provides a Python script to send a request for 'flag.txt' to the server, which successfully retrieves the flag. The retrieved flag is swampCTF{r3v3r53_my_pr070_l1k3_m070_m070}.
Uploaded by tuanduy25082005

Forensics - Proto Proto

Connection via netcat is unsuccessful, but there is a ping to the server, so we will find another way to connect.
Having opened and analyzed the pcap file, we can notice interesting UDP traffic:

We see that the client sent a request for flag.txt to the server and received the flag.

Let's find it in UDP traffic:

Let's also try to send "flag.txt" to the server using UDP. We'll send the value of "flag.txt" to the server as bytes. We'll copy
the bytes from the pcap file:

Our code will look like this (with comments for understanding):

import socket  # Import the socket library to handle network communication

# Define the server address and port to connect to
server = "[Link]"  # The hostname of the CTF challenge server (elided on this page)
port = 44254  # The port number specified in the challenge (UDP port)

# Define the payload to request "flag.txt" from the server
# - b"\x02" is the command code (possibly indicating a file request)
# - b"\x08" is the length of the filename (8 bytes for "flag.txt")
# - b"\x66\x6c\x61\x67\x2e\x74\x78\x74" is "flag.txt" in HEX (ASCII encoding)
payload = b"\x02\x08\x66\x6c\x61\x67\x2e\x74\x78\x74"

# Create a UDP socket object
# - socket.AF_INET specifies the IPv4 address family
# - socket.SOCK_DGRAM specifies UDP (datagram) protocol
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.settimeout(5)  # UDP gives no delivery guarantee, so don't block forever if no reply arrives

# Send the payload to the server via UDP
# - sendto() sends the data to the specified (server, port) tuple
s.sendto(payload, (server, port))

# Receive a response from the server
# - recvfrom(4096) waits for up to 4096 bytes of data and returns the response and sender's address
response, addr = s.recvfrom(4096)

# Print the response in hexadecimal format for raw byte analysis
print("HEX response:", response.hex())

# Attempt to decode the response as text, ignoring any decoding errors
# - errors='ignore' ensures the script doesn't crash if non-ASCII bytes are present
print("Decoded response:", response.decode(errors='ignore'))

# Close the socket to free up resources
s.close()

Let's run this script:

We received the flag: swampCTF{r3v3r53_my_pr070_l1k3_m070_m070}
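As an added example (not the writeup's own script), here is a small encoder/decoder for the request layout the script's comments describe: one command byte, one length byte, then the filename. It generalizes the encoding to any filename and checks that the length byte agrees with the payload, which is the first thing to verify when triaging captured datagrams to a service like this one. The meaning of 0x02 as a "file request" is the writeup's guess, not a confirmed specification, and the sample datagrams are constructed here.

```python
import struct

# Command byte seen in the capture; its meaning is assumed, not documented.
CMD_FILE_REQUEST = 0x02


def build_request(filename: str, command: int = CMD_FILE_REQUEST) -> bytes:
    """Encode a request datagram: <command><len><filename>."""
    name = filename.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("filename length must fit in one byte (1..255)")
    return struct.pack("BB", command, len(name)) + name


def parse_request(datagram: bytes) -> dict:
    """Decode a request datagram and report whether it is well-formed.

    'ok' is False when the length byte disagrees with the bytes actually
    present (truncated or padded datagram), so such packets stand out
    when walking through the UDP payloads of a capture.
    """
    if len(datagram) < 2:
        return {"ok": False, "reason": "shorter than the 2-byte header"}
    command, declared = struct.unpack("BB", datagram[:2])
    body = datagram[2:]
    result = {
        "command": command,
        "declared_len": declared,
        "filename": body[:declared].decode("ascii", errors="replace"),
        "ok": len(body) == declared,
    }
    if len(body) < declared:
        result["reason"] = "truncated: fewer bytes than the length byte declares"
    elif len(body) > declared:
        result["reason"] = "trailing bytes after the declared filename"
    return result


# Constructed sample datagrams: the writeup's request, a truncated one,
# and one carrying two extra bytes after the filename.
SAMPLES = [
    b"\x02\x08\x66\x6c\x61\x67\x2e\x74\x78\x74",
    b"\x02\x08flag",
    b"\x02\x08flag.txt\x00\x00",
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d.hex(), "->", parse_request(d))
```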
