You are given a cap file that contains wireless traffic captured at a location. Find the flag! :-)
We are given a pcap to start our journey. Here's a screenshot of what it generally looks like:
It's a bunch of Wi-Fi traffic. At first glance we only see a few beacon frames, some null frames, some acknowledgement frames, and of course data frames.
However, if we look at the data frames, we find something that will slow us down a bit:
Notice how the "Protected Frame" bit in the 802.11 Frame Control field is set. This means the payload of these frames is encrypted. Wireshark can decrypt 802.11 for us, but only if we give it the key: a WEP key, or for WPA/WPA2-PSK the passphrase plus the SSID, and in the WPA case the client's four-way handshake also has to be in the capture.
Let's look a bit further. I'm going to filter the traffic with the display filter `tcp`.
Interesting! We see that a file named rom-0 is being downloaded over unencrypted HTTP. Exporting the file with Wireshark (File -> Export Objects -> HTTP), we can start analysing it.
When I have an unknown file, I like to use a tool called binwalk to scan it for known signatures.
Well, there's definitely something there. After some googling, it turns out that rom-0 is the configuration dump of ZynOS-based routers (ZyXEL and many rebadged models); it is LZS-compressed and contains the router's admin password in plaintext. That might be what we need to get the traffic decrypted.
Several tools exist to decompress this type of file. Using this website, I was able to extract a few strings. The string I got out of it was Rome4040. That's interesting, since an SSID beacon at the start of the capture was for an AP named Rome. Let's try decrypting the traffic now.
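Since the decompression happened on a third-party website above, here is what that step does, as an added example that is not part of the original write-up or of any rom-0 tool: an LZS (Stac) decoder for the compressed configuration block, following the token format of RFC 1967, plus a strings()-style filter for password candidates. The compressed sample is constructed by hand for the test (it expands to "abcabcabc"); a real rom-0 also wraps the LZS stream in a container whose layout and offsets vary by firmware, and locating the stream inside it is left out here.

```python
"""LZS (Stac) decompressor for ZynOS rom-0 configuration dumps (added example)."""
import string
from typing import List

# Constructed sample: literals 'a','b','c', then a copy of offset 3 / length 6,
# then the end marker. Expands to b"abcabcabc".
SAMPLE_LZS = bytes([0x30, 0x98, 0x8C, 0x78, 0x3D, 0xC0, 0x00])


class BitReader:
    """MSB-first bit reader over a bytes object."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0  # current bit position

    def bits(self, n: int) -> int:
        """Return the next n bits as an integer; raise if the stream runs out."""
        value = 0
        for _ in range(n):
            byte_index, bit_index = divmod(self.pos, 8)
            if byte_index >= len(self.data):
                raise EOFError("LZS stream ended without an end marker")
            value = (value << 1) | ((self.data[byte_index] >> (7 - bit_index)) & 1)
            self.pos += 1
        return value


def lzs_decompress(data: bytes) -> bytes:
    """Decode one LZS stream (RFC 1967 token format).

    0 + 8 bits          literal byte
    1 + 1 + 7 bits      copy with offset 1..127 (offset 0 is the end marker)
    1 + 0 + 11 bits     copy with offset 128..2047
    Copies are followed by a length code:
    00=2 01=3 10=4 1100=5 1101=6 1110=7 1111 nnnn=8+n, where a nibble of
    1111 adds 15 and another nibble follows.
    """
    reader = BitReader(data)
    out = bytearray()
    while True:
        if reader.bits(1) == 0:
            out.append(reader.bits(8))
            continue
        if reader.bits(1) == 1:
            offset = reader.bits(7)
            if offset == 0:
                return bytes(out)  # end marker
        else:
            offset = reader.bits(11)
        code = reader.bits(2)
        if code < 3:
            length = code + 2
        else:
            code = reader.bits(2)
            if code < 3:
                length = code + 5
            else:
                length = 8
                while True:
                    nibble = reader.bits(4)
                    length += nibble
                    if nibble != 15:
                        break
        if offset > len(out):
            raise ValueError("copy offset reaches before the start of the output")
        # Byte-wise copy so overlapping references (offset < length) repeat correctly.
        for _ in range(length):
            out.append(out[-offset])


def password_candidates(blob: bytes, min_len: int = 5, max_len: int = 32) -> List[str]:
    """Return runs of printable ASCII, as `strings` would, deduplicated in order."""
    printable = set(string.ascii_letters + string.digits + string.punctuation)
    found, current = [], []
    for b in blob + b"\x00":  # trailing NUL flushes the last run
        ch = chr(b)
        if ch in printable:
            current.append(ch)
            continue
        if min_len <= len(current) <= max_len:
            token = "".join(current)
            if token not in found:
                found.append(token)
        current = []
    return found


if __name__ == "__main__":
    plain = lzs_decompress(SAMPLE_LZS)
    print(plain, password_candidates(plain))
```

Against a real dump, feed the compressed section to `lzs_decompress` and look through `password_candidates` for anything that matches the SSID seen in the beacons; a copy whose offset points before the start of the output, or a stream that ends without the marker, means the section boundary was wrong.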
Using Wireshark, I went to Edit -> Preferences -> Protocols -> IEEE 802.11. Make sure the "Enable decryption" checkbox is checked. Next, click Edit... next to "Decryption keys" and add a key of type wpa-pwd whose value is the passphrase and the SSID separated by a colon, i.e. Rome4040:Rome, like this:
Note that after doing this you may need to go to View -> Reload (Ctrl-R) to make sure the packets were decrypted. Wireshark can only derive the session keys if the client's EAPOL four-way handshake is in the capture: the display filter eapol shows whether it is there, and only data frames after that handshake get decrypted.
Filtering by tcp again, we can start to go through the traffic. There are a few points where the client hits Google. However, one request stands out:
Aha! A Pastebin submission. Let's take a look at the POST data:
This looks like hex-encoded ASCII! The value that was posted is:
Decoding it to ASCII we get:
Nice!! Submit the flag :)
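The last two steps (pull the posted field out of the request and hex-decode it) can be done without the GUI once the decrypted stream is exported. The following is an added example, not code from the original write-up: it parses a raw HTTP request, honours Content-Length, decodes the form body and returns every field that is hex-encoded printable ASCII. The request, the field name paste_code and the payload are constructed for illustration and are not the challenge's real values.

```python
"""Recover hex-encoded ASCII from a captured HTTP POST (added example)."""
from urllib.parse import parse_qs

# Constructed sample request; the body encodes "flag{constructed_example}".
SAMPLE_BODY = (b"paste_name=notes&paste_code="
               b"666c61677b636f6e73747275637465645f6578616d706c657d")
SAMPLE_REQUEST = (b"POST /post.php HTTP/1.1\r\n"
                  b"Host: pastebin.com\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
                  b"\r\n" + SAMPLE_BODY)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes of a reassembled stream are ignored.
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return lines[0], headers, body


def form_fields(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body.decode("ascii", "replace")).items()}


def decode_hex_ascii(value: str):
    """Return the text if `value` is hex that decodes to printable ASCII, else None."""
    compact = value.strip()
    if not compact or len(compact) % 2:
        return None
    try:
        raw = bytes.fromhex(compact)
    except ValueError:
        return None
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def extract_hex_fields(raw_request: bytes) -> dict:
    """Return {field: decoded text} for every hex-encoded field of a form POST."""
    _, headers, body = parse_http_request(raw_request)
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {}
    result = {}
    for field, value in form_fields(body).items():
        decoded = decode_hex_ascii(value)
        if decoded is not None:
            result[field] = decoded
    return result


if __name__ == "__main__":
    print(extract_hex_fields(SAMPLE_REQUEST))
```

Feed it the bytes of "Follow TCP Stream" (client side only) for the Pastebin connection; the printable-ASCII check keeps ordinary form values such as the paste title from being mistaken for hex.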