# 🚩YCTF0x01

### Forensics <a href="#forensics" id="forensics"></a>

#### PCAP <a href="#pcap" id="pcap"></a>

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2F03TXveWXW81gtLQfJ9Ld%2Fimage.png?alt=media&#x26;token=3038f396-a8b2-4fed-bf46-b884b6de71c4" alt="" width="342"><figcaption></figcaption></figure>

Challenge File: [link](https://drive.google.com/file/d/1AGOsYbu8Ypw1FtEHzn2V88OLJGl70n6e/view?usp=sharing)

As the challenge name suggests, it was related to Wireshark, and a `challenge.pcap` file was provided for analysis. Upon opening the file in Wireshark, there was only TCP and HTTP traffic. This is where Wireshark skills come into play: there are various filters and methods that can be used to analyze this traffic.

You need to analyze the TCP traffic and TCP streams using Wireshark filters; in the 3rd stream there was a fake flag, `YCTF{It's_A_f4k3_f1ag}`.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FYWFhGFhCNoknuuvirdcR%2Ftcp3.PNG?alt=media&#x26;token=75b3c31f-e7b5-455d-842e-d3e4b89178b2" alt=""><figcaption><p>TCP Stream </p></figcaption></figure>

Many participants reached this point and submitted this incorrect flag. However, the key was to examine the content above this flag, which was base64-encoded; the trailing '==' was also a hint at this encoding.

There are multiple ways to find this base64 data, such as searching for the flag-format prefix YCTF in the packet bytes, which reveals packet 40.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2Fwo96ssAP1hIegK2eXCt4%2Fpacketbyptes.PNG?alt=media&#x26;token=56b993e0-91b9-44ab-992e-4bc83d3700c2" alt=""><figcaption><p>Packet bytes filter</p></figcaption></figure>

Decoding this base64 data with CyberChef produced a QR code image, which in turn needed to be decoded to get the flag.
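The search-and-decode steps above can also be scripted. The following is an added example, not part of the original writeup or the challenge files: it parses a classic pcap with the standard library only, concatenates TCP payloads per flow (a rough stand-in for Wireshark's stream view), then decodes every long base64 run and keeps the ones that start with the PNG signature. The capture it runs on is a constructed sample with assumed addresses 10.0.0.2:80 and 10.0.0.1:40000, not the challenge.pcap.

```python
import base64, re, struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")   # runs of base64 text, optional '=' padding

def tcp_streams(pcap):
    """Concatenate TCP payloads per flow from a classic Ethernet/IPv4 pcap (capture order, no seq reordering)."""
    little = struct.unpack("<I", pcap[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D)
    end, streams, off = ("<" if little else ">"), {}, 24      # skip the 24-byte global header
    while off + 16 <= len(pcap):                              # 16-byte per-record header
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                          # not IPv4 over Ethernet, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]            # skip Ethernet + IP header (IHL)
        key = (frame[26:30], frame[30:34], tcp[:2], tcp[2:4])  # src IP, dst IP, sport, dport
        streams.setdefault(key, bytearray()).extend(tcp[(tcp[12] >> 4) * 4:])
    return streams

def find_base64_pngs(pcap):
    """Return every blob in the reassembled streams that is valid base64 for a PNG image."""
    found = []
    for data in tcp_streams(pcap).values():
        for m in B64_RE.finditer(bytes(data)):
            try:
                raw = base64.b64decode(m.group(0), validate=True)
            except ValueError:                                # long run of text, not base64
                continue
            if raw.startswith(PNG_MAGIC):
                found.append(raw)
    return found

def sample_pcap():
    """Constructed sample (not the challenge file): one HTTP response carrying a base64 PNG,
    split across two TCP segments and followed by the decoy flag; returns (pcap_bytes, png)."""
    png = PNG_MAGIC + b"\x00" * 40 + b"IEND"                 # stand-in image body
    b64 = base64.b64encode(png)                               # 52 bytes -> ends in '=='
    segments = [b"HTTP/1.1 200 OK\r\n\r\n" + b64[:30],
                b64[30:] + b"\r\nYCTF{It's_A_f4k3_f1ag}\r\n"]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # pcap global header, LINKTYPE_ETHERNET
    for payload in segments:                                  # assumed flow 10.0.0.2:80 -> 10.0.0.1:40000
        tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + tcp
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip  # dst MAC, src MAC, IPv4 ethertype
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out, png
```

Write each returned blob to a `.png` file and scan it with an rMQR-capable reader; on a real capture the per-flow concatenation is only an approximation of Wireshark's stream reassembly, since it ignores retransmissions and out-of-order segments.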

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FbSyZPRq2KbtE0DZSmnW9%2Fimage.png?alt=media&#x26;token=45bf7ca2-1fce-40b4-9ee2-822e9d638412" alt=""><figcaption><p>CyberChef Output</p></figcaption></figure>

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FdOHCdnX0LAmFeNVEl2o5%2Fimage.png?alt=media&#x26;token=311c1f2d-91f4-49b7-9049-17ded6e6e41c" alt=""><figcaption><p>Generated rMQR</p></figcaption></figure>

Here comes another research part. If you look at the shape of the QR code, it is a Rectangular Micro QR Code (rMQR Code); alternatively, a reverse image search of the QR image on Google also leads to rMQR Code articles.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2Fb51s2isc7Ml6TaLBL8sf%2Fimage.png?alt=media&#x26;token=94db5be8-e4af-428f-ae6d-c5dc0f09cbe9" alt=""><figcaption></figcaption></figure>

Searching for "rMQR decode" turns up a GitHub repo: <https://github.com/OUDON/rmqrcode-python>

To read the rMQR code, we can use the [QRQR](https://www.denso-wave.com/en/system/qr/product/reader.html) app by DENSO WAVE.

Interesting fact: "QR Code" is a registered trademark of **DENSO WAVE** Incorporated.

Update: John Hammond also uploaded a [video](https://youtu.be/J8S-NJ1GTn4?si=NGmk1PbmuaWh3gEV) on rMQR codes last week.

Flag: `YCTF{l0ng_l0ng_Qrrrr}`

Challenge Credits: [Yash Kumar ](https://www.linkedin.com/in/yash024)

Hope you've learned new things from the challenge! 🌟📚
