🚩YCTF0x01

Here you can find YCF weekly CTF writeups

Forensics -

PCAP

Challenge File: link

As the challenge name suggests, it was related to Wireshark, and a challenge.pcap file was provided for analysis. Opening the file in Wireshark showed only TCP and HTTP traffic. This is where Wireshark skills come into play: there are various filters and methods for analyzing this traffic.

You need to analyze the TCP traffic and follow the TCP streams using Wireshark filters; in the 3rd stream there was a fake flag: YCTF{It's_A_f4k3_f1ag}

Many participants reached this point and submitted this incorrect flag. However, the key was to examine the content above this flag, which was base64; the trailing '==' padding also hinted at this encoding.

There are multiple ways to find this base64 data; one is simply searching for the flag-format prefix YCTF in the packet bytes, which reveals packet 40.

Decoding this base64 data with CyberChef produces a QR code image, which in turn needs to be decoded to get the flag.
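The steps above (follow the TCP streams, search the bytes for the flag prefix, spot the base64 blob above the decoy and decode it to an image) can be reproduced without Wireshark. The script below is an added example written for this writeup, not part of the original post or the challenge files: it builds a small constructed pcap in code (three HTTP conversations, the third carrying a base64 PNG-like stub above a fake flag, with its segments deliberately out of order), reassembles each TCP direction by sequence number the way "Follow TCP Stream" does, then reports flag-format strings and base64 runs that decode to a known image magic. The IPs, ports, HTTP bodies and the 34-byte image stub are all constructed; only the PNG magic matters for identification.

```python
"""Reassemble TCP streams from a pcap, then hunt for flag-format strings and
base64 blobs that decode to an image. Added example for the YCTF PCAP writeup;
the pcap is constructed below, it is not the challenge file."""
import base64
import binascii
import re
import socket
import struct
from collections import defaultdict

FLAG_RE = re.compile(rb"YCTF\{[^}]*\}")
# Runs of >= 32 base64 characters, optionally followed by '=' / '==' padding.
B64_RE = re.compile(rb"(?:[A-Za-z0-9+/]{4}){8,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}


def tcp_streams(pcap):
    """Return {stream_id: {direction: payload_bytes}} for every TCP conversation.
    Segments are ordered by sequence number per direction (no retransmission handling)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    assert magic == 0xA1B2C3D4, "only little-endian microsecond pcap is handled"
    segments = defaultdict(lambda: defaultdict(list))
    off = 24                                                   # skip global header
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:  # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:                                         # TCP only
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            stream = tuple(sorted([(src, sport), (dst, dport)]))
            segments[stream][f"{src}:{sport} -> {dst}:{dport}"].append((seq, payload))
    return {s: {d: b"".join(p for _, p in sorted(segs)) for d, segs in dirs.items()}
            for s, dirs in segments.items()}


def find_flags(data):
    """Every YCTF{...} string in a reassembled stream (decoys included)."""
    return [m.decode() for m in FLAG_RE.findall(data)]


def decode_base64_blobs(data):
    """(blob, kind, decoded) for each base64 run; kind is an image type or 'unknown'."""
    found = []
    for blob in B64_RE.findall(data):
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue
        kind = next((k for m, k in IMAGE_MAGIC.items() if raw.startswith(m)), "unknown")
        found.append((blob, kind, raw))
    return found


def _segment(src, dst, sport, dport, seq, payload):
    """One pcap record: Ethernet + IPv4 + TCP (PSH/ACK) + payload, checksums left zero."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    frame = eth + ip
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


# Constructed 34-byte PNG-like stub: signature + IHDR chunk header + zero filler.
# 34 bytes is not a multiple of 3, so its base64 ends in '==' like the challenge data.
FAKE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 18


def build_sample_pcap():
    """Three HTTP conversations; the third carries a base64 image above a fake flag,
    split into two segments that are written to the capture out of order."""
    c, s = "10.0.0.5", "10.0.0.80"
    body = base64.b64encode(FAKE_IMAGE) + b"\nYCTF{It's_A_f4k3_f1ag}\n"
    req = b"POST /upload HTTP/1.1\r\nHost: ctf.example\r\nContent-Length: %d\r\n\r\n" % len(body)
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # DLT_EN10MB
    frames = [
        _segment(c, s, 40001, 80, 1, b"GET / HTTP/1.1\r\nHost: ctf.example\r\n\r\n"),
        _segment(s, c, 80, 40001, 1, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nhi"),
        _segment(c, s, 40002, 80, 1, b"GET /about HTTP/1.1\r\nHost: ctf.example\r\n\r\n"),
        _segment(s, c, 80, 40002, 1, b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
        _segment(c, s, 40003, 80, 1 + len(req), body),   # second half arrives first
        _segment(c, s, 40003, 80, 1, req),
        _segment(s, c, 80, 40003, 1, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ]
    return head + b"".join(frames)


def analyse(pcap):
    """Walk every stream direction: collect flag-looking strings and decoded images."""
    report = {"flags": [], "images": []}
    for dirs in tcp_streams(pcap).values():
        for direction, data in dirs.items():
            report["flags"] += [(direction, f) for f in find_flags(data)]
            report["images"] += [(direction, kind, raw)
                                 for _, kind, raw in decode_base64_blobs(data) if kind != "unknown"]
    return report


if __name__ == "__main__":
    r = analyse(build_sample_pcap())
    print("flag-format strings (the one inside the stream is the decoy):", r["flags"])
    for direction, kind, raw in r["images"]:
        print(f"{direction}: base64 decodes to a {kind} of {len(raw)} bytes; "
              "write it to disk and scan it as a (r)MQR code")
```

On a real capture, replace `build_sample_pcap()` with the bytes of challenge.pcap (classic little-endian pcap only; pcapng is not parsed here). The out-of-order segments in the third conversation are the reason reassembly keys on sequence number rather than capture order: grepping raw packet bytes finds the `YCTF` prefix, but only the reassembled direction shows the base64 sitting directly above the decoy.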

Here comes another research part. If you look at the shape of the QR code, it is a Rectangular Micro QR Code (rMQR Code); alternatively, a reverse image search of the QR image on Google also leads to rMQR Code articles.

Searching for "rMQR decode" gives the GitHub repo https://github.com/OUDON/rmqrcode-python

To read the rMQR code, we can use the QRQR app by DENSO WAVE.

Interesting fact: "QR Code" is a registered trademark of DENSO WAVE Incorporated.

Update: John Hammond also uploaded a video on rMQR last week.

Flag: YCTF{l0ng_l0ng_Qrrrr}

Challenge Credits: Yash Kumar

Hope you've learned new things from the challenge! 🌟📚
