PoliCTF 2012 – Forensics 100

This challenge (Forensics 100) was a little bit weird but solvable. It said:

Retrieve the key.

Remember to write it in capital letters.

Attachment: 45141181944a722.tbz2.gpg (password: 310b44aab74809c6ec9dd026b9e8e59a5e401083)

After unpacking the attachment we got a challenge.pcap file. Opening it in Wireshark showed us the capture of an SSH session to a (probably) Juniper device. Some Juniper devices tend to use SSHv1 until told otherwise, so the first shot would be to somehow break the encryption and use the provided key as flag. There is a great tool for analyzing packet captures called Chaosreader; we used it to meet with the pcap file in private. Unfortunately, just submitting the extracted data did not work out, but halfway through we got a Perl script named session_0001.textSSH.replay. Here is what it looks like when we execute the script:

[Animated image: replaying captured packets (PoliCTF 2012 - Forensics 100 - timing)]

Looks like a pattern, doesn’t it? We take the 320 seconds it lasts to watch astonished and write down the pattern in a simpler way. Short transmissions become “.” and longer ones we write down as “-”. We now have:


This must be Morse code! Since Morse code is one of the codes where timing is everything, we have to watch the replay again to get the transmission pauses right. This is essential for decoding. We lean back for 320 seconds once again and are rewarded with:

.... --- .--. . -.-- --- ..- ...- . -... . . -. .- --. --- --- -.. -... --- -.-- ... -.-. --- ..- -

After translating the Morse code to characters we finally got our flag:


Yes, we were good boy scouts, the flag is ours!

Note: This challenge was downgraded to 75 points after a while.
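
The dot/dash and pause classification described above can be done programmatically instead of watching the replay twice. The following Python code is an added example, not part of the original writeup or of Chaosreader: it groups packet timestamps into bursts, maps burst length to "." or "-", and uses the pause before a burst to split letters. The function names, the millisecond thresholds and the synthesized timestamps are assumptions constructed for the demo; only the Morse string is taken from the writeup.

```python
import string

# International Morse code for A-Z, in alphabetical order.
CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
         "--.- .-. ... - ..- ...- .-- -..- -.-- --..").split()
MORSE = dict(zip(CODES, string.ascii_uppercase))

def bursts(timestamps_ms, max_intra_gap):
    """Group packet times into (first, last) bursts; a larger gap starts a new burst."""
    times = sorted(timestamps_ms)
    if not times:
        return []
    groups = [[times[0]]]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > max_intra_gap:
            groups.append([])
        groups[-1].append(cur)
    return [(g[0], g[-1]) for g in groups]

def timing_to_morse(timestamps_ms, max_intra_gap=200, dash_min=800, letter_gap_min=1500):
    """Burst length selects '.' or '-'; a long pause before a burst ends the letter."""
    out, prev_end = [], None
    for start, end in bursts(timestamps_ms, max_intra_gap):
        if prev_end is not None and start - prev_end >= letter_gap_min:
            out.append(" ")
        out.append("-" if end - start >= dash_min else ".")
        prev_end = end
    return "".join(out)

def decode(morse):
    """Translate space-separated Morse letters; unknown symbols become '?'."""
    return "".join(MORSE.get(sym, "?") for sym in morse.split())

def synthesize(morse, step=100, dot=400, dash=1200, sym_gap=500, letter_gap=2000):
    """Build constructed packet timestamps (ms) for a Morse string, for the demo only."""
    t, out = 0, []
    for letter in morse.split():
        for sym in letter:
            length = dash if sym == "-" else dot
            out.extend(range(t, t + length + 1, step))
            t += length + sym_gap
        t += letter_gap - sym_gap
    return out

# Morse string from the writeup, retyped in ASCII; the timings are constructed.
SAMPLE = (".... --- .--. . -.-- --- ..- ...- . -... . . -. .- --. --- --- -.. "
          "-... --- -.-- ... -.-. --- ..- -")
if __name__ == "__main__":
    print(decode(timing_to_morse(synthesize(SAMPLE))))
```

On a real capture the timestamps would come from the pcap, for example via `tshark -r challenge.pcap -T fields -e frame.time_relative` scaled to milliseconds, with the three thresholds tuned to the gaps actually observed.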
