The question is:

"The critical server seems unreachable. The sysadmin tries to identify the cause of it..but weird..he is doing it backwardly."
http://files.wargames.my/2/p100.7zv
question for challenge 2
question for challenge 2

and the hint given to us:

hint for challenge 2
hint for challenge 2

so… RFC 792 – something related to ICMP/ping yada yada
so we open the pcap file in Wireshark, view only ICMP protocol:

open pcap using wireshark & then filter ICMP only

we can see ICMP traffic involving 2 IPs; 192.168.1.8 & 192.168.1.10

after digging around, I find out there is some “unique differences” at ping identification number; offset 0010. this involving IP 192.168.1.8:

lets use tshark to see it clearly:

tshark -r pcap1-100_1_copy.pcapng -x 'icmp and ip.src==192.168.1.8' | grep 0010
use tshark & grep offset 0010

as noted in the hint above; “he is tracing backwardly.”

so the flag is: flag_is_p!ngp0ng~
but actually…. the flag is: p!ngp0ng~ =.=’

By zam

Any Comments?

This site uses Akismet to reduce spam. Learn how your comment data is processed.