See frame nΒ°134 GET /corporation/secret HTTP/1.1.
Extract the file (File > Export Objects > HTTP).
Check the type of file:
1 2 3
[noraj@rawsec]βββββββββββββββββββββββββββββββββββ[~/CTF/WhiteHat_GrandPrix/2016] $ file secret secret: Zip archive data, at least v2.0 to extract
Ok, there is a pasword, let's check the html page: frame nΒ°149 GET /corporation/arsenal.html HTTP/1.1.
Extract it from the pcapng.
See the hint: For H.i.n.t: Referring to arsenal, i remember a number. It also length of secret p.a.s.s.w.o.r.d.
One key event is:
30 October: Arsenal recorded victory in the League Cup to a record-breaking 7β5 scoreline at the Madjeski Stadium, having been 4β0 down initially. The game had the most goals ever scored in a single League Cup match (12).
With luck and guessing I found this number was 4.
So now let's try to crack the zip password with fcrackzip:
1 2 3 4
[noraj@rawsec]βββββββββββββββββββββββββββββββββββ[~/CTF/WhiteHat_GrandPrix/2016] $ fcrackzip -b -c a -l 4 -u secret
PASSWORD FOUND!!!!: pw == fuzu
Extract the zip with the password.
Check what file type EasyExtrack is:
1 2 3
[noraj@rawsec]βββββββββββββββββββββββββββββββββββ[~/CTF/WhiteHat_GrandPrix/2016] $ file EasyExtrack EasyExtrack: Zip archive data, at least v1.0 to extract
d2a33790e5bf28b33cdbf61722a06989 MD5 : F 12f54a96f64443246930da001cafda8b MD5 : l 60b725f10c9c85c70d97880dfe8191b3 MD5 : a f5302386464f953ed581edac03556e55 MD5 : g d9bed3b7e151f11b8fdadf75f1db96d9 MD5 : { 3b5d5c3712955042212316173ccf37be MD5 : b 72cfd272ace172fa35026445fbef9b03 MD5 : r d2a33790e5bf28b33cdbf61722a06989 MD5 : F d2a33790e5bf28b33cdbf61722a06989 MD5 : F d2a33790e5bf28b33cdbf61722a06989 MD5 : F 9a8ad92c50cae39aa2c5604fd0ab6d8c MD5 : f d2a33790e5bf28b33cdbf61722a06989 MD5 : F d2a33790e5bf28b33cdbf61722a06989 MD5 : F d2a33790e5bf28b33cdbf61722a06989 MD5 : F d2a33790e5bf28b33cdbf61722a06989 MD5 : F d2a33790e5bf28b33cdbf61722a06989 MD5 : F d2a33790e5bf28b33cdbf61722a06989 MD5 : F d2a33790e5bf28b33cdbf61722a06989 MD5 : F d2a33790e5bf28b33cdbf61722a06989 MD5 : F 12f54a96f64443246930da001cafda8b MD5 : l 92520a5a9cf893220b9cd447f585f144 MD5 : _ 01fbdc44ef819db6273bc30965a23814 MD5 : h 9ffbf43126e33be52cd2bf7e01d627f9 MD5 : e 12f54a96f64443246930da001cafda8b MD5 : l 9d7bf075372908f55e2d945c39e0a613 MD5 : p 92520a5a9cf893220b9cd447f585f144 MD5 : _ 009520053b00386d1173f3988c55d192 MD5 : y e73af36376314c7c0022cb1d204f76b3 MD5 : o e85dde330c34efb0e526ee3082e4353b MD5 : u 7d9d25f71cb8a5aba86202540a20d405 MD5 : }
Unformated flag is: Flag{brFFFfFFFFFFFFl_help_you}.
Format the flag: WhiteHat{e7643ccd180c84176ae0b4361c3b169fceacf961}.
Not the good flag ...
Note that 800618943025315f869e4e1f09471012 is the right md5 hash for F and d2a33790e5bf28b33cdbf61722a06989 is the wrong md5 hash for F that you can obtain with non POSIX tools like echo (that's why I use printf). So only hashkiller knows both wrong and right hash, all other md5 decrypt online tools knows only the right one so they are not able to decrypt d2a33790e5bf28b33cdbf61722a06989. But anyway...
You know what? After some wasted hours I figured that I needed to replace F with some guessed letters: Flag{bruteforce_will_help_you}. Yes guessing again.
And we also get one of the 23 parts of the puzzle:
This is for the Discovering Vietnam bonus challenge. It is a puzzle of 23 parts, you need them to get a QR-code that give a flag. Flag will give 10% bonus points of the current score.
I think we need to do almost all challenges to get all the pieces.