📖
CTF Wiki
  • 🚩Arne's CTF Writeups!
  • 2025
    • TUCTF
      • Forensics - Security Rocks
  • 2024
    • Lexington CTF
      • Misc - a little bit of tomcroppery
    • Imaginary CTF
      • Web - Journal
    • Space Heroes CTF
      • Web - Antikythera
    • HTB Cyber Apocalypse
      • Pwn - Sound of Silence
      • Misc - MultiDigilingual
  • 2023
    • NahamConCTF
      • Mobile - Red Light Green Light
    • BucketCTF
      • Rev - Schematic
      • Rev - Random security
    • HTB Cyber Apocalypse
      • Rev - Cave System
      • Rev - Somewhat Linear
      • Pwn - Void
  • 2022
    • DownUnderCTF 2022
      • Cloud - Jimmy Builds a Kite
    • Ã¥ngstromCTF 2022
      • Pwn - really obnoxious problem
      • Pwn - whatsmyname
    • Engineer CTF
      • Misc - Not really random
      • Misc - Broken Pieces
    • KnightCTF 2022
    • HTB CTF: Dirty Money
      • Forensics - Perseverance
  • 2021
    • MetaCTF CyberGames 2021
    • HTB - Cyber Santa
      • RE - Infiltration
    • Securebug CTF Thor 2021
      • Web - Tricks 1
      • Web - Tricks 2
      • RE - Hidden in Plain Sight
    • TFC CTF 2021
      • RE - Crackity
      • Pwn - Jumpy
      • Misc - Weird Friend
    • K3RN3L CTF 2021
      • Crypto - Pascal RSA
    • DamCTF 2021
      • Misc - library-of-babel
      • Pwn - cookie-monster
    • Killer Queen CTF 2021
      • Pwn - Tweety Birb
      • Forensics - Tippy Tappies
      • Pwn - I want to break free
    • BuckeyeCTF 2021
      • Web - pay2win
      • Misc - USB Exfiltration
Powered by GitBook
On this page
  • Description
  • Downloads
  • Solution
  1. 2025
  2. TUCTF

Forensics - Security Rocks

Medium

Last updated 3 months ago

Description

Downloads

Solution

Go to 'Wireless -> WLAN Traffic' in WireShark to see the number of 'Auths' packets.

To filter out a specific SSID, use the following filter: 

wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05

Using the EAPOL filter, we can see that the entire 4-way handshake is captured.

We just need the Wi-fi passphrase to decrypt the traffic.

Use aircrack-ng to do dictionary attack on the passphrase.

With the passphrase found, to decrypt the data in WireShark, add the wpa-pwd key as follows.

Use the following filter to get all the data packets.

Found the transfer of secret.txt.

Flag turns out to be base62 encoded: TUCTF{w1f1_15_d3f1n173ly_53cure3}

472KB
dump-05.cap
image
SSID filter
EAPOL
aircrack-ng
Add decryption key
data filter
Follow decrypted TCP stream
Export FTP objects
secret.txt
dcode