Hi guys! today i will show you how to solved Forensic 100 – TMCTF.
Download file from here and open by wireshark.
you can see it to be encryption by WEP was included as the component of the original privacy IEEE 802.11.
The attacker was wiretapping and find ways cracking them.
First, we will look for an crack password file pcap.
Use aircrack-ng tool is popular, i try that.
The next step, we will decrypt the file from password we just got.
Use Airdecap-ng to decrypt victim.pcap
So we can got file victim-dec.pcap
Then, we must find the ip of the sender and the receiver to filter the essential information. In pcap file information has a lot of garbage, so pcap file made will heavier and more complex.
Try filter some port don’t be encrypt and focus to ip 192.168.11.3 and ip 192.168.11.2.
Follow it, we will see what we need
Short conversation, and decode base64 to get file location2.zip.
We will find words “Right Niece Dreams” and hint from admin is “Et tu Brute, Then FALL C,A,E,S,A,R” ,so password is “miDNight” and get secret location.
And use gps-coodinates.net to get location we need.
TMCTF{Stade de France} :))
sugivo.wordpress.com 
Wow, thanks for the writeup! The link on CTFtime to your site seems to be broken though.
Would you mind giving more details on how you figured out the password for the zip? I see your statement “We will find words “Right Niece Dreams” and hint from admin is “Et tu Brute, Then FALL C,A,E,S,A,R” ,so password is “miDNight” and get secret location.” What admin gave you the hint? Was this a CTF admin, or another email thread in the pcap? Also how did you go from “Et tu Brute, Then FALL C,A,E,S,A,R” to a password of “miDNight”?
LikeLike
Yeah, you can see “Right Niece Dreams” in conversation between 192.168.11.2 and 192.168.11.3. So you will drop (fall) letters C,A,E,S,A,R in “Right Niece Dreams”, you will get “ightNiDm” and try to arrange the words have meaning (Et tu Brute). So we have “miDNight”.
LikeLike