Wireshark-users: Re: [Wireshark-users] Knowing What Exploit from .pcap File
From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 5 Aug 2011 10:57:59 +0200
On 5 aug 2011, at 05:33, Zaki Akhmad wrote:
> On Thu, Aug 4, 2011 at 8:34 PM, Marcelo Mandolesi <rolldabass@xxxxxxxxx> wrote:
>> Can you elaborate on this particular CTF? Perhaps provide us a link to it?
> Well, it's OWASP AppSecUSA 2011 CTF #1 and the .pcap file is
> here. Although they had provided the answer I still couldn't
> understand how to identify the exploit.
The whole idea behind a "Capture The Flag" is that the flag is sort of hidden and that it takes skill to find it. I'm no web security expert, so I am also not able to recognize the exploit (without taking time to delve into it). But some simple steps that get you on the way are:
1) Have a look at which conversations are in the file (two TCP conversations in this case)
2) Do a follow-tcp-stream on all of them and look at the results; this will show you that
- Host .50 is requesting some web content from host .5
- Host .50 is using port 4444 on host .5, which seems to offer a form of cmd shell in which a file is being retrieved
3) Going back to the web content being retrieved, you can see there is a script being run and that the program code of the script is obscured in some way.
So... things to look at are
1) Is port 4444 a known port of some exploit?
Hope this helps,
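As an added illustration of steps 1 and 2 above (not code from this thread or from Wireshark), here is a small pure-Python pass over a libpcap file that lists the TCP conversations, groups each direction's payload the way Follow TCP Stream does, and flags any conversation touching port 4444. The capture is constructed inline; the placeholder addresses 10.0.0.50 and 10.0.0.5 stand in for the ".50" and ".5" hosts mentioned in the post.

```python
import struct
from collections import defaultdict

# libpcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET (1)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def build_frame(src, dst, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP record (constructed sample traffic, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def sample_capture():
    """Constructed two-conversation capture mirroring the post: a web request plus a port-4444 session."""
    frames = [
        build_frame("10.0.0.50", "10.0.0.5", 51000, 80, b"GET /index.php HTTP/1.1\r\n\r\n"),
        build_frame("10.0.0.5", "10.0.0.50", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n<script>eval(x)</script>"),
        build_frame("10.0.0.50", "10.0.0.5", 51001, 4444, b"id\n"),
        build_frame("10.0.0.5", "10.0.0.50", 4444, 51001, b"uid=33(www-data)\n"),
    ]
    return PCAP_GLOBAL_HDR + b"".join(frames)

def tcp_conversations(pcap):
    """Group TCP payload per conversation and direction (steps 1 and 2 of the post).
    Assumes an in-order capture; returns {sorted endpoint pair: {(from, to): bytes}}."""
    convs = defaultdict(lambda: defaultdict(bytes))
    off = 24                                           # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 carrying TCP only
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total]
        sport, dport = struct.unpack_from("!HH", tcp)
        a, b = (src, sport), (dst, dport)
        convs[tuple(sorted((a, b)))][(a, b)] += tcp[(tcp[12] >> 4) * 4:]
    return convs

def suspicious_ports(convs, watch=(4444,)):
    """Flag conversations touching a port the post singles out (item 1 of 'things to look at')."""
    return [key for key in convs if any(port in watch for _, port in key)]
```

For a real capture, read the file bytes and pass them to tcp_conversations(); the same grouping is what Wireshark's Statistics > Conversations view gives you before you follow each stream.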