Wireshark-users: Re: [Wireshark-users] Knowing What Exploit from .pcap File
From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 5 Aug 2011 10:57:59 +0200
On 5 aug 2011, at 05:33, Zaki Akhmad wrote:
> On Thu, Aug 4, 2011 at 8:34 PM, Marcelo Mandolesi <rolldabass@xxxxxxxxx> wrote:
> 
>> Can you elaborate on this particular CTF? Perhaps provide us a link to it?
> 
> Well, it's OWASP AppSecUSA 2011 CTF #1[1] and the .pcap file is
> here[2]. Although they had provided the answer[3] I still couldn't
> understand how to identify the exploit.

The whole idea behind a "Capture The Flag" is that the flag is sort of hidden and that it takes skill to find it. I'm no web security expert, so I am also not able to recognize the exploit (without taking time to delve into it). But some simple steps that get you on the way are:

1) Have a look at which conversations are in the file (two TCP conversations in this case)

2) Do a follow-tcp-stream on all of them and look at the results, this will show you that
	- Host .50 is requesting some webcontent from host .5
	- Host .50 is using port 4444 on host .5 which seems to offer a form of cmd shell in which a file is being retrieved

3) Going back to the webcontent being retrieved, you can see there is a script being run and that the program code of the script is obscured in some way. 

So... things to look at are 

1)  Is port 4444 a known port of some exploit?

2)  Can you "decrypt" the javascript code and does that point you in the right direction

3)  etc.

Hope this helps,
Cheers,


Sake