Post

The Shark

This is a writeup of the network challenge The shark from the Security Valley CTF

Level: 1, Score: 5

Premise

There is pcapng file. Can you reveal the authentication credentials?

Link: https://github.com/SecurityValley/PublicCTFChallenges/tree/master/network/the_shark

Challenge files:

auth_sniff.pcapng

Observations

When opening the file in wireshark, we see some TCP and HTTP traffic.

The HTTP traffic sends several requests to an api at /api/v1/auth.

If we follow the HTTP stream of these requests, we see 2 requests that return a 401 Unauthorized and one that returns a 200 OK

Solution

If we look at the content sent before the 200 OKrequest, we can see the following:

1
2
3
4
5
6
7
8
GET /api/v1/auth HTTP/1.1
Authorization: Basic c2VjdmFsOlNlY1ZhbHs4NDVJYzR1N2hfaTVfNVVQM1JfNWhJN30=
User-Agent: PostmanRuntime/7.26.8
Accept: */*
Postman-Token: 4a8745d5-69b5-4024-97c6-e4058a6bc3bd
Host: localhost:7777
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

The string in the Authorization header seem to be base64 encoded, so we can simply decode it with a tool like CyberChef.

The decoded string is: secval:SecVal{[REDACTED]}

Tools used:

  • wireshark
This post is licensed under CC BY 4.0 by the author.