The Shark
This is a writeup of the network challenge The shark from the Security Valley CTF
Level: 1, Score: 5
Premise
There is pcapng file. Can you reveal the authentication credentials?
Link: https://github.com/SecurityValley/PublicCTFChallenges/tree/master/network/the_shark
Challenge files:
auth_sniff.pcapng
Observations
When opening the file in wireshark, we see some TCP and HTTP traffic.
The HTTP traffic sends several requests to an api at /api/v1/auth
.
If we follow the HTTP stream of these requests, we see 2 requests that return a 401 Unauthorized
and one that returns a 200 OK
Solution
If we look at the content sent before the 200 OK
request, we can see the following:
1
2
3
4
5
6
7
8
GET /api/v1/auth HTTP/1.1
Authorization: Basic c2VjdmFsOlNlY1ZhbHs4NDVJYzR1N2hfaTVfNVVQM1JfNWhJN30=
User-Agent: PostmanRuntime/7.26.8
Accept: */*
Postman-Token: 4a8745d5-69b5-4024-97c6-e4058a6bc3bd
Host: localhost:7777
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
The string in the Authorization header seem to be base64 encoded, so we can simply decode it with a tool like CyberChef.
The decoded string is: secval:SecVal{[REDACTED]}
Tools used:
- wireshark