# SquareCTF 2017 - Sniffed Off the Wire

A sequence of terminal escape codes is sent over the network; when the captured bytes are rendered with the tool `more`, the characters land at their intended screen positions and spell out the flag.

### Description

Sniffed Off the Wire

Sifting through the noise

After weeks of perching, our avian operatives captured a suspicious network flow. Maybe there’s valuable data inside?

sniffed-off-the-wire.pcap

### Details

Points: 100

Category: Forensics

### Solution

Opening the file in Wireshark shows a series of TCP transactions whose payloads look like this (the leading, non-printable ESC byte of each sequence is not shown):

```
[12;5HZ
[16;23HD
[8;2HK
...
```


These are terminal escape codes: `ESC[row;colH` is the ANSI cursor-positioning sequence, so each payload places a single character at a given row and column of the screen. We exported all the bytes with Analyze -> Follow -> TCP Stream using the Raw option. When the exported file was read with the tool `more` while holding down the Enter key, the flag appeared:

```
IYuFmcDBROZjVozrYVVQRtgNvHBWmFeeEDBiorENmcUxmTQdfxgzQgrdClphCYskIpdtedOsHQLOpam more tcp
m4ykYMarqwv(fl%)McnTNxCiOjOKxPOmzBYRGvlRFkPSwBotbbbOcIYSQmxGRKtDNMVpinMizKarbYC
--More--(48%)44N))dZYxKodcHdororUmLhAlXLCSFiMeohTRxVwQEaYbRPrsoMGgASTZuEbHfEDUw
[3;--More--(48%)jLzQSSkcyWVUwTtVbHOLzlJBmUPILSheSiGomiJIucZqWeertzbXwzGBmexAbK
N-More--(47%)-(46%)XpOmHrDCXmWEwpvDqWkhXdKHqeQZIfrZMIyubgPSgdstwOCIgSwEzhjJebDQ
I-More--(48%)%)EzpRLQsueNkCYXnaKCNTCoXBWiaIaLDyjmWASZlrUWcClyuQutWuRALyksZzgLKs
cNMore-H(46%)4UM)xQQnFAAbVGyOdWOoAXvjEkcHpEPHJHMVGQgDpRkHFawnuHaLZnBgHGxvIQVHNg
23;70Gzei-(47%)4N%yAxQhfZruoNVELeiZkpYEsXarLPJamLvrQhvPOSsmyjIxVYWRHcKvWVWnSAsT
53Hp;--More--(47%))PLeyhzxqOWttZFDpnwPhyqbXxgbFvhEcvpXWkzikIbRKEqRhSVaYGUhCenMR
jHfh;6--Morn--(45%)dHmYaRHKY                       RRuLZyetyQqloVMnYYgAwQZyhPpP
HnmEjeYbP3KoynWEuCszGPacXFLP                       AkrPKkWRQqDnoExocEOxjgbCylPx
e3FJF-poRe--D45%)%)oldAPXwDnYiRJenNFiXsRLmgWehDPmQaXYYlPbVrQOLIPMPFxapgbDDSNkUc
```
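Rather than replaying the bytes through `more` and reading the screen by eye, the same result can be reconstructed deterministically. The following is an added example, not code from the writeup: a small Python renderer that replays `ESC[row;colH` cursor-positioning sequences onto a virtual screen and dumps it in reading order. It assumes the raw TCP-stream export kept the ESC byte (0x1b) in front of each sequence; `SAMPLE` is a constructed payload, not the challenge capture.

```python
import re
from typing import Dict, Tuple

# One CSI sequence: ESC '[' parameters final-byte. The CUP form "ESC[row;colH" is
# the one that matters here; any other CSI sequence is consumed and ignored.
CSI = re.compile(rb"\x1b\[([0-9;?]*)([A-Za-z])")

def render(stream: bytes) -> Dict[Tuple[int, int], str]:
    """Replay the byte stream on a virtual screen; return {(row, col): char}."""
    screen: Dict[Tuple[int, int], str] = {}
    row, col, pos = 1, 1, 0
    while pos < len(stream):
        m = CSI.match(stream, pos)
        if m:
            params, final = m.group(1), m.group(2)
            if final == b"H":  # CUP: absolute cursor position, 1-based row;col
                parts = params.split(b";")
                row = int(parts[0] or 1)
                col = int(parts[1] or 1) if len(parts) > 1 else 1
            pos = m.end()
            continue
        ch = stream[pos:pos + 1]
        pos += 1
        if ch == b"\n":
            row, col = row + 1, 1
        elif ch == b"\r":
            col = 1
        elif ch >= b" ":  # printable byte: overwrite the cell, advance the cursor
            screen[(row, col)] = ch.decode("latin-1")
            col += 1
    return screen

def screen_text(screen: Dict[Tuple[int, int], str]) -> str:
    """Dump the screen row by row, in reading order, with blanks for unset cells."""
    if not screen:
        return ""
    lines = []
    for r in range(1, max(r for r, _ in screen) + 1):
        width = max((c for rr, c in screen if rr == r), default=0)
        lines.append("".join(screen.get((r, c), " ") for c in range(1, width + 1)))
    return "\n".join(lines)

# Constructed sample: characters of two rows sent out of order, then a plain run
# of text at row 3 that simply advances the cursor as it is written.
SAMPLE = (
    b"\x1b[2;5H}\x1b[1;1Hf\x1b[2;3Hm\x1b[1;4Hg\x1b[2;1Hd"
    b"\x1b[1;2Hl\x1b[2;4Ho\x1b[1;5H{\x1b[2;2He\x1b[1;3Ha"
    b"\x1b[3;1Hjunk"
)

if __name__ == "__main__":
    print(screen_text(render(SAMPLE)))
```

For the real challenge, replace `SAMPLE` with the bytes of the raw Follow-TCP-Stream export; the flag is then the first rows of the reconstructed screen.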