Name : WorldGolfChampion
50 Points

Description : Help me, i need this flag

Url: http://static.wargame.rocks/WorldGolfChampion.pcap

Level: Very easy 

So it begins with a pcap... When we take a quick look at the first packet of the exchange, we see clear information... Things like "User:tiger" or "Password:"...

Let's follow the TCP stream to see if we can get more information about this...

So... Looks like the log of a terminal... What do we have ?

  • he launches Firefox to search Ashley Maddison with Qwant... Weird flex but ok...
  • then kills the Firefox process
  • tries to open a KeePass database
  • forgot the password
  • starts to panic
  • searches on Qwant how to reset the master password of a KeePass database
  • tries random commands like decrypt or base64 on his KeePass database file
  • ragequits

Since he ran the base64 command on the KeePass database file, the file was printed in the terminal output, so a simple base64 -d of this will give us the original KeePass file.

It looks obvious that we will have to open it to get the flag... Let's have a second look at the TCP stream... He used the password woods1275 to log in... Then he tried, without success, the following to open the database: woods1077, woods1282.
Let's gamble on the fact that his password is always "woods"+4 digits.

Small script to build all possibilities from woods0000 to woods9999.

Then we will use kpcli to make a nice bruteforce shell script. If the right password is in our wordlist, kpcli will stop the script.

Let's run this and go afk, it could take a long time. I'll go have a beer and talk with the other challengers.

I stayed outside for like 30-40 minutes making friends with some guys from Akerva, thinking it would take a good while... When I left, Alkanor's "John The Ripper" had already been running for a solid 15 minutes with nothing...

It took the huge amount of time of... 2 minutes and 30 seconds! It found the password like 1 min after I left... Nice move... But anyway, I have the pass woods0180 and Alkanor's "John The Ripper" is still running with nothing...

Edit: John wasn't working because the wordlist didn't include words with a 0 at the beginning, so no chance to find 0180 :/
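The wordlist step and the leading-zero miss from the edit above, as an added example (not the script used during the challenge): it builds the woods0000 to woods9999 list and checks it before a long run. The function names are made up for the illustration, and the unpadded generator is only an assumed way a list ends up without its leading zeros.

```shell
#!/bin/sh
# Added example: build and verify the "woods" + 4 digits candidate list.
PREFIX="woods"      # prefix seen in the TCP stream
FOUND="woods0180"   # password reported in this write-up

# Correct generator: %04d zero-pads, so 180 is written as 0180.
gen_padded() {
    awk -v p="$PREFIX" 'BEGIN { for (i = 0; i <= 9999; i++) printf "%s%04d\n", p, i }'
}

# Flawed generator (assumed cause of the miss): plain %d drops leading zeros.
gen_unpadded() {
    awk -v p="$PREFIX" 'BEGIN { for (i = 0; i <= 9999; i++) printf "%s%d\n", p, i }'
}

# Count unique stdin lines that really are prefix + exactly four digits.
count_valid() {
    sort -u | grep -c "^${PREFIX}[0-9][0-9][0-9][0-9]\$" || true
}

# Exit 0 if the candidate in $1 appears as a whole line on stdin.
has_candidate() {
    grep -qxF -- "$1"
}

# Pre-flight check on file $1: whole keyspace present, nothing malformed.
wordlist_ok() {
    [ "$(count_valid < "$1")" -eq 10000 ] &&
        [ "$(wc -l < "$1" | tr -d ' ')" -eq 10000 ]
}

# Compare both lists on the password that was eventually found.
tmp=$(mktemp -d)
gen_padded   > "$tmp/padded.txt"
gen_unpadded > "$tmp/unpadded.txt"
for f in padded unpadded; do
    if wordlist_ok "$tmp/$f.txt"; then state="complete"; else state="INCOMPLETE"; fi
    if has_candidate "$FOUND" < "$tmp/$f.txt"; then hit="yes"; else hit="no"; fi
    echo "$f: $(count_valid < "$tmp/$f.txt")/10000 valid, $state, contains $FOUND: $hit"
done
rm -rf "$tmp"
```

The whole keyspace is only 10,000 candidates, which is why the run finished in minutes once the list was complete.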

Let's open the database with the KeePassX GUI to have a nice display for the screenshots... woods0180 works well.

MyBestFiend and MyBestPlan look like junk data, let's see the one with nothing...

This looks like a flag... Let's validate.
+50 points, time to go on to another chall!