Publié le 18 mars 2013
Ndh2k13 quals got 352 participating teams and last only 24 hours, with only 14 tasks to solve. Among them, the Misc500 (namely "Wiretapped communication") stays unsolved and we think interesting to share with all of you the way it was intended to be solved. I created this task based on my professional experience, to make it look like a concrete and real case. Here is how to solve it. Contestants were provided with a ZIP file, containing a network capture (a PCAP dump) and what seems to be a binary version of the server program used by John Adams to communicate securely. The communication protocol is weird but having a look at an hexdump of the conversation allows us to draw some hypothesis. Analyzing the PCAP dump First of all, there seems to be a common pattern in the exchanged data. Many blocks of information starts with a byte, then what seems to be a 32-bit coded size, then this exact number of bytes and 4 extra bytes. No idea of what it is or how it is used. Anyway, some cleartext appears in the first bytes sent by the client :
00000000 01 0b 00 00 00 6a 6f 68 6e 2e 61 64 61 6d 73 00 .....joh n.adams.
00000010 24 7f a8 19 $...