
# Network

<table><thead><tr><th width="347">Challenge</th><th>Link</th></tr></thead><tbody><tr><td>sums-up (282 pts)</td><td><a href="#sums-up-282-pts">Here</a></td></tr><tr><td>secure-communications (450 pts)</td><td><a href="#secure-communications-450-pts">Here</a></td></tr></tbody></table>

## sums-up (282 pts)

### Description

Our SOC analysts saw some strange DNS traffic. Wanted you to figure out what was exfiltrated, can you check it and sum it up?

### Solution

Given a PCAP file, open it in Wireshark. Looking through the packets, I found suspicious printable characters.

<figure><img src="/files/vevoEsDGG8qtW6oTzbkH" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mtlOIS1yGN2ndogf2Zkx" alt=""><figcaption></figcaption></figure>

If we go to the next packet, we see a printable character at the same location. These printable characters are stored in the Checksum field of each packet. To simplify the process, I applied the checksum as a column and then exported the packets.

<figure><img src="/files/txob5ewTwwGmc9dwae6k" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/j5LQF5ro6jj5NXm8dq72" alt=""><figcaption></figcaption></figure>

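Finally, write a simple script to extract the checksum values.

```python
# Rebuild the exfiltrated bytes from the Checksum column of the Wireshark CSV export.
flag = b""
with open("exported.csv", "r") as f:
    for line in f.read().split("\n"):
        try:
            # The checksum is the quoted field right before the Info column ("Standard query ...").
            checksum = line.split('","Standard query')[0].split('"')[-1]
            flag += bytes([int(checksum, 16)])
        except ValueError:
            # Header row, empty lines and rows without a one-byte hex checksum are skipped.
            continue
print(flag)
```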

<figure><img src="/files/v57LouSSLotPajdJ89CG" alt=""><figcaption></figcaption></figure>

Flag: ctf{4cp\_4nd\_4dp\_ch3cksum5\_4r3\_3v1l\_pr00v3\_m3\_wr0ng\_jhunidr}
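From the detection side, a checksum field that carries data no longer matches the packet contents, so recomputing it exposes the channel. The following is an added example, not part of the original write-up: it assumes the field in question is the UDP checksum of raw IPv4 packets, and the addresses, ports and DNS query are constructed sample data.

```python
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """Checksum a correct sender would place in this UDP datagram (RFC 768)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    return (~ones_sum(pseudo + zeroed) & 0xFFFF) or 0xFFFF

def build_packet(src, dst, payload, forced=None):
    """Constructed IPv4+UDP packet; `forced` overrides the checksum field."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    csum = udp_checksum(src, dst, udp) if forced is None else forced
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return ip + udp

def suspicious_checksums(packets):
    """Checksum fields of UDP datagrams whose checksum does not verify."""
    hits = []
    for pkt in packets:
        if pkt[9] != 17:  # IPv4 protocol field: not UDP
            continue
        ihl = (pkt[0] & 0x0F) * 4
        total_len = struct.unpack("!H", pkt[2:4])[0]  # drops any trailing padding
        src, dst, udp = pkt[12:16], pkt[16:20], pkt[ihl:total_len]
        field = struct.unpack("!H", udp[6:8])[0]
        # 0 means "no checksum" for UDP over IPv4, so it is not a mismatch.
        if field and field != udp_checksum(src, dst, udp):
            hits.append(field)
    return hits

# Constructed sample: one honest DNS query and three with a byte in the checksum.
SRC, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53])
QUERY = bytes.fromhex("123401000001000000000000") + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
SAMPLE = [build_packet(SRC, DST, QUERY)] + [build_packet(SRC, DST, QUERY, c) for c in b"ctf"]

if __name__ == "__main__":
    hits = suspicious_checksums(SAMPLE)
    print(len(SAMPLE), "packets,", len(hits), "bad checksums:", bytes(hits))
```

Captures taken on the sending host with checksum offload enabled also show bad checksums on legitimate traffic, so treat a mismatch as a lead and look at whether the field values are small and printable.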

## secure-communications (450 pts)

### Description

We captured some pretty bizarre looking communications, but part of them are encrypted.

Can you help?

Flag Format: CTF{sha256}

### Solution

Given a PCAP file, open it in Wireshark. We can see that there are TLS/HTTPS packets and HTTP packets.

<figure><img src="/files/6ws2E8qrXr5CRKdHD7nZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/JvEjW8mT9OsniRl9JWSD" alt=""><figcaption></figcaption></figure>

Let's take a look at one of the HTTP requests.

<figure><img src="/files/xOalQrkhl0sutYqFG9cZ" alt=""><figcaption></figcaption></figure>

From the HTTP request above we can see that it switches the protocol to WebSocket, and we can see WebSocket packets on the same TCP stream.

<figure><img src="/files/zWfTV4eGzhA9jimggb3Q" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Vx9XeGSo6cG8oEwdPHSY" alt=""><figcaption></figcaption></figure>

Sorting the packets, I inspected them by type.

<figure><img src="/files/zeS5KI1qHsVTfcdK7YVA" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/z19DySMqlb7vevGFJ4vi" alt=""><figcaption></figcaption></figure>

There are two interesting pieces of data: a private key and an ssl-keys log. At first I tried adding the private key, but nothing happened.

<figure><img src="/files/aSO2ByxbuYY4bqVZlBO6" alt=""><figcaption></figcaption></figure>

So the next step is to add ssl-keys.log under Preferences > Protocols > TLS > (Pre)-Master-Secret log filename.

<figure><img src="/files/ILNry8BQQX6lbVvMcWpq" alt=""><figcaption></figcaption></figure>

Looking at the recorded packets again, some TLS packets are now decrypted, and one packet (frame 1631) contains another part of ssl-keys.log.

<figure><img src="/files/ENYmrRu6MQdFWCi1q4fV" alt=""><figcaption></figcaption></figure>

Next, combine that data and store it in a new file (new-keys.log). After that, change the (Pre)-Master-Secret log filename to the new new-keys.log.

<figure><img src="/files/823kI3agHdZhhZ7isRZC" alt=""><figcaption></figcaption></figure>
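A key log only decrypts the sessions whose client random it lists, which is why the first fragment decrypted just part of the traffic. The following added example (not from the original write-up) merges key log fragments in the NSS key log format and rejects lines that were cut off when copied out of a packet; the fragment contents are constructed placeholders, not values from the challenge.

```python
import re

# NSS key log line: <LABEL> <client random, 32 bytes hex> <secret, hex>
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def merge_keylogs(*fragments: str):
    """Merge key log fragments; return (merged_text, rejected_lines)."""
    seen, merged, rejected = set(), [], []
    for fragment in fragments:
        for raw in fragment.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank lines and comments carry no key material
            match = LINE.match(line)
            if not match:
                rejected.append(line)  # truncated or otherwise malformed entry
                continue
            key = (match.group(1), match.group(2).lower())
            if key not in seen:  # drop entries repeated across fragments
                seen.add(key)
                merged.append(line)
    return "\n".join(merged) + "\n", rejected

def covered_sessions(merged: str):
    """Client randoms (one per TLS session) that the merged log can decrypt."""
    return {line.split()[1].lower() for line in merged.splitlines()}

# Constructed sample fragments (placeholder hex, not real secrets).
R1, R2, R3, SECRET = "aa" * 32, "bb" * 32, "cc" * 32, "11" * 48
PART_A = f"# first fragment\nCLIENT_RANDOM {R1} {SECRET}\nCLIENT_RANDOM {R2} {SECRET}\n"
PART_B = (f"CLIENT_RANDOM {R2} {SECRET}\nCLIENT_RANDOM {R3} {SECRET}\n"
          f"CLIENT_RANDOM {R1[:40]}\n")  # last line is deliberately truncated

if __name__ == "__main__":
    merged, rejected = merge_keylogs(PART_A, PART_B)
    with open("new-keys.log", "w") as out:
        out.write(merged)
    print(len(covered_sessions(merged)), "sessions covered,", len(rejected), "lines rejected")
```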

Inspect the packets again and you'll see the flag at frame 557.

<figure><img src="/files/5lS27bz6BCa557oizUMZ" alt=""><figcaption></figcaption></figure>

Flag: CTF{ec4a9fda046b09e2dce095f772262c766a857ac041c9cf3745cdd2a76a8b5819}

