CCT2019 — pcap1 | QA210 Writeup
Forensics / PCAP Analysis Hard TryHackMe

CCT2019 — pcap1

A multi-stage PCAP challenge from the U.S. Navy Cyber Competition Team 2019 Assessment. Extract hidden data from USB captures, decrypt cryptcat traffic, and connect to an IRC server to retrieve the flag.

CCT2019 Assessment
7 Stages
Est. 4-6 hours
Wireshark, tshark, cryptcat, InspIRCd
Stage 0: Challenge Overview

The challenge starts with a PCAP file containing USB packets. Through careful analysis, we need to extract embedded files, decrypt encrypted network traffic, and ultimately connect to an IRC server to receive the flag.

Key Hints
  • It's a PCAP challenge — don't go down stego/RE rabbit holes
  • It's critical to recover the first file completely
  • The final binary runs on amd64 Kali Linux
Stage 1: USB Packet Analysis

The capture file pcap2.pcapng contains USB packets captured with USBPcap. Opening it in Wireshark shows USB encapsulation with only 20 packets but roughly 2,308 kB of data, so a few packets carry large payloads.

bash
file pcap2.pcapng
# pcapng capture file - version 1.0

Filtering for the target device in Wireshark:

wireshark-filter
usb.device_address==7 && usb.capdata

The interesting data is in the 'Leftover Capture Data' field (usb.capdata in filter syntax). Extract it with tshark:

bash
tshark -r pcap2.pcapng -Y 'usb.capdata and usb.device_address==7' \
  -T fields -e usb.capdata > raw

Convert the hex dump to binary. Older tshark releases print usb.capdata as colon-separated bytes; if your raw file looks like that, run it through tr -d ':' first so xxd sees a clean hex stream:

bash
xxd -r -p raw output2.bin
Stage 2: StegoVeritas Extraction

Running StegoVeritas on the extracted binary reveals an embedded PCAP file:

bash
stegoveritas output2.bin

Inside the results we find pcap_chal.pcap, a second PCAP with 4,588 packets, which confirms we are on the right track and matches the second hint: the first file had to be recovered completely for the embedded capture to be intact.

Note StegoVeritas can process non-image files to extract embedded content. Don't limit your steganography tools to just image files — they often work on arbitrary binary data.
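The two steps above (decode tshark's field output, then find the capture hidden inside) can be done by hand, which also tells you whether the first file came out whole before you trust StegoVeritas. The following is an added example, not code from the writeup or from StegoVeritas; the tshark output it decodes is constructed inline and deliberately mixes the colon-separated style of older tshark releases with the plain style of newer ones.

```python
"""Added helpers for the USB stage (not from the writeup): turn tshark field
output into bytes and look for capture-file magic inside the result, so you can
check that the first file came out whole (hint 2) without StegoVeritas."""
import struct

PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microseconds)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microseconds)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanoseconds)",
    b"\x0a\x0d\x0d\x0a": "pcapng section header block",
}


def tshark_hex_to_bytes(text: str) -> bytes:
    """Decode `tshark -T fields -e usb.capdata` output. Handles the
    colon-separated bytes of older tshark releases, the comma-joined form
    tshark uses when a field occurs twice in one packet, and blank lines
    for packets without capdata."""
    out = bytearray()
    for line in text.splitlines():
        for chunk in line.split(","):
            chunk = chunk.replace(":", "").strip()
            if chunk:
                out += bytes.fromhex(chunk)
    return bytes(out)


def find_capture_magic(blob: bytes) -> list:
    """(offset, description) for every capture-file magic in blob. A pcapng
    hit must also carry the byte-order magic 0x1A2B3C4D at offset +8."""
    hits = []
    for magic, desc in PCAP_MAGICS.items():
        off = blob.find(magic)
        while off != -1:
            bom = blob[off + 8:off + 12]
            if magic != b"\x0a\x0d\x0d\x0a" or bom in (b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d"):
                hits.append((off, desc))
            off = blob.find(magic, off + 1)
    return sorted(hits)


def carve_pcap(blob: bytes, off: int) -> bytes:
    """Carve a classic pcap that starts at off by walking its packet records,
    stopping at the first record that would run past the end of blob."""
    little = blob[off:off + 4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")
    fmt = "<I" if little else ">I"
    pos = off + 24                                     # skip the global header
    while pos + 16 <= len(blob):
        incl_len = struct.unpack(fmt, blob[pos + 8:pos + 12])[0]
        if pos + 16 + incl_len > len(blob):
            break
        pos += 16 + incl_len
    return blob[off:pos]


# Constructed sample of tshark output: junk, then a 43-byte pcap holding one
# 3-byte packet, then more junk. Both hex styles appear on purpose.
SAMPLE_TSHARK_OUTPUT = (
    "de:ad:be:ef\n"                                 # junk before the capture
    "d4:c3:b2:a1:02:00:04:00\n"                     # colon style (older tshark)
    "0000000000000000ffff000001000000\n"            # plain style (newer tshark)
    "\n"                                            # packet without capdata
    "0100000000000000030000000300000041,4243\n"     # comma-joined occurrences
    "ff\n"                                          # junk after the capture
)
```

On the real raw file, tshark_hex_to_bytes(open("raw").read()) replaces the xxd step, find_capture_magic tells you where an embedded capture begins, and carve_pcap slices it out with an exact length instead of dragging trailing USB data into the new file. Only classic pcap can be carved by record walking this way; for an embedded pcapng you have the offset and should hand the slice to tshark.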
Stage 3: ICMP Data Extraction

Opening pcap_chal.pcap in Wireshark and filtering for undersized ICMP packets (a standard ping frame is 98 bytes on Ethernet: 14 + 20 + 8 + 56 bytes of payload):

wireshark-filter
frame.len < 98 && icmp

Extract the data fields:

bash
tshark -r pcap_chal.pcap -Y 'frame.len lt 98 and icmp' \
  -T fields -e data.data > raw

Converting the hex to text reveals an IRC-style conversation:

text
bro, what you up to?
n2mh
why?
you didn't send that thing yet
oh... well, not over this
if not this, then what?
let's use cryptcat instead
another thing to install?
man... no one can see this
still... rather use encryption
we need to pick a key to use
I know just the one
What? Oh, that old thing?
Hang on, lemme look it up
okay, I found it. use the metasploit port to receive
listener is up. send it.
okay, it's sent
7181f4d45de00ae35b6cf8201c8d852b
hash is good
Key takeaway: they are using cryptcat on the Metasploit default port (4444), and the 32-hex-digit value 7181f4d45de00ae35b6cf8201c8d852b, acknowledged with "hash is good", is an MD5-sized checksum of the file that was sent. Keep it to verify the decryption later.
Stage 4: Finding the Encryption Key

Examining ICMP packets reveals a hidden message in a "Response not found" packet:

text
Angela Bennett uses it to log into the Bethesda Naval Hospital

This is a reference to the movie "The Net" (1995). In the movie's hacker terminal scene, we can see:

text
/Password:/ natoar23ae
Dead end: natoar23ae is NOT the correct key. This is a common trap; the password visible in the movie scene does not decrypt the cryptcat traffic.

Further analysis of the chat traffic shows the actual key is BER5348833, the Gatekeeper backdoor password from the same film.

Stage 5: Extracting ICMP Type 8 Data

Filter for ICMP echo requests (type 8) and keep the first 2 bytes of each payload; cut -c -4 keeps the first four hex digits of the data.data field, which is where the sender hid the file:

bash
tshark -r pcap_chal.pcap -Y 'icmp.type == 8' \
  -T fields -e data.data | cut -c -4 | xxd -r -p > data.bin

file labels the result an OpenPGP Secret Key. Take that with a grain of salt: cryptcat ciphertext has no header, so file is pattern-matching on random-looking bytes and the label is noise. What matters is that this is the encrypted stream that was sent over cryptcat and must be decrypted with it.

Why cryptcat? Cryptcat is netcat with Twofish encryption bolted on (the default key is "metallica"; -k sets your own). The data was sent through cryptcat on port 4444, so the way to turn it back into plaintext is to feed the captured ciphertext to a cryptcat listener started with the same key.
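Both ICMP extractions above (the chat in undersized packets from Stage 3, and the file in the first two payload bytes of echo requests from this stage) come down to walking a capture, picking out IPv4/ICMP frames and slicing their payloads. The following is an added example, not code from the writeup: a standard-library libpcap reader that does exactly that, run over a capture it builds inline. The sample layout is constructed (the chat travels in both echo requests and replies, and the file rides in standard 56-byte-payload pings), so hidden_file adds a frame-length guard that the writeup's plain icmp.type == 8 filter did not need.

```python
"""Added example (not from the writeup): a stdlib-only libpcap reader that
reproduces the two ICMP extractions above, the chat hidden in undersized ICMP
packets (stage 3) and the file hidden in the first two payload bytes of echo
requests (stage 5). The capture it parses is constructed inline."""
import struct

ETH_LEN, IP_LEN, ICMP_HDR = 14, 20, 8
STANDARD_PING_FRAME = 98          # 14 + 20 + 8 + 56-byte ping payload


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_frame(icmp_type: int, payload: bytes, seq: int = 1) -> bytes:
    """Ethernet/IPv4/ICMP frame with valid checksums, for the sample capture."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(icmp), 1, 0, 64, 1, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + icmp


def build_pcap(frames) -> bytes:
    """Classic little-endian libpcap container, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap: bytes):
    """Yield each frame of a little-endian libpcap file (pcapng needs tshark)."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def icmp_fields(frame: bytes):
    """(icmp_type, payload) for an IPv4/ICMP frame, None for anything else."""
    if len(frame) < ETH_LEN + IP_LEN + ICMP_HDR or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 1:                   # IP protocol 1 = ICMP
        return None
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    icmp = frame[ETH_LEN + ihl:ETH_LEN + total_len]
    return icmp[0], icmp[ICMP_HDR:]


def chat_lines(pcap: bytes) -> list:
    """tshark -Y 'frame.len lt 98 and icmp' -T fields -e data.data, decoded."""
    lines = []
    for frame in iter_frames(pcap):
        parsed = icmp_fields(frame)
        if parsed and len(frame) < STANDARD_PING_FRAME:
            lines.append(parsed[1].decode("ascii", "replace"))
    return lines


def hidden_file(pcap: bytes) -> bytes:
    """tshark -Y 'icmp.type == 8' -e data.data | cut -c -4 | xxd -r -p.
    The frame-length guard is an addition for this sample, whose chat also
    rides in echo requests; the writeup's filter did without it."""
    chunks = []
    for frame in iter_frames(pcap):
        parsed = icmp_fields(frame)
        if parsed and parsed[0] == 8 and len(frame) >= STANDARD_PING_FRAME:
            chunks.append(parsed[1][:2])
    return b"".join(chunks)


# Constructed sample: a chat in undersized echo request/reply pairs, then
# standard 56-byte-payload pings that each leak two bytes of a file.
SECRET = b"\x7fELF\x02\x01"     # stands in for the ciphertext (ELF64 magic)
CHAT = [b"bro, what you up to?", b"n2mh", b"why?"]
SAMPLE_FRAMES = [build_icmp_frame(8 if i % 2 == 0 else 0, m, i)
                 for i, m in enumerate(CHAT)]
SAMPLE_FRAMES += [build_icmp_frame(8, SECRET[i:i + 2] + b"\x00" * 54, 100 + i)
                  for i in range(0, len(SECRET), 2)]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)
```

chat_lines(open("pcap_chal.pcap", "rb").read()) and hidden_file(...) are the two tshark pipelines above without the hex round trip; the frame-length guard in hidden_file is the knob to adjust if the chat and the file share an ICMP type in your own capture.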
Stage 6: Decrypting with Cryptcat

Set up a cryptcat listener with the recovered key on the Metasploit port; it decrypts whatever arrives and writes the plaintext to decrypted_file:

bash
cryptcat -k BER5348833 -l -p 4444 > decrypted_file

Then, from a second shell, push the captured ciphertext to the listener with plain nc (no encryption on the sending side, since the bytes are already ciphertext). 10.8.19.103 is the address of the box running the listener in this walkthrough; use 127.0.0.1 if both ends are on the same machine:

bash
cat data.bin | nc 10.8.19.103 4444

Verify the decrypted file:

bash
file decrypted_file
# ELF 64-bit LSB pie executable, x86-64

md5sum decrypted_file
# 7181f4d45de00ae35b6cf8201c8d852b  <-- matches the hash from IRC!
Hash verified: the MD5 digest 7181f4d45de00ae35b6cf8201c8d852b matches the one acknowledged in the chat, confirming that the file decrypted correctly and that the checksum in the conversation was an MD5.
Stage 7: IRC Server Setup & Flag Retrieval

The ELF binary connects to irc.cct. We need to set up a local IRC server to intercept the connection:

  1. Install InspIRCd: sudo apt install inspircd
  2. Add to /etc/hosts: 127.0.0.1 irc.cct
  3. Set the server name in /etc/inspircd/inspircd.conf: <server name="irc.cct" ...>
  4. Start the server and join the channel with Irssi
text
irssi
/connect irc.cct
/join #flag

Then run the binary:

bash
chmod +x decrypted_file
./decrypted_file

The binary connects to the IRC server, joins #flag, and the flag is delivered:

Flag
CCT{flag}
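A full InspIRCd install is one way to catch the binary; when all you need is to accept its registration and JOIN and log whatever it says, a throwaway server that speaks the handful of IRC messages involved does the job and shows both sides of the exchange. The following is an added example, not code from the writeup or from InspIRCd. It assumes the binary uses the default IRC port 6667 and that irc.cct resolves to 127.0.0.1 through the /etc/hosts entry above; scripted_client is a constructed stand-in for the binary so the block runs on its own.

```python
"""Added example, not from the writeup or InspIRCd: a throwaway IRC server
that speaks just enough of the protocol for a client to register, JOIN and
PRIVMSG, and records what the client says. Assumes port 6667 and irc.cct."""
import socket
import threading

SERVER_NAME = "irc.cct"   # host name from the writeup


def parse_irc(line: str):
    """Split '[:prefix] COMMAND arg ... :trailing' into (COMMAND, [args])."""
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    if parts and parts[0].startswith(":"):        # drop the optional prefix
        parts = parts[1:]
    if not parts:
        return "", []
    return parts[0].upper(), parts[1:] + ([trailing] if trailing is not None else [])


class FakeIRC:
    """Accept one client in a background thread; log every PRIVMSG it sends."""

    def __init__(self, host="127.0.0.1", port=6667):
        self.messages = []                          # (target, text) pairs
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(1)
        self.port = self._sock.getsockname()[1]    # real port when port=0
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def wait(self, timeout=10):
        """Block until the client disconnects, then return captured PRIVMSGs."""
        self._thread.join(timeout)
        self._sock.close()
        return self.messages

    def _handle(self, line, nick):
        """Process one client line; return (nick, replies, connection_done)."""
        cmd, args = parse_irc(line)
        if cmd == "NICK" and args:
            return args[0], [], False
        if cmd == "USER":                           # registration complete
            return nick, [f":{SERVER_NAME} 001 {nick} :Welcome",
                          f":{SERVER_NAME} 376 {nick} :End of /MOTD"], False
        if cmd == "JOIN" and args:
            return nick, [f":{nick}!ctf@localhost JOIN {args[0]}",
                          f":{SERVER_NAME} 366 {nick} {args[0]} :End of /NAMES"], False
        if cmd == "PRIVMSG" and len(args) >= 2:     # this is where a flag lands
            self.messages.append((args[0], args[1]))
        if cmd == "QUIT":
            return nick, ["ERROR :Closing link"], True
        return nick, [], False

    def _serve(self):
        conn, _ = self._sock.accept()
        nick, buf = "*", b""
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
                while b"\n" in buf:                 # IRC lines end in CRLF
                    raw, buf = buf.split(b"\n", 1)
                    line = raw.rstrip(b"\r").decode("utf-8", "replace")
                    if not line:
                        continue
                    nick, replies, done = self._handle(line, nick)
                    for reply in replies:
                        conn.sendall((reply + "\r\n").encode())
                    if done:
                        return


def scripted_client(port, nick, channel, text):
    """Constructed stand-in for the challenge binary: register, join, say one
    line, quit. Returns every line the server sent back."""
    received = []
    with socket.create_connection(("127.0.0.1", port), timeout=10) as s:
        reader = s.makefile("rb")

        def expect(code):                           # read until command/numeric seen
            while True:
                raw = reader.readline()
                if not raw:
                    raise ConnectionError("server closed before " + code)
                received.append(raw.decode("utf-8", "replace").rstrip("\r\n"))
                if code in received[-1].split()[:2]:
                    return

        for msg, code in ((f"NICK {nick}", None), (f"USER {nick} 0 * :{nick}", "001"),
                          (f"JOIN {channel}", "366"), (f"PRIVMSG {channel} :{text}", None),
                          ("QUIT :done", "ERROR")):
            s.sendall((msg + "\r\n").encode())
            if code:
                expect(code)
    return received
```

To use it against the real binary, start FakeIRC(port=6667) in a Python shell, run ./decrypted_file in another terminal, and call srv.wait() to get every (target, text) pair it sent; srv.messages fills in as the lines arrive. Some clients wait for 376 rather than 001 before joining, which is why both are sent.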

Key Takeaways

Skills & Techniques
USB PCAP: extracting data from USB captures with tshark filters and field extraction
StegoVeritas: can process non-image files to extract embedded PCAP content
Cryptcat: encrypted netcat variant using Twofish; requires the correct key
Pop culture: movie quotes can contain passwords/keys ("The Net", 1995)
IRC protocol: understanding IRC for CTF bot interactions and flag delivery
Local simulation: setting up services locally (InspIRCd) to interact with challenge binaries
QA210 w4llz CTF Team