Mubarak Mikail
SOS, someone is torrenting on our network. One of your colleagues has been using torrent to download some files on the company’s network. Can you identify the file(s) that were downloaded? The file name will be the flag, like picoCTF{filename}. Captured traffic.
- Download and open the file with a packet analyzer like Wireshark.
- You may want to enable BitTorrent protocol (BT-DHT, etc.) on Wireshark. Analyze -> Enabled Protocols
- Try to understand peers, leechers and seeds. Article
- The file name ends with
.iso
Following hints 1 and 2 is good. After that, I started searching for "iso" in the strings. That didn't work well so I had to switch strategies. All files have a unique hash (or should have a unique hash) so my next attempt was to search "hash":
I found 4 different hashes:
e2467cbf021192c241367b892230dc1e05c0580e
7af6be54c2ed4dcb8d17bf599516b97bb66c0bfd
17c0c2c3b7825ba4fbe2f8c8055e000421def12c
17c02f9957ea8604bc5a04ad3b56766a092b5556
I tried searching up each hash, the last 3 had nothing come up. Searching 'e2467cbf021192c241367b892230dc1e05c0580e ".iso"' got this website for torrenting the ubuntu-19.10-desktop-amd64.iso file.
picoCTF{ubuntu-19.10-desktop-amd64.iso}