Briefing
Greetings, Special Agent.
Excellent work on locating the residence of Hendrik Schneider. Weโve been in contact with local authorities and acquired a permission to wiretap the residency. Over the past several days weโve had agents stationed around the area to observe all movements. Several methods of intercepting communication were installed around the residence as well. Including a tap on the internet connection. Given the vast amounts of data weโve recovered, all of this will need to be distributed among several teams for further analysis.
It has come to our attention that the Ahemait have a yearly conference. This event is always covered by some form of shell company or organization. Nothing is known of the location or time this event takes place. We hope though, that some of the intercepted data will give us more information about this event. Weโve taken a part of the internet wiretap and assigned it to you. Please find out if it contains anything useful for finding the time and place for this conference.
As always, Special Agent, the contract is yours, if you choose to accept.
Materials
Answer Instruction
Use the answer to unlock the flagfile, this will reward you with your badge.
Answer format: hotelname-city-dd-mm-yyyy-hhmm
Answer sample: avari-hotel-karachi-15-03-2023-0900
Flagfile
Be advised, the flagfile is an encrypted ZIP. Make sure your OS supports the ZIP format. Ensure the password contains no hidden characters or formatting, paste in Notepad first if the password doesn’t seem to work.
PS: Don’t forget to claim your Coins and XP, by posting your card in the #card-brag channel in Discord.
Official Write-up
Provided here is the official write-up, it does contain the answer. Use this if you’re stuck, or want to verify if you got the answer correct.
โ ๏ธ SPOILER: Official Write-up
Wiretap
The challenge involves analyzing network traffic from a wiretap operation on Hendrik Schneider’s residence, specifically looking for information about an annual Ahemait conference. The goal is to find the time and location of this meeting.
Available Materials
- Multiple PCAP files from internet surveillance
- Context about Ahemait organization
- Background on Hendrik Schneider
- Specific formatting requirements
Solution Path
Step 1: PCAP Analysis
Focus on the file: wiretap_00006_20230220215023
Key elements to find:
- DNS requests
- Look for Dropbox-related traffic
- Identify the specific Dropbox URL:
https://www.dropbox.com/sh/a4pq1x48zz7fwlw/AACZ9I04AZpXHZF--VDsBQKQaStep 2: Dropbox Content Analysis
The Dropbox folder contains:
- Member list (note: contains fake names)
- Encoded text with meeting details
Step 3: Text Decoding
The encoded text contains the meeting details:
- Location: Sheraton Hotel Zagreb
- Date: March 31, 2023
- Time: 13:00
Step 4: Answer Formatting
Required format:
hotelname-city-dd-mm-yyyy-hhmmExample format:
avari-hotel-karachi-15-03-2023-0900Correct answer format:
sheraton-hotel-zagreb-31-03-2023-1300Key Formatting Rules
- All lowercase
- Hyphens between components
- Two digits for day/month
- Four digits for year
- Four digits for time (24-hour format)
- No spaces
Common Pitfalls to Avoid
- Wrong case usage
- Incorrect time format
- Missing hyphens
- Wrong date format
- Spaces in hotel name
- Incorrect city spelling
Analysis Tools Needed
- Wireshark or similar PCAP analyzer
- Text decoder
- Web browser
- Note-taking tool
Tips for Solvers
- Focus on DNS requests in PCAP
- Look specifically for Dropbox traffic
- Pay attention to format requirements
- Double-check all components
- Verify exact spelling
- Ensure proper time format
Verification Steps
- Check PCAP for Dropbox URL
- Access Dropbox content
- Decode message properly
- Format answer correctly
- Verify all components match example
Remember: Attention to detail in formatting is crucial, as the answer must match the exact specified format to be accepted.
Creator(s): Frank Diepmaat