Peculiar Packet Capture

Forensics [400pts]



We have a situation brewing. Last week there was an attack on the prime minister of Morocco. His motorcade was stopped by a road blockade where heavily armed men opened fire on them. Fortunately, the prime minister was able to escape safely but many personnel and a few other ministers did not.

ATLAS, a multi-national Private Military Corporation (PMC) based in Colorado, USA, is our main suspect. We believe they were hired to conduct the hit by the opposition political party.

We flew Agent Jason to Colorado to investigate further. He gained access to their building’s reception area dressed in a suit acting as a potential client with an appointment. He was able to intercept wireless network traffic from their corporate wireless network before being escorted out by guards when they realised the bluff.

The network capture is attached below, see if you can recover any important documents which could help us tie ATLAS to the Morocco incident.

We are given a Wireshark capture file and when looking at it, it seems that they are using the EAPOL protocol with authentication keys.

Looking at each of the keys, they are using 802.11 authentication to encrypt the keys. So I thought to decrypt them somehow.

This blog ( contained useful information on how to decrypt the keys.

But first, we needed to crack the WPA2 password in order to use this method. A popular tool is Aircrack-ng, which is what I used for this challenge.


#5 is the only bullet point I used for this challenge. Using rockyou.txt as my wordlist and the MAC address of the source:

It turns out the key was nighthawk.

So using the decrypt-wpa2-psk-using-wireshark method shown above, I had to generate a PSK using this link (provided as well in the blog above):

The SSID was ATLAS_PMC and passphrase was nighthawk. Our hex key is:


When applying the hex key (with key type: wpa-pwk) to our WEP and WPA decryption key in Wireshark preferences, we are now shown packets that were not shown before, most notable a PDF.

So after extracting this PDF from WireShark, we are presented with the flag at the bottom:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s