Monday, February 21, 2011

Ghostintheshellcode Stage 26 BeatBoxing Packet 75pts

Stage 26
Question: BeatBoxing
75 Points
File: beatboxing-da09c691e2613581f1f4db70810c6e5c


carl@b:~/beatbox$ file beatboxing-da09c691e2613581f1f4db70810c6e5c
beatboxing-da09c691e2613581f1f4db70810c6e5c: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)


First just reviewed the dump file to see if anything stood out. I went down a few paths checking the delay between packets and any variance in the packet size, but they didn't lead me anywhere. The source and destination ports didn't seem to be of note either.

carl@b:~/beatbox$ tcpdump -nnn -r beatboxing-da09c691e2613581f1f4db70810c6e5c
carl@b:~/beatbox$ tcpdump -nnn -A -r beatboxing-da09c691e2613581f1f4db70810c6e5c



I extracted the payload using tcpflow. The only thing I noticed was that the file was exactly 65535 bytes. That didn't lead me to any conclusions other than it was likely custom generated.

carl@b:~/beatbox$ tcpflow -r beatboxing-da09c691e2613581f1f4db70810c6e5c
carl@b:~/beatbox$ ls -al 127.000.000.001.42405-127.000.000.001.04242
-rw-r--r-- 1 carl carl 65535 2011-02-20 15:18 127.000.000.001.42405-127.000.000.001.04242
carl@b:~/beatbox$ file 127.000.000.001.42405-127.000.000.001.04242
127.000.000.001.42405-127.000.000.001.04242: data


After reading some other CTF write-ups, it dawned on me to look for the number of occurrences of specific characters, which led me to this:

carl@b:~/beatbox$ egrep --binary-files=text -o "[A-Za-z0-9]" 127.000.000.001.42405-127.000.000.001.04242 | sort | uniq -c | sort -n

[...]
175 H
176 a
177 c
178 k
179 E
180 R
181 s
182 F
183 o
184 r
185 L
186 i
187 f
188 e
190 G
191 I
192 T
193 S
227 h
231 1
238 V
240 6
240 A
243 K
244 U
245 W
246 u
248 p
[...]



and thus the answer: HackERsForLifeGITS
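The `egrep | sort | uniq -c | sort -n` pipeline above works because each flag character was planted with a frequency one higher than the one before it, so sorting by count reads the message out in order. Note that the listing jumps from 188 (e) to 190 (G): a byte with exactly 189 occurrences that falls outside `[A-Za-z0-9]` would never show up in that output. The script below is an added example, not the author's code or anything from the challenge. It reproduces the counting step, then looks for the longest "staircase" of frequencies, tolerating a skipped count (rendered as `?`) and bracketing bytes that tie at one frequency, since their order cannot be known from counts alone. The `build_sample_payload` function is a constructed stand-in for the tcpflow output: it plants the counts seen in the write-up, puts a space at count 189 (an assumption made only to show the gap caveat), and pads to 65535 bytes.

```python
"""Recover a message hidden as byte frequencies in a payload.

Added example for this write-up; not the author's code. The payload
generator is constructed to match the counts the write-up observed
(175..193 with 189 absent from the alphanumeric listing). The '?' and
'[..]' markers are this example's own convention.
"""
import random
from collections import Counter

ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
FLAG_HEAD, FLAG_TAIL = "HackERsForLife", "GITS"  # from the write-up's listing
PAYLOAD_LEN = 65535                                # size tcpflow reported


def count_bytes(data: bytes, keep=lambda b: bytes([b]).isalnum()) -> Counter:
    """Per-byte histogram restricted by `keep`; the default mirrors
    egrep -o "[A-Za-z0-9]" | sort | uniq -c from the write-up."""
    return Counter(b for b in data if keep(b))


def staircase_runs(counts: Counter, max_gap: int = 1):
    """Group byte values by frequency, sort the frequencies, and split them
    into runs where each frequency is 1 to 1+max_gap above the previous.
    Returns a list of runs; each run is a list of (count, [byte values])."""
    by_count = {}
    for b, n in counts.items():
        by_count.setdefault(n, []).append(b)
    runs, current = [], []
    for n in sorted(by_count):
        if current and not (1 <= n - current[-1][0] <= 1 + max_gap):
            runs.append(current)
            current = []
        current.append((n, sorted(by_count[n])))
    if current:
        runs.append(current)
    return runs


def render(run) -> str:
    """Text for one run in ascending-frequency order. A skipped frequency
    becomes '?'; bytes tied at one frequency are bracketed because their
    relative order is unknowable from counts alone."""
    out, prev = [], None
    for n, bs in run:
        if prev is not None:
            out.append("?" * (n - prev - 1))
        s = "".join(chr(b) for b in bs)
        out.append(s if len(bs) == 1 else "[" + s + "]")
        prev = n
    return "".join(out)


def recover_message(data: bytes, keep=None, max_gap: int = 1) -> str:
    """Return the longest staircase (by number of distinct frequencies)."""
    counts = count_bytes(data) if keep is None else count_bytes(data, keep)
    runs = staircase_runs(counts, max_gap)
    return render(max(runs, key=len)) if runs else ""


def build_sample_payload(seed: int = 1) -> bytes:
    """Constructed stand-in for the tcpflow output (not real capture data).
    Flag bytes get counts 175..188 and 190..193 as in the write-up; a space
    takes count 189 (assumption: the [A-Za-z0-9] class hides whatever sat
    there). Other alphanumerics get counts 3 apart so they form no
    staircase, NUL bytes pad to 65535, and a seeded shuffle hides the order."""
    parts = [ch.encode() * (175 + i) for i, ch in enumerate(FLAG_HEAD)]
    parts.append(b" " * 189)
    parts += [ch.encode() * (190 + i) for i, ch in enumerate(FLAG_TAIL)]
    others = [c for c in ALNUM if c not in FLAG_HEAD + FLAG_TAIL]
    parts += [ch.encode() * (200 + 3 * i) for i, ch in enumerate(others)]
    body = bytearray(b"".join(parts))
    body.extend(b"\x00" * (PAYLOAD_LEN - len(body)))
    random.Random(seed).shuffle(body)
    return bytes(body)


if __name__ == "__main__":
    payload = build_sample_payload()
    print(recover_message(payload))                                   # alnum only
    print(recover_message(payload, keep=lambda b: 32 <= b < 127))     # all printable
```

Running it on the constructed payload with the default alphanumeric class gives `HackERsForLife?GITS`, the `?` marking the invisible count 189; widening `keep` to all printable bytes fills the gap. With `max_gap=0` the run would split at the gap and only `HackERsForLife` would be returned, which is why the search tolerates a single missing step. On the real flow, `recover_message(open(path, "rb").read())` is the equivalent of the shell pipeline.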
