This task was meant for us to strengten our skills with wireshark and tcpdump.
We captured traffic using tcpdump for over 3 hours using:
nohup tcpdump -n -s0 -i eth0 -A port ! 22 &
Then we twiggled around with filtering to find out something interesting. First we filtered out ssh traffic using
not ssh
Then we filtered the packets to keep only those for which we are the destination:
not ssh and ip.dst == 192.168.1.171
We saw a lot of port scans and other stuff happening so we filtered it out to see only non-empty packets
not ssh and ip.dst == 192.168.1.171 and (udp.length > 0 or tcp.len > 0)
we also removed ICMP packets
not ssh and ip.dst == 192.168.1.171 and (udp.length > 0 or tcp.len > 0) and not icmp
This left us with 186 packets, after a quick visual scan we saw that some contain wierd messages with "BEEP"s.
Finally, the whole BEEPING stream contained message encoded in morse code, e.g.
short BEEP standing for '.' and long BEEEPS standing for '-'. Decoded morse code
message contained token that needed to be written to the flag server (192.168.1.167) in order to obtain
the flag.