Jeppe Ernst


The (Danish) National Police Cyber Crime Center (NC3) has created a four-part advent CTF challenge this year. In a CTF you compete against the clock ⏱ to be the first to solve a series of challenges/riddles that involve different aspects of programming/forensics/<stuff>.

This is a writeup explaining how I solved the second challenge in this year's advent CTF, and how I managed to get the best time in this round.

The challenge started with a file I had to download, “2.pcapng”. The file format “pcap” is usually a packet capture, and opening the file in Wireshark I could see that it was a USB packet capture. Looking at the device info revealed that it was input from a keyboard. To the search engine! Searching for “pcapng usb capture keyboard” I found a writeup from another CTF, with a script. Using this script (with some small modifications: changing from dvorak to qwerty) I got this:

[email protected]:/mnt/hgfs/nc3-2# tshark -r 2.pcapng -T fields -e usb.capdata -Y usb.capdata 2>/dev/null | python 
Jeeg haarr liigge tteessteet miin toastteermallwwarre og iinnggeenn antiviiruus dettecteerrede dden! Fedt man. Den haar sha/2556 42c3d3ba5c099106fc21ab53908495d5ef2ff9fcaa890b1c7ef4386bc0893f2f???f2f
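
For reference, here is an added decoder of my own (not the script from the other writeup, and not part of the challenge) that does the same job: it reads the `usb.capdata` lines that the tshark command above prints and turns the 8-byte HID keyboard reports into text. The keymap is a partial US-QWERTY table, and the sample reports at the bottom are constructed, not taken from 2.pcapng.

```python
# Added example, not the author's script: decode USB HID keyboard reports as
# printed by `tshark -r 2.pcapng -T fields -e usb.capdata -Y usb.capdata`.
# Each boot-protocol report is 8 bytes: modifiers, reserved, up to 6 key codes.
import sys

SHIFT = 0x02 | 0x20  # left shift | right shift bits of the modifier byte

# US-QWERTY map: HID usage id -> (unshifted, shifted). Partial on purpose;
# unknown usage ids are rendered as [0x??] rather than silently dropped.
KEYMAP = {0x04 + i: (chr(97 + i), chr(65 + i)) for i in range(26)}
KEYMAP.update({0x1e + i: p for i, p in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({0x28: ("\n", "\n"), 0x2c: (" ", " "), 0x2d: ("-", "_"),
               0x2e: ("=", "+"), 0x2f: ("[", "{"), 0x30: ("]", "}"),
               0x33: (";", ":"), 0x34: ("'", '"'), 0x36: (",", "<"),
               0x37: (".", ">"), 0x38: ("/", "?")})


def parse_report(line):
    """Turn one tshark capdata line ('02000b..' or '02:00:0b:..') into bytes."""
    raw = bytes.fromhex(line.strip().replace(":", ""))
    return raw if len(raw) == 8 else None  # ignore non-keyboard-sized payloads


def decode_reports(lines, on_transition=True):
    """Return the typed text. With on_transition=True a key produces a character
    only when it changes from released to pressed, so a report that appears
    twice in a row in the capture does not double every letter (as in the
    'Jeeg haarr' style output above)."""
    out, held = [], set()
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue
        shifted = bool(report[0] & SHIFT)
        pressed = {k for k in report[2:8] if k}
        new_keys = pressed - held if on_transition else pressed
        for key in sorted(new_keys):
            pair = KEYMAP.get(key)
            out.append(pair[shifted] if pair else "[0x%02x]" % key)
        held = pressed
    return "".join(out)


# Constructed sample (not from the challenge capture): types "Hi, 11", with the
# first report captured twice and a genuine double press of "1" at the end.
SAMPLE = ["02000b0000000000", "02000b0000000000", "00:00:0c:00:00:00:00:00",
          "0000000000000000", "0000360000000000", "00002c0000000000",
          "00001e0000000000", "0000000000000000", "00001e0000000000"]

if __name__ == "__main__":
    print(decode_reports(SAMPLE if sys.stdin.isatty() else sys.stdin))
```

Piped after the tshark command it prints the recovered keystrokes; run on its own it decodes the constructed sample, and `on_transition=False` reproduces the doubled-letter output of a decoder that emits a character for every report.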

Okay, so this contains a SHA-256 hash, and it mentions something about antivirus scanners not detecting the file… hmm… maybe I should search VirusTotal for the hash? SUCCESS!

In the comments someone mentions that the “virus” is trying to connect to on port 9999 and sending the text “HELLO”. Maybe we should just try to do the same then?

[email protected]:/mnt/hgfs/nc3-2# netcat -q2 9999 echo <<< "HELLO"

Okay, so we get a new address! Wonder what's there… aaaand it's another download link, to a file named “g”? So what is this “g” file?

[email protected]:/mnt/hgfs/nc3-2# file g
g: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/, for GNU/Linux 2.6.32, BuildID[sha1]=67f9fe06fd8f37032e969f3b49583140629810c4, not stripped

It's a binary/executable, let's try to run it! (This is pretty bad practice, running unknown code… and as root to boot (pun intended), but whatever #YOLO)

[email protected]:/mnt/hgfs/nc3-2# chmod +x g
[email protected]:/mnt/hgfs/nc3-2# ./g
23/09/90 kl. 01:12:12 UTC er det helt rigtige unix-tidspunkt til at skabe en URL

Okay, so apparently this program needs to be run at a specific time in the past; let's try it out.

[email protected]:/mnt/hgfs/nc3-2# date -s "09/23/90 01:12:12 UTC" && ./g
Sun Sep 23 03:12:12 CEST 1990
23/09/90 kl. 01:12:12 UTC er det helt rigtige unix-tidspunkt til at skabe en URL

And there you have it! The flag was behind the last address 😊

⏱ Total time: 19 minutes and 31 seconds

Looking forward to next sunday 🎅


The first time I tried to submit, a “ ” whitespace char snuck into the flag, so I had to write my “name” again; this resulted in me typing the wrong Twitter handle and pressing submit ¯\_(ツ)_/¯. Fortunately for me the NC3 admins were quick to change it.