Warren Buffer
We are again given a PCAP, this contains a mixture of both encrypted TLS and plaintext HTTP. (Eventually) we noticed that the last character of each useragent in each of the HTTP requests is different:
Collecting all of these together, we get 68 74 74 70 73 25 33 41 2f 2f 67 68 6f 73 74 62 69 6e 2e 63 6f 2f 70 61 73 74 65 2f 79 71 74 73 65 6b 39 33
, converting this from hex we get a URL: https://ghostbin.co/paste/yqtsek93
.
Going to the URL, we see that we need a password to view the paste:
Stumped, we returned to the PCAP and the very, very last HTTP requests contains the password: do_you_know_anything_about_the_cicada_3301_?
.
When we enter this, we are presented with the Base 64 of an image.
We can use CyberChef to convert and then display it, which produces the following image:
There is some text of the left handside, which is 7d76830dDDBBA391F542cCbc3E598Df392a3F274
.
After literately hours of searching, we discover that it is an Ethereum address on the Ropsten Testnet Network. It has three transactions, one of which looks funny, we can actually get a better decompiled output from here
The flag is in the contract, in hex form across three variables:
The flag is thus: HTB{1a4b20ec17323f20909c224614308f09}