@jjarmoc
Created May 23, 2013 13:18
BSJTF CTF 'What in the name of Zeus?' solve
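require 'packetfu'
require 'ipaddr'

puts "-- Reading packets"
packets = PacketFu::PcapFile.read_packets('./whatinzeus')

# Flag each packet: 1 if the destination MAC contains the IPv4 multicast
# prefix 01:00:5e, 0 otherwise. (Collected here but not used further below.)
# str2mac returns a String, so the pattern must be a Regexp; String =~ String
# raises a TypeError.
output = packets.inject([]){|ret, pkt|
  ret.push(PacketFu::EthHeader.str2mac(pkt.eth_dst) =~ /01:00:5e/ ? 1 : 0)
}

puts "\n-- Parsing IPs"
# Each destination IP becomes an array of four octet strings, e.g. ["10", "0", "0", "1"].
ips = packets.inject([]){|ret, pkt| ret << IPAddr.new(pkt.ip_dst, Socket::AF_INET).to_s.split(".") }

# octets[i] holds the i-th octet of every destination address.
octets = []
(0..3).each{|i|
  octets[i] = []
  ips.each{|x| octets[i] << x[i]}
}

puts "\n-- Unique occurrences of each octet"
puts "#{octets[0].uniq.count} #{octets[1].uniq.count} #{octets[2].uniq.count} #{octets[3].uniq.count}"

puts "\n-- What's missing from each?"
# For each octet position, list the values 0..255 that never appear.
(0..3).each{|x|
  puts "Octet #{x}"
  (0..255).each{|y|
    puts y unless octets[x].include?(y.to_s)
  }
  puts ""
}

puts "\n-- Hmmm... nothing with 0 in the second octet?"
# Print the first destination address whose second octet is 0.
puts "\tThis one has a 0:\t\t\n#{ips.find{|ip| ip[1] == "0"}.join(".")}"
puts "\n--Done."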