By Luciana Obregon

The "Weird Python" Capture the Flag Series - Part 1


In this blog series, we attempt to complete a Capture The Flag (CTF) challenge posted by The Honeynet Project using Gigasheet. While the challenge is quite dated (2015), the analysis techniques we showcase in this blog are still relevant today.

The challenge is called "Weird Python" and is available for public download through The Honeynet Project's website. It presents a series of twelve questions that one must answer by analyzing a packet capture file. Part 1 of this blog provides the analysis methodology to find the answers to questions 1 and 2. Check back for Part 2, where we continue to solve the challenge questions.

[Figure: Weird Python CTF tutorial example]

The Challenge


Below is the challenge excerpt, copied from honeynet.org.

"Your boss John went to a BYOD conference lately. Yeah, he's that kind of security guy… After some mumble about targeted attacks happening during the event, your team finally got their hands on a PCAP with his traffic. Your colleague Pete Galloway investigated the incident. Yesterday, he casually mentioned that he found some weird Python bytecode, but couldn't make much sense out of "random" payloads yet. Today, Pete didn't come to work. Five minutes ago, he sent a company-wide mail with a total of four words: "F*** you, I quit. ". What has happened!?"


The questions we answer in this blog are:

  • BYOD seems to be a very interesting topic. What did your boss do during the conference?

  • What method did the attacker use to infect your boss? Which systems (i.e. IP addresses) are involved?

The Analysis


Question 1: BYOD seems to be a very interesting topic. What did your boss do during the conference?


We begin the analysis by uploading the PCAP file to Gigasheet and scanning through its contents.

[Figure: Gigasheet Library after uploading and scanning the PCAP]

The timestamps in the FRAME.TIME_EPOCH column are in Unix time format, which we can translate to CDT (or another time zone) using the Convert Unix time function. Gigasheet then adds a new column labeled FRAME.TIME_EPOCH-UTC that contains the translated time.

[Figure: Convert Unix Time]

We can see at first glance that most of the traffic is HTTPS over port 443, which is of limited use because it is encrypted. We can add a filter to the INFO column to exclude "443 →" and "→ 443", which hides traffic sent and received over port 443. We also want to exclude any rows displaying "Application Data" in the INFO column, since they provide little value for now.

[Figure: Filter in Gigasheet]

We can continue filtering out data that may not be useful by right-clicking the data object and selecting "Filter to exclude this".

[Figure: "Filter to exclude this" option]

After several rounds of filtering, we start seeing some interesting traffic, including DNS queries and HTTP requests/responses.

[Figure: Interesting traffic after filtering]

On rows 204-205, we can see a DNS query and response for www.reddit.com, which may help answer the first challenge question. We can flag these rows as "Suspicious" to make them easier to find in later analysis. The DNS request comes from 172.16.254.128, which is an Internet gateway.

[Figure: Flagging rows as good, bad, or suspicious]

Scrolling down to row 619, we can see that the boss accessed a web page, and closer inspection of the HTML code reveals the website's title: "reddit: the front page of the internet".

[Figure: Suspicious row in the log]

On rows 5028-5029, we see a DNS query and response for www.thewayoftheninja.org, returning IP address 54.231.10.92.

[Figure: DNS query and response in the log]

In rows 5033-5041, we see an HTTP GET request to the IP address of www.thewayoftheninja.org (54.231.10.92), followed by an HTTP 200 OK response from the server in row 5041. The response includes a webpage titled: "The Way of the Ninja: the Official Site of N and N+".

[Figure: HTTP 200 OK response in the log]

We now have enough information to answer the first question:


What did the boss do during the conference? Among other things, the boss was browsing Reddit and online game sites.


Question 2: What method did the attacker use to infect your boss? Which systems (i.e. IP addresses) are involved?


A deeper analysis of the HTML code returned by 54.231.10.92 in row 5041 reveals that www.thewayoftheninja.org hosts several games for download, as shown in the HTML snippets below:


<...alt="N, the free flash game that started it all. Download it here!">

<...alt="N+XBLA released February 20th 2008. Download it now!">

[Figure: Games for download indicated in the HTML]

To determine whether the boss downloaded anything from this website, we filter the INFO column for HTTP GET requests, which leads us to row 5675, where the boss downloads Nv2-PC.zip from 81.166.122.238.

[Figure: Filtering the INFO column for HTTP GET requests]

[Figure: Log entry for the file download]

Since the user initially communicated with IP address 54.231.10.92, we need to confirm that the two IP addresses, 54.231.10.92 and 81.166.122.238, relate to the same user action. We undo the filters and search for Nv2-PC.zip using the search function to find the beginning of the session.


In rows 5668-5669 and 5671-5672, we see a series of DNS queries and responses for www.harveycartel.org, returning IP addresses 81.166.122.238 and 207.250.212.43, followed by the Nv2-PC.zip file download.

[Figure: Undoing the filters and searching for the file name]

Searching www.harveycartel.org using the search function leads to row 5424, where we see a link to hxxp://www.harveycartel.org/nv2/Nv2-PC.zip in the initial website visited by the user.

[Figure: Link to the download in the log]
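As an added example that is not part of the original post or of Gigasheet's tooling, the steps used above (Unix-time conversion, excluding the port-443 and "Application Data" rows, and tying a downloaded file's destination IP back to the DNS answer that resolved it) applied to a constructed tshark-style CSV export. The sample rows, ports and timestamps are made up; only the hostnames and addresses come from the walkthrough.

```python
import csv, io, re
from datetime import datetime, timedelta, timezone

# Constructed rows in the column layout Gigasheet shows for a PCAP
# (frame.time_epoch, ip.src, ip.dst, info). Timestamps and ports are invented.
SAMPLE_CSV = """frame.time_epoch,ip.src,ip.dst,info
1432659600.0,172.16.254.130,172.16.254.128,Standard query 0x1a2b A www.harveycartel.org
1432659600.5,172.16.254.128,172.16.254.130,Standard query response 0x1a2b A www.harveycartel.org A 81.166.122.238 A 207.250.212.43
1432659601.0,172.16.254.130,81.166.122.238,GET /nv2/Nv2-PC.zip HTTP/1.1
1432659602.0,172.16.254.130,54.231.10.92,54012 → 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
1432659603.0,54.231.10.92,172.16.254.130,Application Data
"""

# CDT is UTC-5; a fixed offset avoids depending on the system's tz database.
CDT = timezone(timedelta(hours=-5), "CDT")

def epoch_to_cdt(epoch):
    """Equivalent of the 'Convert Unix time' step: epoch seconds -> ISO string in CDT."""
    return datetime.fromtimestamp(float(epoch), tz=CDT).isoformat(timespec="seconds")

def is_noise(info):
    """The INFO-column exclusions from the post: traffic on 443 and opaque TLS records."""
    return "443 →" in info or "→ 443" in info or "Application Data" in info

def load_rows(csv_text):
    """Parse the export, add the converted time column, and drop the noise rows."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["frame.time_epoch-CDT"] = epoch_to_cdt(r["frame.time_epoch"])
    return [r for r in rows if not is_noise(r["info"])]

DNS_ANSWER = re.compile(r"Standard query response \S+ A (\S+)((?: A \d{1,3}(?:\.\d{1,3}){3})+)")

def resolved_hosts(rows):
    """Map each IPv4 address in a DNS answer back to the hostname that was queried."""
    ip_to_host = {}
    for r in rows:
        m = DNS_ANSWER.match(r["info"])
        if m:
            for ip in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", m.group(2)):
                ip_to_host[ip] = m.group(1)
    return ip_to_host

def http_downloads(rows):
    """HTTP GETs as (time, client, server-name-or-IP, path), naming the server via DNS."""
    ip_to_host = resolved_hosts(rows)
    out = []
    for r in rows:
        if r["info"].startswith("GET "):
            path = r["info"].split()[1]
            out.append((r["frame.time_epoch-CDT"], r["ip.src"], ip_to_host.get(r["ip.dst"], r["ip.dst"]), path))
    return out
```

Calling `http_downloads(load_rows(SAMPLE_CSV))` on the sample returns the single GET for /nv2/Nv2-PC.zip attributed to www.harveycartel.org rather than to the bare address 81.166.122.238.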

We can now answer the second question:


Question 2: What method did the attacker use to infect the boss's computer? List the IP addresses.


The method appears to be a malicious program, likely a trojan. The IP addresses involved in this activity are 54.231.10.92, 81.166.122.238, and 207.250.212.43.


Continue the hunt with Part 2 of our three-part blog series.


You can do all of this for free. Get started today!
