//All_Encrypted
Flag: Vianu_CTF{heads_will_roll_for_this_one}
>TL;DR
This PCAP is a Wi‑Fi capture (802.11) containing WPA handshakes. After cracking the WPA PSK we can decrypt the wireless frames, revealing normal IP traffic including an unencrypted internal HTTP server hosting an encrypted ZIP. Cracking the ZIP password reveals an XLSX, and the flag is inside the XLSX’s XML strings.
The “layers of encryption” are literally stacked:
- WPA encryption on the Wi‑Fi
- A password‑protected ZIP delivered over HTTP
- XLSX itself is a ZIP container (not an extra password layer here, but another wrapper)
The hint “rockyou is not enough” is a nudge that you must do more than just throw rockyou at it; here we used targeted wordlists derived from context.
>Files
- captures.pcapng – the provided wireless capture
>Tools used
Already present / standard:
- tshark (Wireshark CLI)
- editcap (part of the Wireshark suite)
- unzip, zipinfo
- grep
- python3
Installed (needed)
I installed the following packages:
sudo apt-get update -y
sudo apt-get install -y hcxtools aircrack-ng
And used:
- hcxpcapngtool (from hcxtools) to extract WPA handshakes into hash formats
- aircrack-ng to crack the WPA passphrase
- fcrackzip (already available on the system) to crack the encrypted ZIP password
>Step 1 — Identify what kind of capture this is
First, I asked tshark for a protocol overview:
tshark -r captures.pcapng -q -z io,phs
The output shows:
- radiotap → wlan frames (lots of management frames)
- eapol
Why this matters:
- EAPOL in a Wi‑Fi capture usually means a WPA/WPA2 key exchange (4‑way handshake)
- If we can crack the WPA PSK, we can decrypt the rest of the capture and see the actual IP traffic (HTTP, DNS, etc.)
>Step 2 — Find the SSID and handshake participants
Extract SSIDs/BSSIDs from beacon frames:
tshark -r captures.pcapng -Y "wlan.fc.type_subtype==8" \
-T fields -e wlan.ssid -e wlan.bssid | sort -u
Among several SSIDs, the interesting one (challenge story) is:
- SSID: Greedstone Holdings
Then I looked at EAPOL frames to find which BSSID has a usable handshake:
tshark -r captures.pcapng -Y eapol -T fields -e frame.number -e wlan.sa -e wlan.da -e wlan.bssid | head
This revealed a handshake involving the AP:
- BSSID: 6e:b3:40:03:fd:99
>Step 3 — Convert to hash material and crack WPA (Layer 1)
To crack WPA you need a valid handshake. hcxtools can extract it:
hcxpcapngtool -o wifi.22000 captures.pcapng > hcx_extract.log 2>&1
This produced wifi.22000 with 2 handshakes.
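Before picking a BSSID for aircrack, it is worth checking which SSID and AP each extracted handshake actually belongs to. The following parser for the hashcat 22000 line format is an added example written for this writeup (it is not part of the original solution or of hcxtools); the sample records are constructed, with only the BSSID taken from the capture and all digests, nonces and EAPOL bytes as placeholder hex. The record layout it assumes is `WPA*TYPE*DIGEST*MAC_AP*MAC_CLIENT*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR`, with TYPE 01 for PMKID records and 02 for EAPOL (4‑way handshake) records.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def fmt_mac(hex12: str) -> str:
    """Turn 12 hex digits into the colon form tshark/aircrack print (6eb34003fd99 -> 6e:b3:40:03:fd:99)."""
    if not MAC_RE.match(hex12):
        raise ValueError(f"bad MAC field: {hex12!r}")
    return ":".join(hex12[i:i + 2] for i in range(0, 12, 2))


def parse_22000_line(line: str) -> dict:
    """Parse one hashcat 22000 record: WPA*TYPE*DIGEST*MAC_AP*MAC_CLIENT*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR.
    TYPE 01 is a PMKID record (last three fields empty); TYPE 02 is an EAPOL (4-way handshake) record."""
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA" or parts[1] not in ("01", "02"):
        raise ValueError(f"not a 22000 record: {line!r}")
    _, htype, digest, mac_ap, mac_client, essid_hex, anonce, eapol, msgpair = parts
    return {
        "type": "PMKID" if htype == "01" else "EAPOL",
        "digest": digest.lower(),
        "bssid": fmt_mac(mac_ap.lower()),
        "client": fmt_mac(mac_client.lower()),
        # ESSID is stored hex-encoded so that spaces and non-ASCII names survive the '*' separators
        "essid": bytes.fromhex(essid_hex).decode("utf-8", errors="replace"),
        "anonce": anonce.lower(),
        "eapol": eapol.lower(),
        "messagepair": msgpair.lower(),
    }


def summarize(lines) -> dict:
    """Count records per (ESSID, BSSID, type) so you can see which AP actually has a crackable handshake."""
    counts = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_22000_line(line)
        counts[(rec["essid"], rec["bssid"], rec["type"])] += 1
    return dict(counts)


# Constructed sample records (not the real wifi.22000): the BSSID is the one from the writeup,
# every digest, client MAC, nonce and EAPOL field is placeholder hex.
ESSID_HEX = "Greedstone Holdings".encode().hex()
SAMPLE_22000 = [
    f"WPA*02*{'11' * 16}*6eb34003fd99*a0b1c2d3e4f5*{ESSID_HEX}*{'22' * 32}*0103007502010a00{'33' * 8}*02",
    f"WPA*02*{'44' * 16}*6eb34003fd99*a0b1c2d3e4f6*{ESSID_HEX}*{'55' * 32}*0103007502010a00{'66' * 8}*02",
    f"WPA*01*{'77' * 16}*00112233aabb*a0b1c2d3e4f7*{'Other Net'.encode().hex()}***",
]

if __name__ == "__main__":
    for (essid, bssid, htype), n in summarize(SAMPLE_22000).items():
        print(f"{essid!r:24} {bssid} {htype:5} x{n}")
```

Run it against the real file with `summarize(open("wifi.22000"))`; the BSSID that shows EAPOL records for the target SSID is the one to pass to `aircrack-ng -b`.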
Why I didn’t just use rockyou
The hint says rockyou isn’t enough. Often the Wi‑Fi PSK is contextual (company name, year, simple suffix), and rockyou may not contain it.
So I generated a targeted wordlist from the scenario (company name + year + separators, a few leetspeak swaps):
python3 - <<'PY'
# (I generated a context-based list, including leetspeak variants)
# output: candidates2.txt
PY
Cracking approach
I originally tried hashcat, but in this environment it failed to compile the OpenCL kernel (CPU OpenCL issue). Instead of burning time debugging OpenCL, I switched to aircrack-ng (CPU-only) which is reliable for WPA dictionary attacks.
Aircrack expects a legacy pcap, so I converted the capture:
editcap -F pcap captures.pcapng captures.pcap
Then ran aircrack with the targeted list:
aircrack-ng -w candidates2.txt -b 6e:b3:40:03:fd:99 captures.pcap
Result:
- WPA key found: Greedstone123
Reasoning: Greedstone123 is exactly the “corporate password” style hinted by the story.
>Step 4 — Decrypt the capture and reveal HTTP traffic
With the WPA PSK, tshark can decrypt 802.11 frames.
Wireshark/tshark uses the wpa-pwd:passphrase:ssid format. In tshark, set it via the UAT key table:
tshark -r captures.pcapng \
-o wlan.enable_decryption:TRUE \
-o 'uat:80211_keys:"wpa-pwd","Greedstone123:Greedstone Holdings"' \
-q -z io,phs
Now higher-level protocols appear (ip, tcp, http, dns, tls, etc.).
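What tshark does with a `wpa-pwd` entry is derive the PMK from passphrase and SSID, which is why the SSID has to be part of the key string: the same passphrase on a differently named network gives a different PMK and the key entry would silently decrypt nothing. The derivation below is an added example (not from the writeup or from Wireshark) using only `hashlib`; it also emits the equivalent `wpa-psk` key entry, which carries the 64-hex PMK directly and avoids quoting problems with SSIDs that contain spaces. The known-answer vector for "password"/"IEEE" comes from the IEEE 802.11 standard.

```python
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK (the 256-bit PSK): PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 rounds, 32 bytes of output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def wpa_psk_uat_entry(passphrase: str, ssid: str) -> str:
    """Equivalent tshark key entry using the raw PMK ("wpa-psk" type, 64 hex chars)
    instead of the passphrase:ssid form."""
    return f'uat:80211_keys:"wpa-psk","{wpa_pmk(passphrase, ssid).hex()}"'


# Known-answer test from IEEE 802.11 (PSK derivation annex): passphrase "password", SSID "IEEE".
IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    assert wpa_pmk("password", "IEEE").hex() == IEEE_VECTOR
    print(wpa_psk_uat_entry("Greedstone123", "Greedstone Holdings"))
    # Same passphrase, different SSID: different PMK, so a key bound to the wrong SSID is useless
    print(wpa_pmk("Greedstone123", "Greedstone Holdings") != wpa_pmk("Greedstone123", "Greedstone"))
```

The 4096 PBKDF2 rounds are the only work factor protecting a WPA‑Personal passphrase; they slow a guess to well under a millisecond on a CPU, which is why a passphrase built from the company name and a short suffix falls to a small contextual list in seconds.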
To list HTTP requests:
tshark -r captures.pcapng \
-o wlan.enable_decryption:TRUE \
-o 'uat:80211_keys:"wpa-pwd","Greedstone123:Greedstone Holdings"' \
-Y http.request -T fields \
-e frame.number -e ip.src -e ip.dst -e http.host -e http.request.method -e http.request.uri
This showed an internal HTTP service (port 8000), including:
/getReport/report.zip
Why this is a big clue: the challenge description literally complains about internal HTTP being unencrypted. The capture confirming plaintext HTTP means we can recover the report content.
>Step 5 — Export HTTP objects (the report)
Tshark can export files transferred over HTTP:
mkdir -p exported
tshark -r captures.pcapng \
-o wlan.enable_decryption:TRUE \
-o 'uat:80211_keys:"wpa-pwd","Greedstone123:Greedstone Holdings"' \
--export-objects http,exported
This produced:
exported/report.zip
Inspect it:
file exported/report.zip
unzip -l exported/report.zip
zipinfo -v exported/report.zip | head -n 80
It contained one file, but it was encrypted:
Greedstone_Holdings_EOY_Report.xlsx (encrypted inside the ZIP)
So we’ve hit Layer 2: a password-protected ZIP.
>Step 6 — Find or crack the ZIP password (Layer 2)
There were no obvious hints in the exported directory listing HTML.
At this point, context strongly suggests a password like december2025 or a similar “month+year” phrase (the story demands “that december report” for 2025 finances).
So I built another targeted list and used fcrackzip:
python3 - <<'PY'
# generate zip_candidates.txt from context words (December, 2025, report, etc.)
PY
fcrackzip -D -p zip_candidates.txt -u exported/report.zip
Result:
- ZIP password found: december2025
Extract with the recovered password:
mkdir -p extracted
unzip -P 'december2025' -o exported/report.zip -d extracted
Now we have:
extracted/Greedstone_Holdings_EOY_Report.xlsx
>Step 7 — Extract the flag from the XLSX (wrapper layer)
An .xlsx file is itself a ZIP of XML documents. Unpack it:
mkdir -p xlsx
unzip -o extracted/Greedstone_Holdings_EOY_Report.xlsx -d xlsx
Search for the flag format:
grep -R "Vianu_CTF{" -n xlsx
Found in xl/sharedStrings.xml:
Vianu_CTF{heads_will_roll_for_this_one}
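`grep -R` over the unpacked directory works because the workbook's text lives in plain XML, but it only sees what happens to be on one line. The script below is an added example (not part of the writeup) that walks the XLSX container directly with `zipfile` and `xml.etree`, pulling every `<t>` text run from `xl/sharedStrings.xml` (plain and rich-text shared strings) and from the sheet XML (inline strings), then matching the flag format; it also refuses members whose ZIP encryption flag is set, so it fails loudly on a still-encrypted container. The sample workbook it builds is constructed and its flag value is a placeholder, not the challenge's.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace; both sharedStrings.xml and worksheet XML use it
SML_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
FLAG_RE = re.compile(r"Vianu_CTF\{[^}]*\}")


def xlsx_text_runs(xlsx_bytes: bytes):
    """Yield (member, text) for every <t> run in the workbook's XML parts under xl/."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if not (info.filename.startswith("xl/") and info.filename.endswith(".xml")):
                continue
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                raise ValueError(f"{info.filename} is encrypted; extract with the password first")
            root = ET.fromstring(zf.read(info.filename))
            for t in root.iter(SML_NS + "t"):  # recurses into <si><r><t> and <is><t>
                if t.text:
                    yield info.filename, t.text


def find_flags(xlsx_bytes: bytes):
    """Return [(member, flag)] for every flag-shaped string in the workbook."""
    return [(member, m) for member, text in xlsx_text_runs(xlsx_bytes) for m in FLAG_RE.findall(text)]


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook (not the challenge file); the flag here is a placeholder."""
    shared = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
              '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="3" uniqueCount="3">'
              '<si><t>Revenue</t></si>'
              '<si><r><t>Note: </t></r><r><t>Vianu_CTF{constructed_placeholder}</t></r></si>'
              '<si><t>Q4</t></si></sst>')
    sheet = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
             '<sheetData><row r="1"><c r="A1" t="s"><v>0</v></c>'
             '<c r="B1" t="inlineStr"><is><t>inline cell</t></is></c></row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/sharedStrings.xml", shared)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for member, flag in find_flags(build_sample_xlsx()):
        print(f"{member}: {flag}")
```

On the real file, `find_flags(open("extracted/Greedstone_Holdings_EOY_Report.xlsx", "rb").read())` reports the member the string came from, which matches the `xl/sharedStrings.xml` hit from grep.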
>Why this solution path makes sense
1) The capture was clearly Wi‑Fi + WPA
Protocol hierarchy showed 802.11 frames + EAPOL → classic WPA handshake workflow.
2) The story explicitly hints “unencrypted internal HTTP”
Once Wi‑Fi is decrypted, we expect plaintext HTTP objects to be recoverable.
3) “rockyou is not enough” signals targeted passwords
Both the WPA PSK and the ZIP password are extremely guessable from story context, but not guaranteed to be in rockyou. The best strategy is to generate a smart wordlist and crack quickly.
4) Multiple encryption layers are the entire theme
WPA → HTTP download → encrypted ZIP → XLSX container. Each step reveals the next.
>References
- Wireshark User’s Guide – IEEE 802.11 / WLAN decryption (WPA passphrase format wpa-pwd:passphrase:ssid): https://www.wireshark.org/docs/
- hcxtools (hcxpcapngtool / 22000 format): https://github.com/ZerBea/hcxtools
- Aircrack-ng documentation: https://www.aircrack-ng.org/documentation.html
- fcrackzip usage: https://manpages.ubuntu.com/manpages/jammy/en/man1/fcrackzip.1.html
>Repro commands (clean summary)
# 1) Identify it’s WiFi + WPA
tshark -r captures.pcapng -q -z io,phs
# 2) Find SSID and confirm EAPOL exists
tshark -r captures.pcapng -Y "wlan.fc.type_subtype==8" -T fields -e wlan.ssid -e wlan.bssid | sort -u
# 3) Extract WPA hashes
hcxpcapngtool -o wifi.22000 captures.pcapng
# 4) Convert for aircrack
editcap -F pcap captures.pcapng captures.pcap
# 5) Crack WPA (use a targeted wordlist)
aircrack-ng -w candidates2.txt -b 6e:b3:40:03:fd:99 captures.pcap
# WPA key: Greedstone123
# 6) Decrypt + export HTTP objects
mkdir -p exported
tshark -r captures.pcapng -o wlan.enable_decryption:TRUE \
-o 'uat:80211_keys:"wpa-pwd","Greedstone123:Greedstone Holdings"' \
--export-objects http,exported
# 7) Crack ZIP password
fcrackzip -D -p zip_candidates.txt -u exported/report.zip
# ZIP password: december2025
# 8) Extract ZIP and locate flag in XLSX XML
mkdir -p extracted xlsx
unzip -P 'december2025' -o exported/report.zip -d extracted
unzip -o extracted/Greedstone_Holdings_EOY_Report.xlsx -d xlsx
grep -R "Vianu_CTF{" -n xlsx