FDCA Xmas 2024 Day 24 - Ragnarok et al.
Challenge Description
Danish (original)
Efter alt den hjælp vi har fået har FDCA’s SPECOPS endelig kunne trævle gennem nok af jættenettet og fået adgang til en service vi forventer kan se fremtiden. En digitalisering af Mimir’s eksistens. Ja, Odin fortæller os ligefrem, at den har svaret på livet, universet og alting.
Vi har dog noget svært ved at kommunikere med den. Den taler ikke samme sprog som os og snakker bare om “Magiske sekvenser”. Vi har derfor brug for at du finder ud af hvordan du kan kommunikere med den, og derefter skal du finde ud af, hvordan ragnarok vil starte så vi kan forhindre det en gang for alle.
English (from ChatGPT)
After all the help we’ve received, FDCA’s SPECOPS has finally been able to sift through enough of the giant network and gained access to a service we expect can foresee the future. A digitization of Mimir’s existence. Yes, Odin even tells us that it has the answer to life, the universe, and everything.
However, we have some difficulty communicating with it. It doesn’t speak the same language as us and just keeps talking about ‘Magical sequences.’ Therefore, we need you to figure out how to communicate with it, and then you need to find out how Ragnarok will begin so we can prevent it once and for all.
Solution
General note: the session can easily hang; if it does, press CTRL-C and connect again.
Snorting out the sequence
We are given the domain and port combo ragnarok.jættenettet.dk 42; connecting to it using nc we get:
$ nc ragnarok.jættenettet.dk 42
You are now communicating with Mimir's magic sequence SNORT'er, version 2.9.20.
The gateway for puny minds to fathom a small part of the infinite future.
###############################################################################
Please input your magical sequence:
>>>
From the banner we can deduce that this is Snort, and, as I found out by entering var test test and getting Unknown rule type: var back, the "magical sequences" it expects are Snort rules. Section 3 of the Snort user manual gives the rule syntax.
Giant’s guide
So let's try to find something to get a foothold on the situation; let's search for ragnarok in TCP packets:
Please input your magical sequence:
>>> alert tcp any any -> any any (content:"ragnarok"; sid:1)
Sequence recieved. Validating magic sequence...
Validation succeeded. Beginning sequencing of your submission...
SNORT'er finished with the following results:
12/24-15:00:10.995364 [**] [1:1:0] [**] [Priority: 0] {TCP} 0.0.0.0:60842 -> 76.123.42.19:80
12/24-15:00:10.995364 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xA6
0.0.0.0:60842 -> 76.123.42.19:80 TCP TTL:64 TOS:0x0 ID:4638 IpLen:20 DgmLen:152 DF
***AP*** Seq: 0x7941BC2F Ack: 0xED3C7DAE Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 4053075816 1122287092
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 98 12 1E 40 00 40 06 B1 B4 00 00 00 00 4C 7B ....@.@.......L{
0x0020: 2A 13 ED AA 00 50 79 41 BC 2F ED 3C 7D AE 80 18 *....PyA./.<}...
0x0030: 02 00 E0 4F 00 00 01 01 08 0A F1 95 07 68 42 E4 ...O.........hB.
0x0040: BD F4 47 45 54 20 2F 72 61 67 6E 61 72 6F 6B 5F ..GET /ragnarok_
0x0050: 67 75 69 64 65 2E 68 74 6D 6C 20 48 54 54 50 2F guide.html HTTP/
0x0060: 31 2E 31 0D 0A 48 6F 73 74 3A 20 6A 61 65 74 74 1.1..Host: jaett
0x0070: 65 67 75 69 64 65 2E 6F 6E 6C 69 6E 65 0D 0A 55 eguide.online..U
0x0080: 73 65 72 2D 41 67 65 6E 74 3A 20 63 75 72 6C 2F ser-Agent: curl/
0x0090: 38 2E 35 2E 30 0D 0A 41 63 63 65 70 74 3A 20 2A 8.5.0..Accept: *
0x00A0: 2F 2A 0D 0A 0D 0A /*....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:11.015369 [**] [1:1:0] [**] [Priority: 0] {TCP} 76.123.42.19:80 -> 0.0.0.0:60842
12/24-15:00:11.015369 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x261
76.123.42.19:80 -> 0.0.0.0:60842 TCP TTL:64 TOS:0x0 ID:859 IpLen:20 DgmLen:595 DF
***AP*** Seq: 0xED3C7DAE Ack: 0x7941BC93 Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1122287112 4053075816
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 02 53 03 5B 40 00 40 06 BE BC 4C 7B 2A 13 00 00 .S.[@.@...L{*...
0x0020: 00 00 00 50 ED AA ED 3C 7D AE 79 41 BC 93 80 18 ...P...<}.yA....
0x0030: 02 00 A7 7B 00 00 01 01 08 0A 42 E4 BE 08 F1 95 ...{......B.....
0x0040: 07 68 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F .hHTTP/1.1 200 O
0x0050: 4B 0D 0A 44 61 74 65 3A 20 54 75 65 2C 20 32 34 K..Date: Tue, 24
0x0060: 20 44 65 63 20 32 30 32 34 20 31 35 3A 30 30 3A Dec 2024 15:00:
0x0070: 31 31 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 11 GMT..Content-
0x0080: 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 0D Type: text/html.
0x0090: 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 43 6C 6F .Connection: Clo
0x00A0: 73 65 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 se..Content-Leng
0x00B0: 74 68 3A 20 33 39 39 0D 0A 53 65 72 76 65 72 3A th: 399..Server:
0x00C0: 20 44 69 70 20 49 6E 74 6F 20 54 69 6D 65 0D 0A Dip Into Time..
0x00D0: 0D 0A 3C 68 74 6D 6C 3E 0A 20 20 3C 68 65 61 64 ..<html>. <head
0x00E0: 3E 0A 20 20 09 3C 74 69 74 6C 65 3E 54 68 65 20 >. .<title>The
0x00F0: 6C 61 6E 64 69 6E 67 20 6F 66 20 74 68 65 20 4A landing of the J
0x0100: 61 65 74 74 65 20 47 75 69 64 65 20 4F 6E 6C 69 aette Guide Onli
0x0110: 6E 65 20 76 65 72 73 69 6F 6E 2E 3C 2F 74 69 74 ne version.</tit
0x0120: 6C 65 3E 0A 20 20 3C 2F 68 65 61 64 3E 0A 20 20 le>. </head>.
0x0130: 3C 62 6F 64 79 3E 0A 20 20 20 20 3C 70 3E 3C 2F <body>. <p></
0x0140: 70 3E 0A 20 20 20 20 3C 70 20 61 6C 69 67 6E 3D p>. <p align=
0x0150: 22 63 65 6E 74 65 72 22 3E 54 68 69 73 20 69 73 "center">This is
0x0160: 20 74 68 65 20 6C 61 74 65 73 74 20 67 75 69 64 the latest guid
0x0170: 65 20 66 6F 72 20 4A 61 65 74 74 65 72 20 74 6F e for Jaetter to
0x0180: 20 73 68 61 72 65 20 70 6C 61 6E 73 20 66 6F 72 share plans for
0x0190: 20 72 61 67 6E 61 72 6F 6B 2E 3C 2F 70 3E 0A 20 ragnarok.</p>.
0x01A0: 20 20 20 3C 70 20 61 6C 69 67 6E 3D 22 63 65 6E <p align="cen
0x01B0: 74 65 72 22 3E 6D 6F 72 65 20 64 65 74 61 69 6C ter">more detail
0x01C0: 73 20 63 61 6E 20 62 65 20 66 6F 75 6E 64 20 61 s can be found a
0x01D0: 74 20 3C 61 20 68 72 65 66 3D 2F 70 6C 61 6E 73 t <a href=/plans
0x01E0: 2E 74 78 74 3E 64 61 72 6B 20 70 6C 61 6E 73 3C .txt>dark plans<
0x01F0: 2F 61 3E 3C 2F 70 3E 0A 20 20 20 20 3C 70 20 61 /a></p>. <p a
0x0200: 6C 69 67 6E 3D 22 63 65 6E 74 65 72 22 3E 49 66 lign="center">If
0x0210: 20 79 6F 75 20 68 61 76 65 20 70 72 6F 62 6C 65 you have proble
0x0220: 6D 20 70 6C 65 61 73 65 20 6C 65 74 20 74 68 65 m please let the
0x0230: 6D 20 62 65 20 6B 6E 6F 77 6E 20 74 6F 20 68 65 m be known to he
0x0240: 6C 68 69 65 6D 2E 3C 2F 61 3E 3C 2F 70 3E 0A 20 lhiem.</a></p>.
0x0250: 20 3C 2F 62 6F 64 79 3E 0A 3C 2F 68 74 6D 6C 3E </body>.</html>
0x0260: 0A .
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
We get part of an HTTP session in which someone visited http://jaetteguide.online/ragnarok_guide.html and was served a page with a link to http://jaetteguide.online/plans.txt. We now know that jaetteguide.online = 76.123.42.19.
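Reading the payload out of the ASCII column works for one packet, but it gets tedious once you are chasing a session across several alerts. The following is an added example (not part of the original writeup or of Snort itself) that rebuilds the raw frame from the hex dump format shown above, strips the Ethernet, IPv4 and TCP/UDP headers using the length fields in the headers themselves (the TCP header here is 32 bytes because of the timestamp option), and returns the application payload together with the 5-tuple. The sample dump is the GET /ragnarok_guide.html request packet copied from above; the function names are the example's own.

```python
import re

# Constructed from the first packet dump shown above (the GET /ragnarok_guide.html
# request). Only the "0xNNNN:" hex lines are used; the ASCII column is ignored.
SNORT_DUMP = """\
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 98 12 1E 40 00 40 06 B1 B4 00 00 00 00 4C 7B ....@.@.......L{
0x0020: 2A 13 ED AA 00 50 79 41 BC 2F ED 3C 7D AE 80 18 *....PyA./.<}...
0x0030: 02 00 E0 4F 00 00 01 01 08 0A F1 95 07 68 42 E4 ...O.........hB.
0x0040: BD F4 47 45 54 20 2F 72 61 67 6E 61 72 6F 6B 5F ..GET /ragnarok_
0x0050: 67 75 69 64 65 2E 68 74 6D 6C 20 48 54 54 50 2F guide.html HTTP/
0x0060: 31 2E 31 0D 0A 48 6F 73 74 3A 20 6A 61 65 74 74 1.1..Host: jaett
0x0070: 65 67 75 69 64 65 2E 6F 6E 6C 69 6E 65 0D 0A 55 eguide.online..U
0x0080: 73 65 72 2D 41 67 65 6E 74 3A 20 63 75 72 6C 2F ser-Agent: curl/
0x0090: 38 2E 35 2E 30 0D 0A 41 63 63 65 70 74 3A 20 2A 8.5.0..Accept: *
0x00A0: 2F 2A 0D 0A 0D 0A /*....
"""

HEX_LINE = re.compile(r"^\s*0x[0-9A-Fa-f]+:\s*(.*)$")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw frame from Snort's 16-bytes-per-line hex dump.

    Tokens are consumed left to right until one is not exactly two hex digits
    (the start of the ASCII column) or 16 bytes have been read. Caveat: a short
    final line whose ASCII column begins with two hex-looking characters would
    fool this; Snort's fixed column alignment, lost here in copy-paste, is what
    normally keeps the two columns apart.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        for count, tok in enumerate(m.group(1).split()):
            if count == 16 or not HEX_BYTE.fullmatch(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def extract_payload(frame: bytes) -> dict:
    """Strip Ethernet II, IPv4 and TCP/UDP headers using the header length fields
    (not fixed sizes) and return the L4 payload plus addresses and ports."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    total_len = int.from_bytes(frame[ip + 2:ip + 4], "big")
    proto = frame[ip + 9]
    src = ".".join(str(b) for b in frame[ip + 12:ip + 16])
    dst = ".".join(str(b) for b in frame[ip + 16:ip + 20])
    l4 = ip + ihl
    sport = int.from_bytes(frame[l4:l4 + 2], "big")
    dport = int.from_bytes(frame[l4 + 2:l4 + 4], "big")
    if proto == 6:  # TCP: data offset is the high nibble of byte 12, in 32-bit words
        name, hdr_len = "TCP", (frame[l4 + 12] >> 4) * 4
    elif proto == 17:  # UDP: fixed 8-byte header
        name, hdr_len = "UDP", 8
    else:
        raise ValueError(f"unsupported IP protocol {proto}")
    payload = frame[l4 + hdr_len:ip + total_len]  # IP total length bounds the payload
    return {"proto": name, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "payload": payload}


def http_request_line(payload: bytes):
    """Return (method, target, version) if the payload starts with an HTTP request line."""
    first, _, _ = payload.partition(b"\r\n")
    parts = first.decode("ascii", "replace").split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        return tuple(parts)
    return None


if __name__ == "__main__":
    pkt = extract_payload(hexdump_to_bytes(SNORT_DUMP))
    print(pkt["proto"], pkt["src"], "->", pkt["dst"])
    print(pkt["payload"].decode("ascii", "replace"))
```

Pasting the response packet's dump in place of SNORT_DUMP yields the HTML body the same way, and the src/dst pairs are what you key on to pair a request with its response, as the writeup does below with the client port.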
Let's get more of this session by finding the HTTP request for /plans.txt, and then use the client port number from that request to find the response:
Please input your magical sequence:
>>> alert tcp any any -> 76.123.42.19 80 (content:"plans.txt"; sid:1)
Sequence recieved. Validating magic sequence...
Validation succeeded. Beginning sequencing of your submission...
SNORT'er finished with the following results:
12/24-15:00:14.155248 [**] [1:1:0] [**] [Priority: 0] {TCP} 0.0.0.0:60906 -> 76.123.42.19:80
12/24-15:00:14.155248 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x9C
0.0.0.0:60906 -> 76.123.42.19:80 TCP TTL:64 TOS:0x0 ID:1434 IpLen:20 DgmLen:142 DF
***AP*** Seq: 0x74DAA468 Ack: 0x65281863 Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 4053078976 1122290252
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 8E 05 9A 40 00 40 06 BE 42 00 00 00 00 4C 7B ....@.@..B....L{
0x0020: 2A 13 ED EA 00 50 74 DA A4 68 65 28 18 63 80 18 *....Pt..he(.c..
0x0030: 02 00 08 BD 00 00 01 01 08 0A F1 95 13 C0 42 E4 ..............B.
0x0040: CA 4C 47 45 54 20 2F 70 6C 61 6E 73 2E 74 78 74 .LGET /plans.txt
0x0050: 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A HTTP/1.1..Host:
0x0060: 20 6A 61 65 74 74 65 67 75 69 64 65 2E 6F 6E 6C jaetteguide.onl
0x0070: 69 6E 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A ine..User-Agent:
0x0080: 20 63 75 72 6C 2F 38 2E 35 2E 30 0D 0A 41 63 63 curl/8.5.0..Acc
0x0090: 65 70 74 3A 20 2A 2F 2A 0D 0A 0D 0A ept: */*....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Please input your magical sequence:
>>> alert tcp 76.123.42.19 80 -> 0.0.0.0 60906
Sequence recieved. Validating magic sequence...
Validation succeeded. Beginning sequencing of your submission...
SNORT'er finished with the following results:
12/24-15:00:14.155114 [**] [1:0:0] [**] [Priority: 0] {TCP} 76.123.42.19:80 -> 0.0.0.0:60906
12/24-15:00:14.155114 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x4A
76.123.42.19:80 -> 0.0.0.0:60906 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x65281862 Ack: 0x74DAA468 Win: 0xFFCB TcpLen: 40
TCP Options (5) => MSS: 65495 SackOK TS: 1122290252 4053078976 NOP WS: 7
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 3C 00 00 40 00 40 06 C4 2E 4C 7B 2A 13 00 00 .<..@.@...L{*...
0x0020: 00 00 00 50 ED EA 65 28 18 62 74 DA A4 68 A0 12 ...P..e(.bt..h..
0x0030: FF CB 3F E3 00 00 02 04 FF D7 04 02 08 0A 42 E4 ..?...........B.
0x0040: CA 4C F1 95 13 C0 01 03 03 07 .L........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:14.155256 [**] [1:0:0] [**] [Priority: 0] {TCP} 76.123.42.19:80 -> 0.0.0.0:60906
12/24-15:00:14.155256 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x42
76.123.42.19:80 -> 0.0.0.0:60906 TCP TTL:64 TOS:0x0 ID:62995 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x65281863 Ack: 0x74DAA4C2 Win: 0x1FF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1122290252 4053078976
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 34 F6 13 40 00 40 06 CE 22 4C 7B 2A 13 00 00 .4..@.@.."L{*...
0x0020: 00 00 00 50 ED EA 65 28 18 63 74 DA A4 C2 80 10 ...P..e(.ct.....
0x0030: 01 FF 66 46 00 00 01 01 08 0A 42 E4 CA 4C F1 95 ..fF......B..L..
0x0040: 13 C0 ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:14.178153 [**] [1:0:0] [**] [Priority: 0] {TCP} 76.123.42.19:80 -> 0.0.0.0:60906
12/24-15:00:14.178153 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x19C
76.123.42.19:80 -> 0.0.0.0:60906 TCP TTL:64 TOS:0x0 ID:62996 IpLen:20 DgmLen:398 DF
***AP*** Seq: 0x65281863 Ack: 0x74DAA4C2 Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1122290275 4053078976
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 01 8E F6 14 40 00 40 06 CC C7 4C 7B 2A 13 00 00 ....@.@...L{*...
0x0020: 00 00 00 50 ED EA 65 28 18 63 74 DA A4 C2 80 18 ...P..e(.ct.....
0x0030: 02 00 12 67 00 00 01 01 08 0A 42 E4 CA 63 F1 95 ...g......B..c..
0x0040: 13 C0 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F ..HTTP/1.1 200 O
0x0050: 4B 0D 0A 44 61 74 65 3A 20 54 75 65 2C 20 32 34 K..Date: Tue, 24
0x0060: 20 44 65 63 20 32 30 32 34 20 31 35 3A 30 30 3A Dec 2024 15:00:
0x0070: 31 34 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 14 GMT..Content-
0x0080: 54 79 70 65 3A 20 74 65 78 74 2F 70 6C 61 69 6E Type: text/plain
0x0090: 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 43 6C ..Connection: Cl
0x00A0: 6F 73 65 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E ose..Content-Len
0x00B0: 67 74 68 3A 20 32 30 31 0D 0A 53 65 72 76 65 72 gth: 201..Server
0x00C0: 3A 20 44 69 70 20 49 6E 74 6F 20 54 69 6D 65 0D : Dip Into Time.
0x00D0: 0A 0D 0A 54 68 65 20 67 72 65 61 74 20 52 C3 A1 ...The great R..
0x00E0: 67 6E 61 72 C3 B5 6B 20 77 69 6C 6C 20 68 61 70 gnar..k will hap
0x00F0: 70 65 6E 20 74 68 65 20 32 34 74 68 20 64 61 79 pen the 24th day
0x0100: 20 6F 66 20 74 68 65 20 6C 61 73 74 20 6D 6F 6E of the last mon
0x0110: 74 68 20 6F 66 20 74 68 65 20 32 34 74 68 20 79 th of the 24th y
0x0120: 65 61 72 20 6F 66 20 74 68 65 20 32 74 68 20 6D ear of the 2th m
0x0130: 69 6C 6C 65 6E 6E 69 61 2E 0A 50 6C 65 61 73 65 illennia..Please
0x0140: 20 73 65 6E 64 20 61 6E 79 20 66 75 72 74 68 65 send any furthe
0x0150: 72 20 63 6F 6D 6D 75 6E 69 63 61 74 69 6F 6E 20 r communication
0x0160: 74 6F 20 63 6F 6D 6D 75 6E 65 2E 68 65 6C 68 69 to commune.helhi
0x0170: 65 6D 20 66 6F 72 20 66 75 72 74 68 65 72 20 63 em for further c
0x0180: 6F 6F 72 64 69 6E 61 74 69 6F 6E 20 61 6E 64 20 oordination and
0x0190: 71 75 65 73 74 69 6F 6E 73 2E 0A 0A questions...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:14.181339 [**] [1:0:0] [**] [Priority: 0] {TCP} 76.123.42.19:80 -> 0.0.0.0:60906
12/24-15:00:14.181339 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x42
76.123.42.19:80 -> 0.0.0.0:60906 TCP TTL:64 TOS:0x0 ID:62997 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x652819BD Ack: 0x74DAA4C3 Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1122290278 4053078999
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 34 F6 15 40 00 40 06 CE 20 4C 7B 2A 13 00 00 .4..@.@.. L{*...
0x0020: 00 00 00 50 ED EA 65 28 19 BD 74 DA A4 C3 80 11 ...P..e(..t.....
0x0030: 02 00 64 B8 00 00 01 01 08 0A 42 E4 CA 66 F1 95 ..d.......B..f..
0x0040: 13 D7 ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Looking at the response we see that we are referred to commune.helhiem.
Where the Giants commune
Let's find the IP address for commune.helhiem by looking for DNS requests:
Please input your magical sequence:
>>> alert udp any any -> any any (content:"commune"; sid:1)
Sequence recieved. Validating magic sequence...
Validation succeeded. Beginning sequencing of your submission...
SNORT'er finished with the following results:
12/24-15:00:19.953618 [**] [1:1:0] [**] [Priority: 0] {UDP} 0.0.0.0:45595 -> 53.255.255.35:53
12/24-15:00:19.953618 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x62
0.0.0.0:45595 -> 53.255.255.35:53 UDP TTL:64 TOS:0x0 ID:11132 IpLen:20 DgmLen:84
Len: 56
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 54 2B 7C 00 00 40 11 19 FB 00 00 00 00 35 FF .T+|..@.......5.
0x0020: FF 23 B2 1B 00 35 00 40 C4 F2 B2 6A 01 20 00 01 .#...5.@...j. ..
0x0030: 00 00 00 00 00 01 07 63 6F 6D 6D 75 6E 65 07 68 .......commune.h
0x0040: 65 6C 68 69 65 6D 00 00 01 00 01 00 00 29 04 D0 elhiem.......)..
0x0050: 00 00 00 00 00 0C 00 0A 00 08 05 C1 34 1D E7 7A ............4..z
0x0060: E9 B4 ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:19.963686 [**] [1:1:0] [**] [Priority: 0] {UDP} 53.255.255.35:53 -> 0.0.0.0:45595
12/24-15:00:19.963686 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x5B
53.255.255.35:53 -> 0.0.0.0:45595 UDP TTL:64 TOS:0x0 ID:51277 IpLen:20 DgmLen:77 DF
Len: 49
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 4D C8 4D 40 00 40 11 3D 30 35 FF FF 23 00 00 .M.M@.@.=05..#..
0x0020: 00 00 00 35 B2 1B 00 39 2E 77 B2 6A 85 00 00 01 ...5...9.w.j....
0x0030: 00 01 00 00 00 00 07 63 6F 6D 6D 75 6E 65 07 68 .......commune.h
0x0040: 65 6C 68 69 65 6D 00 00 01 00 01 C0 0C 00 01 00 elhiem..........
0x0050: 01 00 00 0E 10 00 04 FF FF FF FF ...........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
The second packet is the response; the last 4 bytes of its payload are the A record's IP address, in this case 255.255.255.255, the local broadcast address. Let's look at traffic to and from that address (note: only UDP is possible, since it is broadcast):
Please input your magical sequence:
>>> alert udp any any <> 255.255.255.255 any
Sequence recieved. Validating magic sequence...
Validation succeeded. Beginning sequencing of your submission...
SNORT'er finished with the following results:
12/24-15:00:09.650083 [**] [1:0:0] [**] [Priority: 0] {UDP} 0.0.0.0:49441 -> 255.255.255.255:514
12/24-15:00:09.650083 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xAA
0.0.0.0:49441 -> 255.255.255.255:514 UDP TTL:64 TOS:0x0 ID:18382 IpLen:20 DgmLen:156 DF
Len: 128
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 9C 47 CE 40 00 40 11 F2 83 00 00 00 00 FF FF ..G.@.@.........
0x0020: FF FF C1 21 02 02 00 88 C1 8A 3C 31 33 3E 31 20 ...!......<13>1
0x0030: 32 30 32 34 2D 31 32 2D 32 34 54 31 36 3A 30 30 2024-12-24T16:00
0x0040: 3A 30 39 2E 36 35 30 30 30 34 2B 30 31 3A 30 30 :09.650004+01:00
0x0050: 20 4D 75 73 70 65 6C 68 69 65 6D 20 66 65 6E 72 Muspelhiem fenr
0x0060: 69 72 20 2D 20 2D 20 5B 74 69 6D 65 51 75 61 6C ir - - [timeQual
0x0070: 69 74 79 20 74 7A 4B 6E 6F 77 6E 3D 22 31 22 20 ity tzKnown="1"
0x0080: 69 73 53 79 6E 63 65 64 3D 22 30 22 5D 20 53 75 isSynced="0"] Su
0x0090: 72 74 72 20 68 61 73 20 69 6E 74 65 72 65 73 74 rtr has interest
0x00A0: 69 6E 67 20 70 6F 69 6E 74 73 ing points
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:21.010607 [**] [1:0:0] [**] [Priority: 0] {UDP} 0.0.0.0:59858 -> 255.255.255.255:514
12/24-15:00:21.010607 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xA5
0.0.0.0:59858 -> 255.255.255.255:514 UDP TTL:64 TOS:0x0 ID:42167 IpLen:20 DgmLen:151 DF
Len: 123
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 97 A4 B7 40 00 40 11 95 9F 00 00 00 00 FF FF ....@.@.........
0x0020: FF FF E9 D2 02 02 00 83 17 20 3C 31 33 3E 31 20 ......... <13>1
0x0030: 32 30 32 34 2D 31 32 2D 32 34 54 31 36 3A 30 30 2024-12-24T16:00
0x0040: 3A 32 31 2E 30 31 30 35 32 37 2B 30 31 3A 30 30 :21.010527+01:00
0x0050: 20 4D 75 73 70 65 6C 68 69 65 6D 20 53 75 72 74 Muspelhiem Surt
0x0060: 72 20 2D 20 2D 20 5B 74 69 6D 65 51 75 61 6C 69 r - - [timeQuali
0x0070: 74 79 20 74 7A 4B 6E 6F 77 6E 3D 22 31 22 20 69 ty tzKnown="1" i
0x0080: 73 53 79 6E 63 65 64 3D 22 30 22 5D 20 54 68 69 sSynced="0"] Thi
0x0090: 73 20 68 6F 77 20 69 74 73 20 64 6F 6E 65 20 72 s how its done r
0x00A0: 69 67 68 74 3F ight?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:22.016927 [**] [1:0:0] [**] [Priority: 0] {UDP} 0.0.0.0:52152 -> 255.255.255.255:514
12/24-15:00:22.016927 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xA8
0.0.0.0:52152 -> 255.255.255.255:514 UDP TTL:64 TOS:0x0 ID:48075 IpLen:20 DgmLen:154 DF
Len: 126
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 9A BB CB 40 00 40 11 7E 88 00 00 00 00 FF FF ....@.@.~.......
0x0020: FF FF CB B8 02 02 00 86 23 D1 3C 31 33 3E 31 20 ........#.<13>1
0x0030: 32 30 32 34 2D 31 32 2D 32 34 54 31 36 3A 30 30 2024-12-24T16:00
0x0040: 3A 32 32 2E 30 31 36 38 31 37 2B 30 31 3A 30 30 :22.016817+01:00
0x0050: 20 4D 75 73 70 65 6C 68 69 65 6D 20 53 75 72 74 Muspelhiem Surt
0x0060: 72 20 2D 20 2D 20 5B 74 69 6D 65 51 75 61 6C 69 r - - [timeQuali
0x0070: 74 79 20 74 7A 4B 6E 6F 77 6E 3D 22 31 22 20 69 ty tzKnown="1" i
0x0080: 73 53 79 6E 63 65 64 3D 22 30 22 5D 20 49 27 6C sSynced="0"] I'l
0x0090: 6C 20 74 61 6B 65 20 73 69 6C 65 6E 63 65 20 61 l take silence a
0x00A0: 73 20 61 20 79 65 73 2E s a yes.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:24.150709 [**] [1:0:0] [**] [Priority: 0] {UDP} 0.0.0.0:36196 -> 255.255.255.255:514
12/24-15:00:24.150709 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xB8
0.0.0.0:36196 -> 255.255.255.255:514 UDP TTL:64 TOS:0x0 ID:42611 IpLen:20 DgmLen:170 DF
Len: 142
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 AA A6 73 40 00 40 11 93 D0 00 00 00 00 FF FF ...s@.@.........
0x0020: FF FF 8D 64 02 02 00 96 40 9C 3C 31 33 3E 31 20 ...d....@.<13>1
0x0030: 32 30 32 34 2D 31 32 2D 32 34 54 31 36 3A 30 30 2024-12-24T16:00
0x0040: 3A 32 34 2E 31 35 30 36 33 37 2B 30 31 3A 30 30 :24.150637+01:00
0x0050: 20 4D 75 73 70 65 6C 68 69 65 6D 20 53 75 72 74 Muspelhiem Surt
0x0060: 72 20 2D 20 2D 20 5B 74 69 6D 65 51 75 61 6C 69 r - - [timeQuali
0x0070: 74 79 20 74 7A 4B 6E 6F 77 6E 3D 22 31 22 20 69 ty tzKnown="1" i
0x0080: 73 53 79 6E 63 65 64 3D 22 30 22 5D 20 4D 75 73 sSynced="0"] Mus
0x0090: 70 65 6C 68 69 65 6D 20 69 73 20 70 72 65 70 61 pelhiem is prepa
0x00A0: 72 65 64 2C 20 74 68 65 20 67 6F 64 73 20 77 69 red, the gods wi
0x00B0: 6C 6C 20 66 61 6C 6C 2E ll fall.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:28.351521 [**] [1:0:0] [**] [Priority: 0] {UDP} 0.0.0.0:38287 -> 255.255.255.255:514
12/24-15:00:28.351521 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xBB
0.0.0.0:38287 -> 255.255.255.255:514 UDP TTL:64 TOS:0x0 ID:28571 IpLen:20 DgmLen:173 DF
Len: 145
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 AD 6F 9B 40 00 40 11 CA A5 00 00 00 00 FF FF ..o.@.@.........
0x0020: FF FF 95 8F 02 02 00 99 CB E1 3C 31 33 3E 31 20 ..........<13>1
0x0030: 32 30 32 34 2D 31 32 2D 32 34 54 31 36 3A 30 30 2024-12-24T16:00
0x0040: 3A 32 38 2E 33 35 31 34 33 37 2B 30 31 3A 30 30 :28.351437+01:00
0x0050: 20 4D 75 73 70 65 6C 68 69 65 6D 20 53 75 72 74 Muspelhiem Surt
0x0060: 72 20 2D 20 2D 20 5B 74 69 6D 65 51 75 61 6C 69 r - - [timeQuali
0x0070: 74 79 20 74 7A 4B 6E 6F 77 6E 3D 22 31 22 20 69 ty tzKnown="1" i
0x0080: 73 53 79 6E 63 65 64 3D 22 30 22 5D 20 4C 6F 6F sSynced="0"] Loo
0x0090: 6B 20 66 6F 72 20 74 68 65 20 72 69 76 65 72 2E k for the river.
0x00A0: 65 6E 64 20 74 6F 20 67 61 74 68 65 72 20 74 68 end to gather th
0x00B0: 65 20 6C 61 73 74 20 66 6C 61 67 e last flag
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:29.623636 [**] [1:0:0] [**] [Priority: 0] {UDP} 0.0.0.0:58908 -> 255.255.255.255:514
12/24-15:00:29.623636 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xA9
0.0.0.0:58908 -> 255.255.255.255:514 UDP TTL:64 TOS:0x0 ID:26020 IpLen:20 DgmLen:155 DF
Len: 127
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 9B 65 A4 40 00 40 11 D4 AE 00 00 00 00 FF FF ..e.@.@.........
0x0020: FF FF E6 1C 02 02 00 87 CE 04 3C 31 33 3E 31 20 ..........<13>1
0x0030: 32 30 32 34 2D 31 32 2D 32 34 54 31 36 3A 30 30 2024-12-24T16:00
0x0040: 3A 32 39 2E 36 32 33 35 34 39 2B 30 31 3A 30 30 :29.623549+01:00
0x0050: 20 4D 75 73 70 65 6C 68 69 65 6D 20 53 75 72 74 Muspelhiem Surt
0x0060: 72 20 2D 20 2D 20 5B 74 69 6D 65 51 75 61 6C 69 r - - [timeQuali
0x0070: 74 79 20 74 7A 4B 6E 6F 77 6E 3D 22 31 22 20 69 ty tzKnown="1" i
0x0080: 73 53 79 6E 63 65 64 3D 22 30 22 5D 20 4D 61 72 sSynced="0"] Mar
0x0090: 63 68 69 6E 67 20 74 6F 20 77 61 72 2C 20 6E 6F ching to war, no
0x00A0: 77 20 77 65 20 61 72 65 2E w we are.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:38.979519 [**] [1:0:0] [**] [Priority: 0] {UDP} 0.0.0.0:54473 -> 255.255.255.255:514
12/24-15:00:38.979519 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xAA
0.0.0.0:54473 -> 255.255.255.255:514 UDP TTL:64 TOS:0x0 ID:16953 IpLen:20 DgmLen:156 DF
Len: 128
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 9C 42 39 40 00 40 11 F8 18 00 00 00 00 FF FF ..B9@.@.........
0x0020: FF FF D4 C9 02 02 00 88 9D DA 3C 31 33 3E 31 20 ..........<13>1
0x0030: 32 30 32 34 2D 31 32 2D 32 34 54 31 36 3A 30 30 2024-12-24T16:00
0x0040: 3A 33 38 2E 39 37 39 34 35 33 2B 30 31 3A 30 30 :38.979453+01:00
0x0050: 20 4D 75 73 70 65 6C 68 69 65 6D 20 66 65 6E 72 Muspelhiem fenr
0x0060: 69 72 20 2D 20 2D 20 5B 74 69 6D 65 51 75 61 6C ir - - [timeQual
0x0070: 69 74 79 20 74 7A 4B 6E 6F 77 6E 3D 22 31 22 20 ity tzKnown="1"
0x0080: 69 73 53 79 6E 63 65 64 3D 22 30 22 5D 20 53 75 isSynced="0"] Su
0x0090: 72 74 72 20 68 61 73 20 69 6E 74 65 72 65 73 74 rtr has interest
0x00A0: 69 6E 67 20 70 6F 69 6E 74 73 ing points
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
We find a chat; the important thing here is the mention of river.end.
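The broadcast datagrams to port 514 above are RFC 5424 syslog messages (the <13>1 prefix is PRI 13 followed by version 1), sent unauthenticated and in the clear to every host on the segment, which is why a sensor with a single udp rule sees the whole conversation. As an added example (not code from the writeup), here is a parser that splits each message into its header fields and structured data, rebuilds the chat in timestamp order, and pulls out dotted hostnames from the free text so a name like river.end is not missed by eye. The message strings are constructed from the ASCII columns above; the function names are the example's own.

```python
import re
from datetime import datetime

# Constructed from the ASCII column of the UDP/514 broadcast packets above;
# each string is one syslog datagram payload.
BROADCAST_CHAT = [
    '<13>1 2024-12-24T16:00:09.650004+01:00 Muspelhiem fenrir - - [timeQuality tzKnown="1" isSynced="0"] Surtr has interesting points',
    '<13>1 2024-12-24T16:00:21.010527+01:00 Muspelhiem Surtr - - [timeQuality tzKnown="1" isSynced="0"] This how its done right?',
    "<13>1 2024-12-24T16:00:22.016817+01:00 Muspelhiem Surtr - - [timeQuality tzKnown=\"1\" isSynced=\"0\"] I'll take silence as a yes.",
    '<13>1 2024-12-24T16:00:24.150637+01:00 Muspelhiem Surtr - - [timeQuality tzKnown="1" isSynced="0"] Muspelhiem is prepared, the gods will fall.',
    '<13>1 2024-12-24T16:00:28.351437+01:00 Muspelhiem Surtr - - [timeQuality tzKnown="1" isSynced="0"] Look for the river.end to gather the last flag',
    '<13>1 2024-12-24T16:00:29.623549+01:00 Muspelhiem Surtr - - [timeQuality tzKnown="1" isSynced="0"] Marching to war, now we are.',
]

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
SD_ELEMENT_RE = re.compile(r'\[([^ \]]+)((?: [^ =\]]+="[^"]*")*)\]')
SD_PARAM_RE = re.compile(r'([^ =]+)="([^"]*)"')
HOSTNAME_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def parse_syslog(line: str) -> dict:
    """Split one RFC 5424 message into its fields; PRI = facility * 8 + severity."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m["pri"])
    sd = {}
    if m["sd"] != "-":
        for sd_id, params in SD_ELEMENT_RE.findall(m["sd"]):
            sd[sd_id] = dict(SD_PARAM_RE.findall(params))
    return {
        "facility": pri >> 3,   # 13 >> 3 == 1, user-level messages
        "severity": pri & 7,    # 13 & 7 == 5, notice
        "timestamp": datetime.fromisoformat(m["timestamp"]),
        "hostname": m["hostname"], "appname": m["appname"],
        "procid": m["procid"], "msgid": m["msgid"],
        "sd": sd, "msg": m["msg"] or "",
    }


def chat_transcript(lines):
    """Reduce the datagrams to (time, speaker, text), ordered by their own timestamps."""
    rows = sorted((parse_syslog(l) for l in lines), key=lambda r: r["timestamp"])
    return [(r["timestamp"].strftime("%H:%M:%S"), r["appname"], r["msg"]) for r in rows]


def mentioned_hosts(lines):
    """Dotted names that appear in the free-text part of the messages."""
    found = set()
    for line in lines:
        found.update(HOSTNAME_RE.findall(parse_syslog(line)["msg"]))
    return sorted(found)


if __name__ == "__main__":
    for when, who, text in chat_transcript(BROADCAST_CHAT):
        print(f"{when} {who:>7}: {text}")
    print("hosts mentioned:", mentioned_hosts(BROADCAST_CHAT))
```

Note that the app-name field is doing duty as the speaker here, and that tzKnown="1" isSynced="0" in the structured data says the sender's clock is not synchronised, so the ordering above is only as trustworthy as the senders' clocks.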
The planted flag at the river’s end
Once again, let's first find the IP address of river.end:
Please input your magical sequence:
>>> alert udp any any -> any any (content:"river"; sid:1)
Sequence recieved. Validating magic sequence...
Validation succeeded. Beginning sequencing of your submission...
SNORT'er finished with the following results:
12/24-15:00:28.351521 [**] [1:1:0] [**] [Priority: 0] {UDP} 0.0.0.0:38287 -> 255.255.255.255:514
12/24-15:00:28.351521 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0xBB
0.0.0.0:38287 -> 255.255.255.255:514 UDP TTL:64 TOS:0x0 ID:28571 IpLen:20 DgmLen:173 DF
Len: 145
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 AD 6F 9B 40 00 40 11 CA A5 00 00 00 00 FF FF ..o.@.@.........
0x0020: FF FF 95 8F 02 02 00 99 CB E1 3C 31 33 3E 31 20 ..........<13>1
0x0030: 32 30 32 34 2D 31 32 2D 32 34 54 31 36 3A 30 30 2024-12-24T16:00
0x0040: 3A 32 38 2E 33 35 31 34 33 37 2B 30 31 3A 30 30 :28.351437+01:00
0x0050: 20 4D 75 73 70 65 6C 68 69 65 6D 20 53 75 72 74 Muspelhiem Surt
0x0060: 72 20 2D 20 2D 20 5B 74 69 6D 65 51 75 61 6C 69 r - - [timeQuali
0x0070: 74 79 20 74 7A 4B 6E 6F 77 6E 3D 22 31 22 20 69 ty tzKnown="1" i
0x0080: 73 53 79 6E 63 65 64 3D 22 30 22 5D 20 4C 6F 6F sSynced="0"] Loo
0x0090: 6B 20 66 6F 72 20 74 68 65 20 72 69 76 65 72 2E k for the river.
0x00A0: 65 6E 64 20 74 6F 20 67 61 74 68 65 72 20 74 68 end to gather th
0x00B0: 65 20 6C 61 73 74 20 66 6C 61 67 e last flag
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:34.641058 [**] [1:1:0] [**] [Priority: 0] {UDP} 0.0.0.0:50706 -> 53.255.255.35:53
12/24-15:00:34.641058 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x5C
0.0.0.0:50706 -> 53.255.255.35:53 UDP TTL:64 TOS:0x0 ID:7390 IpLen:20 DgmLen:78
Len: 50
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 4E 1C DE 00 00 40 11 28 9F 00 00 00 00 35 FF .N....@.(.....5.
0x0020: FF 23 C6 12 00 35 00 3A A2 09 78 B9 01 20 00 01 .#...5.:..x.. ..
0x0030: 00 00 00 00 00 01 05 72 69 76 65 72 03 65 6E 64 .......river.end
0x0040: 00 00 01 00 01 00 00 29 04 D0 00 00 00 00 00 0C .......)........
0x0050: 00 0A 00 08 E0 6B 92 62 DB 5E 4C C2 .....k.b.^L.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:34.650697 [**] [1:1:0] [**] [Priority: 0] {UDP} 53.255.255.35:53 -> 0.0.0.0:50706
12/24-15:00:34.650697 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x55
53.255.255.35:53 -> 0.0.0.0:50706 UDP TTL:64 TOS:0x0 ID:60202 IpLen:20 DgmLen:71 DF
Len: 43
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 47 EB 2A 40 00 40 11 1A 59 35 FF FF 23 00 00 .G.*@.@..Y5..#..
0x0020: 00 00 00 35 C6 12 00 33 36 0A 78 B9 85 00 00 01 ...5...36.x.....
0x0030: 00 01 00 00 00 00 05 72 69 76 65 72 03 65 6E 64 .......river.end
0x0040: 00 00 01 00 01 C0 0C 00 01 00 01 00 00 0E 10 00 ................
0x0050: 04 65 00 00 65 .e..e
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
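Taking the last four bytes of the datagram works when the reply carries exactly one A record, but a response with several answers, a CNAME chain, or an OPT pseudo-record in the additional section would put other bytes at the end. As an added example (not part of the writeup), here is a decoder that walks the DNS header, question and answer sections properly, following the C0 0C compression pointer seen in both responses above, and collects every IN A record. The two payloads are constructed from the captured responses for commune.helhiem and river.end (the UDP header stripped, the byte values as shown above); it also flags the 255.255.255.255 answer as the broadcast address.

```python
import struct
import ipaddress

# DNS payloads (everything after the 8-byte UDP header) rebuilt from the two
# responses captured above. Constructed for this example; bytes are the page's own.
COMMUNE_HELHIEM_RESPONSE = (
    b"\xb2\x6a\x85\x00\x00\x01\x00\x01\x00\x00\x00\x00"   # id, flags, qd/an/ns/ar counts
    b"\x07commune\x07helhiem\x00\x00\x01\x00\x01"          # question: commune.helhiem A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"    # answer: ptr->name, A, IN, TTL 3600, len 4
    b"\xff\xff\xff\xff"                                     # rdata: 255.255.255.255
)
RIVER_END_RESPONSE = (
    b"\x78\xb9\x85\x00\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x05river\x03end\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"
    b"\x65\x00\x00\x65"                                     # rdata: 101.0.0.101
)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) DNS name at `off`.

    Returns (name, offset of the first byte after the name in the original
    stream); a compression pointer is always the last part of a name."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # pointer (RFC 1035 section 4.1.4)
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_a_records(msg: bytes) -> dict:
    """Walk header, question and answer sections and collect the IN A records."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    questions = []
    for _ in range(qdcount):
        qname, off = _read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((qname, qtype, qclass))
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            ip = ipaddress.IPv4Address(rdata)
            answers.append({"name": name, "ttl": ttl, "ip": str(ip),
                            "broadcast": int(ip) == 0xFFFFFFFF})
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


if __name__ == "__main__":
    for payload in (COMMUNE_HELHIEM_RESPONSE, RIVER_END_RESPONSE):
        r = parse_a_records(payload)
        for a in r["answers"]:
            print(f"{a['name']} -> {a['ip']} (ttl {a['ttl']}, broadcast={a['broadcast']})")
```

The transaction ID (first two bytes) is what pairs a response with its query; the requests above carry B2 6A and 78 B9, which match the two responses.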
Decoding the IP bytes we get 101.0.0.101, so let's have a look:
Please input your magical sequence:
>>> alert tcp any any <> 101.0.0.101 any
Sequence recieved. Validating magic sequence...
Validation succeeded. Beginning sequencing of your submission...
SNORT'er finished with the following results:
12/24-15:00:35.891970 [**] [1:0:0] [**] [Priority: 0] {TCP} 0.0.0.0:59982 -> 101.0.0.101:21
12/24-15:00:35.891970 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x4A
0.0.0.0:59982 -> 101.0.0.101:21 TCP TTL:64 TOS:0x0 ID:21553 IpLen:20 DgmLen:60 DF
******S* Seq: 0x7661A44A Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (5) => MSS: 65495 SackOK TS: 1614795381 0 NOP WS: 2
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 3C 54 31 40 00 40 06 81 26 00 00 00 00 65 00 .<T1@.@..&....e.
0x0020: 00 65 EA 4E 00 15 76 61 A4 4A 00 00 00 00 A0 02 .e.N..va.J......
0x0030: FF FF B0 B7 00 00 02 04 FF D7 04 02 08 0A 60 3F ..............`?
0x0040: D2 75 00 00 00 00 01 03 03 02 .u........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.891987 [**] [1:0:0] [**] [Priority: 0] {TCP} 101.0.0.101:21 -> 0.0.0.0:59982
12/24-15:00:35.891987 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x4A
101.0.0.101:21 -> 0.0.0.0:59982 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xB9BA3BDC Ack: 0x7661A44B Win: 0xFFCB TcpLen: 40
TCP Options (5) => MSS: 65495 SackOK TS: 473181618 1614795381 NOP WS: 7
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 3C 00 00 40 00 40 06 D5 57 65 00 00 65 00 00 .<..@.@..We..e..
0x0020: 00 00 00 15 EA 4E B9 BA 3B DC 76 61 A4 4B A0 12 .....N..;.va.K..
0x0030: FF CB 71 58 00 00 02 04 FF D7 04 02 08 0A 1C 34 ..qX...........4
0x0040: 2D B2 60 3F D2 75 01 03 03 07 -.`?.u....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.892002 [**] [1:0:0] [**] [Priority: 0] {TCP} 0.0.0.0:59982 -> 101.0.0.101:21
12/24-15:00:35.892002 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x42
0.0.0.0:59982 -> 101.0.0.101:21 TCP TTL:64 TOS:0x0 ID:21554 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x7661A44B Ack: 0xB9BA3BDD Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1614795381 473181618
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 34 54 32 40 00 40 06 81 2D 00 00 00 00 65 00 .4T2@.@..-....e.
0x0020: 00 65 EA 4E 00 15 76 61 A4 4B B9 BA 3B DD 80 10 .e.N..va.K..;...
0x0030: 40 00 5A 14 00 00 01 01 08 0A 60 3F D2 75 1C 34 @.Z.......`?.u.4
0x0040: 2D B2 -.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.898791 [**] [1:0:0] [**] [Priority: 0] {TCP} 101.0.0.101:21 -> 0.0.0.0:59982
12/24-15:00:35.898791 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x62
101.0.0.101:21 -> 0.0.0.0:59982 TCP TTL:64 TOS:0x0 ID:38858 IpLen:20 DgmLen:84 DF
***AP*** Seq: 0xB9BA3BDD Ack: 0x7661A44B Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 473181624 1614795381
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 54 97 CA 40 00 40 06 3D 75 65 00 00 65 00 00 .T..@.@.=ue..e..
0x0020: 00 00 00 15 EA 4E B9 BA 3B DD 76 61 A4 4B 80 18 .....N..;.va.K..
0x0030: 02 00 97 D9 00 00 01 01 08 0A 1C 34 2D B8 60 3F ...........4-.`?
0x0040: D2 75 32 32 30 20 52 69 76 65 72 20 66 72 6F 6D .u220 River from
0x0050: 20 74 68 65 20 45 6E 64 20 6F 66 20 74 69 6D 65 the End of time
0x0060: 0D 0A ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.898834 [**] [1:0:0] [**] [Priority: 0] {TCP} 0.0.0.0:59982 -> 101.0.0.101:21
12/24-15:00:35.898834 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x42
0.0.0.0:59982 -> 101.0.0.101:21 TCP TTL:64 TOS:0x10 ID:21555 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x7661A44B Ack: 0xB9BA3BFD Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1614795387 473181624
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 10 ..............E.
0x0010: 00 34 54 33 40 00 40 06 81 1C 00 00 00 00 65 00 .4T3@.@.......e.
0x0020: 00 65 EA 4E 00 15 76 61 A4 4B B9 BA 3B FD 80 10 .e.N..va.K..;...
0x0030: 40 00 59 E8 00 00 01 01 08 0A 60 3F D2 7B 1C 34 @.Y.......`?.{.4
0x0040: 2D B8 -.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.899104 [**] [1:0:0] [**] [Priority: 0] {TCP} 0.0.0.0:59982 -> 101.0.0.101:21
12/24-15:00:35.899104 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x52
0.0.0.0:59982 -> 101.0.0.101:21 TCP TTL:64 TOS:0x10 ID:21556 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0x7661A44B Ack: 0xB9BA3BFD Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1614795388 473181624
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 10 ..............E.
0x0010: 00 44 54 34 40 00 40 06 81 0B 00 00 00 00 65 00 .DT4@.@.......e.
0x0020: 00 65 EA 4E 00 15 76 61 A4 4B B9 BA 3B FD 80 18 .e.N..va.K..;...
0x0030: 40 00 D1 F2 00 00 01 01 08 0A 60 3F D2 7C 1C 34 @.........`?.|.4
0x0040: 2D B8 55 53 45 52 20 61 6E 6F 6E 79 6D 6F 75 73 -.USER anonymous
0x0050: 0D 0A ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.899123 [**] [1:0:0] [**] [Priority: 0] {TCP} 101.0.0.101:21 -> 0.0.0.0:59982
12/24-15:00:35.899123 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x42
101.0.0.101:21 -> 0.0.0.0:59982 TCP TTL:64 TOS:0x0 ID:38859 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xB9BA3BFD Ack: 0x7661A45B Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 473181625 1614795388
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 34 97 CB 40 00 40 06 3D 94 65 00 00 65 00 00 .4..@.@.=.e..e..
0x0020: 00 00 00 15 EA 4E B9 BA 3B FD 76 61 A4 5B 80 10 .....N..;.va.[..
0x0030: 02 00 97 D6 00 00 01 01 08 0A 1C 34 2D B9 60 3F ...........4-.`?
0x0040: D2 7C .|
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.901267 [**] [1:0:0] [**] [Priority: 0] {TCP} 101.0.0.101:21 -> 0.0.0.0:59982
12/24-15:00:35.901267 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x64
101.0.0.101:21 -> 0.0.0.0:59982 TCP TTL:64 TOS:0x0 ID:38860 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0xB9BA3BFD Ack: 0x7661A45B Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 473181627 1614795388
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 56 97 CC 40 00 40 06 3D 71 65 00 00 65 00 00 .V..@.@.=qe..e..
0x0020: 00 00 00 15 EA 4E B9 BA 3B FD 76 61 A4 5B 80 18 .....N..;.va.[..
0x0030: 02 00 50 89 00 00 01 01 08 0A 1C 34 2D BB 60 3F ..P........4-.`?
0x0040: D2 7C 33 33 31 20 50 6C 65 61 73 65 20 73 70 65 .|331 Please spe
0x0050: 63 69 66 79 20 74 68 65 20 70 61 73 73 77 6F 72 cify the passwor
0x0060: 64 2E 0D 0A d...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.901403 [**] [1:0:0] [**] [Priority: 0] {TCP} 0.0.0.0:59982 -> 101.0.0.101:21
12/24-15:00:35.901403 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x53
0.0.0.0:59982 -> 101.0.0.101:21 TCP TTL:64 TOS:0x10 ID:21557 IpLen:20 DgmLen:69 DF
***AP*** Seq: 0x7661A45B Ack: 0xB9BA3C1F Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1614795390 473181627
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 10 ..............E.
0x0010: 00 45 54 35 40 00 40 06 81 09 00 00 00 00 65 00 .ET5@.@.......e.
0x0020: 00 65 EA 4E 00 15 76 61 A4 5B B9 BA 3C 1F 80 18 .e.N..va.[..<...
0x0030: 40 00 8B C8 00 00 01 01 08 0A 60 3F D2 7E 1C 34 @.........`?.~.4
0x0040: 2D BB 50 41 53 53 20 61 6E 6F 6E 79 6D 6F 75 73 -.PASS anonymous
0x0050: 40 0D 0A @..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.903406 [**] [1:0:0] [**] [Priority: 0] {TCP} 101.0.0.101:21 -> 0.0.0.0:59982
12/24-15:00:35.903406 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x59
101.0.0.101:21 -> 0.0.0.0:59982 TCP TTL:64 TOS:0x0 ID:38861 IpLen:20 DgmLen:75 DF
***AP*** Seq: 0xB9BA3C1F Ack: 0x7661A46C Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 473181629 1614795390
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 4B 97 CD 40 00 40 06 3D 7B 65 00 00 65 00 00 .K..@.@.={e..e..
0x0020: 00 00 00 15 EA 4E B9 BA 3C 1F 76 61 A4 6C 80 18 .....N..<.va.l..
0x0030: 02 00 B6 05 00 00 01 01 08 0A 1C 34 2D BD 60 3F ...........4-.`?
0x0040: D2 7E 32 33 30 20 4C 6F 67 69 6E 20 73 75 63 63 .~230 Login succ
0x0050: 65 73 73 66 75 6C 2E 0D 0A essful...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.903596 [**] [1:0:0] [**] [Priority: 0] {TCP} 0.0.0.0:59982 -> 101.0.0.101:21
12/24-15:00:35.903596 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x48
0.0.0.0:59982 -> 101.0.0.101:21 TCP TTL:64 TOS:0x10 ID:21558 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0x7661A46C Ack: 0xB9BA3C36 Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1614795392 473181629
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 10 ..............E.
0x0010: 00 3A 54 36 40 00 40 06 81 13 00 00 00 00 65 00 .:T6@.@.......e.
0x0020: 00 65 EA 4E 00 15 76 61 A4 6C B9 BA 3C 36 80 18 .e.N..va.l..<6..
0x0030: 40 00 A5 BE 00 00 01 01 08 0A 60 3F D2 80 1C 34 @.........`?...4
0x0040: 2D BD 53 59 53 54 0D 0A -.SYST..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.905623 [**] [1:0:0] [**] [Priority: 0] {TCP} 101.0.0.101:21 -> 0.0.0.0:59982
12/24-15:00:35.905623 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x55
101.0.0.101:21 -> 0.0.0.0:59982 TCP TTL:64 TOS:0x0 ID:38862 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xB9BA3C36 Ack: 0x7661A472 Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 473181631 1614795392
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 47 97 CE 40 00 40 06 3D 7E 65 00 00 65 00 00 .G..@.@.=~e..e..
0x0020: 00 00 00 15 EA 4E B9 BA 3C 36 76 61 A4 72 80 18 .....N..<6va.r..
0x0030: 02 00 30 11 00 00 01 01 08 0A 1C 34 2D BF 60 3F ..0........4-.`?
0x0040: D2 80 32 31 35 20 55 4E 49 58 20 54 79 70 65 3A ..215 UNIX Type:
0x0050: 20 4C 38 0D 0A L8..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.905774 [**] [1:0:0] [**] [Priority: 0] {TCP} 0.0.0.0:59982 -> 101.0.0.101:21
12/24-15:00:35.905774 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x48
0.0.0.0:59982 -> 101.0.0.101:21 TCP TTL:64 TOS:0x10 ID:21559 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0x7661A472 Ack: 0xB9BA3C49 Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1614795394 473181631
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 10 ..............E.
0x0010: 00 3A 54 37 40 00 40 06 81 12 00 00 00 00 65 00 .:T7@.@.......e.
0x0020: 00 65 EA 4E 00 15 76 61 A4 72 B9 BA 3C 49 80 18 .e.N..va.r..<I..
0x0030: 40 00 C4 B5 00 00 01 01 08 0A 60 3F D2 82 1C 34 @.........`?...4
0x0040: 2D BF 46 45 41 54 0D 0A -.FEAT..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/24-15:00:35.907596 [**] [1:0:0] [**] [Priority: 0] {TCP} 101.0.0.101:21 -> 0.0.0.0:59982
12/24-15:00:35.907596 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x58
101.0.0.101:21 -> 0.0.0.0:59982 TCP TTL:64 TOS:0x0 ID:38863 IpLen:20 DgmLen:74 DF
***AP*** Seq: 0xB9BA3C49 Ack: 0x7661A478 Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 473181633 1614795394
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 4A 97 CF 40 00 40 06 3D 7A 65 00 00 65 00 00 .J..@.@.=ze..e..
0x0020: 00 00 00 15 EA 4E B9 BA 3C 49 76 61 A4 78 80 18 .....N..<Iva.x..
0x0030: 02 00 EF F8 00 00 01 01 08 0A 1C 34 2D C1 60 3F ...........4-.`?
0x0040: D2 82 35 30 30 20 55 6E 6B 6E 6F 77 6E 20 63 6F ..500 Unknown co
...TRUNCATED RESPONSE...
It is an FTP session, but it is so long that the output is truncated, so let's do some content filtering to find what we want (I tried to look for a few things, but file
worked):
Please input your magical sequence:
>>> alert tcp any any <> 101.0.0.101 21 (content:"file"; sid:1)
Sequence recieved. Validating magic sequence...
Validation succeeded. Beginning sequencing of your submission...
SNORT'er finished with the following results:
12/24-15:00:35.959223 [**] [1:1:0] [**] [Priority: 0] {TCP} 101.0.0.101:21 -> 0.0.0.0:59982
12/24-15:00:35.959223 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x1B6
101.0.0.101:21 -> 0.0.0.0:59982 TCP TTL:64 TOS:0x0 ID:38869 IpLen:20 DgmLen:424 DF
***AP*** Seq: 0xB9BA3CEE Ack: 0x7661A4B1 Win: 0x200 TcpLen: 32
TCP Options (3) => NOP NOP TS: 473181685 1614795448
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 01 A8 97 D5 40 00 40 06 3C 16 65 00 00 65 00 00 ....@.@.<.e..e..
0x0020: 00 00 00 15 EA 4E B9 BA 3C EE 76 61 A4 B1 80 18 .....N..<.va....
0x0030: 02 00 B6 89 00 00 01 01 08 0A 1C 34 2D F5 60 3F ...........4-.`?
0x0040: D2 B8 20 20 20 20 20 43 6F 6E 6E 65 63 74 65 64 .. Connected
0x0050: 20 74 6F 20 31 37 32 2E 32 31 2E 30 2E 32 0D 0A to 172.21.0.2..
0x0060: 20 20 20 20 20 4C 6F 67 67 65 64 20 69 6E 20 61 Logged in a
0x0070: 73 20 73 75 72 74 72 0D 0A 20 20 20 20 20 54 59 s surtr.. TY
0x0080: 50 45 3A 20 42 49 4E 41 52 59 0D 0A 20 20 20 20 PE: BINARY..
0x0090: 20 53 65 73 73 69 6F 6E 20 74 69 6D 65 6F 75 74 Session timeout
0x00A0: 20 69 6E 20 73 65 63 6F 6E 64 73 20 69 73 20 31 in seconds is 1
0x00B0: 32 30 0D 0A 20 20 20 20 20 43 6F 6E 74 72 6F 6C 20.. Control
0x00C0: 20 63 6F 6E 6E 65 63 74 69 6F 6E 20 69 73 20 70 connection is p
0x00D0: 6C 61 69 6E 20 74 65 78 74 0D 0A 20 20 20 20 20 lain text..
0x00E0: 44 61 74 61 20 63 6F 6E 6E 65 63 74 69 6F 6E 73 Data connections
0x00F0: 20 77 69 6C 6C 20 62 65 20 70 6C 61 69 6E 20 74 will be plain t
0x0100: 65 78 74 0D 0A 20 20 20 20 20 4D 61 78 69 6D 75 ext.. Maximu
0x0110: 6D 20 66 69 6C 65 20 73 69 7A 65 20 69 73 20 31 m file size is 1
0x0120: 30 30 30 30 30 30 30 20 62 79 74 65 73 0D 0A 20 0000000 bytes..
0x0130: 20 20 20 20 54 68 65 20 54 72 75 74 68 20 69 73 The Truth is
0x0140: 20 69 6E 20 74 68 65 20 64 65 74 61 69 6C 73 20 in the details
0x0150: 2D 20 66 58 52 31 54 31 39 30 61 47 64 70 55 6C - fXR1T190aGdpUl
0x0160: 39 30 59 57 68 55 58 32 52 6C 56 46 4A 50 54 6C 90YWhUX2RlVFJPTl
0x0170: 4E 66 64 57 39 5A 65 30 46 44 52 45 59 3D 20 2D NfdW9Ze0FDREY= -
0x0180: 20 59 6F 75 20 70 72 6F 62 61 62 6C 79 20 77 61 You probably wa
0x0190: 6E 6E 61 20 6C 6F 6F 6B 20 61 74 20 74 68 69 73 nna look at this
0x01A0: 2E 0D 0A 32 31 31 20 45 6E 64 20 6F 66 20 73 74 ...211 End of st
0x01B0: 61 74 75 73 0D 0A atus..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Decoding the base64 and reversing the string gives the flag:
$ echo "fXR1T190aGdpUl90YWhUX2RlVFJPTlNfdW9Ze0FDREY=" | base64 -d | rev
FDCA{You_SNORTed_That_Right_Out}
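To reproduce the content filtering and the decode step offline, here is an added Python example (not part of the original writeup) that parses the SNORT'er hexdump format shown above, strips the Ethernet/IPv4/TCP headers to get at the FTP payload, emulates a content:"..." match over the records, and decodes-then-reverses any base64 token it finds. The embedded sample record is copied from the USER anonymous packet above; the parser assumes snort's 16-bytes-per-line hexdump layout and reads the frame length from the len:0x.. header line, so it can drop the ASCII column by byte count instead of guessing.

```python
import base64
import re
# Constructed sample: the "USER anonymous" record from this page's SNORT'er output.
SAMPLE = """\
12/24-15:00:35.899104 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x52
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 10 ..............E.
0x0010: 00 44 54 34 40 00 40 06 81 0B 00 00 00 00 65 00 .DT4@.@.......e.
0x0020: 00 65 EA 4E 00 15 76 61 A4 4B B9 BA 3B FD 80 18 .e.N..va.K..;...
0x0030: 40 00 D1 F2 00 00 01 01 08 0A 60 3F D2 7C 1C 34 @.........`?.|.4
0x0040: 2D B8 55 53 45 52 20 61 6E 6F 6E 79 6D 6F 75 73 -.USER anonymous
0x0050: 0D 0A ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""
HEX_LINE = re.compile(r"^0x([0-9A-F]{4}):\s+(.*)$", re.M | re.I)
FRAME_LEN = re.compile(r"len:0x([0-9A-F]+)", re.I)
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def parse_frames(text):
    """Rebuild each record's raw frame; each hex line holds 16 bytes except the last."""
    frames = []
    for rec in re.split(r"^=\+[=+]*$", text, flags=re.M):
        m = FRAME_LEN.search(rec)
        if not m:
            continue
        frame_len, raw = int(m.group(1), 16), bytearray()
        for off, hexs in HEX_LINE.findall(rec):
            count = min(16, frame_len - int(off, 16))  # bytes left on this line
            raw += bytes.fromhex("".join(hexs.split()[:count]))
        if len(raw) == frame_len:  # skip records cut off by the truncated output
            frames.append(bytes(raw))
    return frames

def tcp_payload(frame):
    """Skip Ethernet (14 bytes), the IPv4 header (IHL) and the TCP header (data offset)."""
    ihl = (frame[14] & 0x0F) * 4
    return frame[14 + ihl + (frame[14 + ihl + 12] >> 4) * 4:]

def content_filter(text, needle):
    """Emulate the content:"..." rule: payloads of the records that contain needle."""
    return [p for p in map(tcp_payload, parse_frames(text)) if needle in p]

def decode_reversed_base64(payload):
    """Decode and reverse every base64-looking token, the way the flag is hidden."""
    found = []
    for tok in B64_TOKEN.findall(payload):
        try:
            found.append(base64.b64decode(tok, validate=True)[::-1].decode())
        except (ValueError, UnicodeDecodeError):
            continue  # a long alphanumeric run that is not base64
    return found
```

Paste the full SNORT'er output into content_filter with b"file" to get the STAT reply above, then feed that payload to decode_reversed_base64 for the flag.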