- Name : CSAW CTF Qualification Round 2016
- Website : https://ctf.csaw.io/
- Type : Online
- Format : Jeopardy
- CTF Time : link
Is kill can fix? Sign the autopsy file?
- If you look at the presumed PcapNg file you can see it is certainly broken because you can't open it with Whireshark and the
filecommand shows it as raw data.
- It's certainly more than just a wrong header signature so we'll use the pcapcfix tool to fix this.
- As there is no more header we have to use
--pcapngoption because default behaviour of the tool is to repair as a simple pcap file.
- Now look at the file, it seems better!
- Now open the Pcap-Ng file with wireshark.
- This is mainly a SFTP exchange so it may be interesting to look at downloaded filess with this filter: Filter
ftp.request.command == STOR.
- Filter show us 7 downloaded files at frame 53, 130, 693, 760, 813, 2325 and 2480. 5 jpg files (image) and 2 mp4 files (video).
- So let's extract images first. For that we need the jpg header file signature. It can be found here on Wikipedia.
- The one interesting for us is JFIF.
CTRL + F, select Hex value as Display filter.
- Note that it's not necessary as the begining of the stream is not far after the STOR request command.
- We won't need to extract mp4 file, flag is in one of the images.
- Now there is two way to do it: the smart way and the dumb way.
- Dumb way: see the flag in the ASCII representation of the frame 696 (girls.jpg). Ok it works, but if the flag have be not so badly hidden you won't have seen it, for example if it was display on the image.
- Smart way: Let's extract images.
- Now that we know where are the files stream, we can extract files as mention:
- Right click on the first frame of the stream.
- Click on Follow TCP Stream.
- Select Raw representation.
- Save it on your disk.
- Do the same with next images.
- We can note that all images are seeable execpt girls.jpg. So what? A broken file again? Not really, if you want to see the file header in order to fix it, you discover that the flag was just injected in the file header.
- Let's see the raw hex dump of the image:
Thanks to Shankar Raman.