Points: 100
Categories: forensic, network

Task description

“Mysterious traffic”, or in other words: we have a dump of network traffic and are asked to analyze what it says. Provided is a pcapng file containing the captured traffic.

tl;dr

The solution was to extract a GIF image from SYN packets’ data and then split it into individual frames.

Solution

This wasn’t a particularly hard task if one knows TCP. A short analysis of the dump in Wireshark showed that the file contains only SYN and NACK packets, as one side constantly tries to connect to a closed port.

A quick look at a sample of SYN packets showed that each SYN packet carried data (data on a SYN used to be rare; nowadays it is a more popular method of lowering the latency to the first byte). Some quick shell play with tshark gave us the data:

As is easy to recognize, the first half of the data field is always 47 4F 41 54 01. Still, it is better to verify that:

So, we have found a common “header”, which coincidentally matches the theme of the CTF: it reads GOAT\x01. It’s time to extract the usable data:
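The extraction step described above, as an added example that is not the author’s tshark pipeline: it filters pure SYN segments out of a list of raw TCP segments, checks that every SYN payload begins with the GOAT\x01 marker, strips the marker and concatenates the remainders in capture order, then recognises the result by its magic bytes. The sample segments are constructed inline (a GIF89a header cut across two SYNs, interleaved with the RST/ACK answers a closed port sends back); the port numbers and sequence numbers are made up.

```python
import struct

# Five-byte marker observed at the start of every SYN payload in the writeup: 47 4F 41 54 01
GOAT_HEADER = b"GOAT\x01"

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10

# sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
TCP_HDR = "!HHIIBBHHH"


def build_tcp_segment(sport, dport, seq, flags, payload=b""):
    """Build a minimal raw TCP segment (20-byte header, no options, checksum left zero).
    Used only to construct sample input; in the real task the segments come from the pcapng."""
    data_offset = 5 << 4  # header length in 32-bit words lives in the high nibble
    return struct.pack(TCP_HDR, sport, dport, seq, 0, data_offset, flags, 8192, 0, 0) + payload


def parse_tcp_segment(segment):
    """Split a raw TCP segment into header fields and payload, honouring the data offset."""
    sport, dport, seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    header_len = (off_res >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "flags": flags, "payload": segment[header_len:]}


def extract_goat_stream(segments):
    """Keep only pure SYN segments (SYN set, ACK clear), verify each payload starts with
    the GOAT header, strip it, and concatenate the remainders in capture order."""
    chunks = []
    for raw in segments:
        seg = parse_tcp_segment(raw)
        is_pure_syn = bool(seg["flags"] & TCP_SYN) and not (seg["flags"] & TCP_ACK)
        if not is_pure_syn:
            continue  # RST/ACK rejections from the closed port carry nothing useful
        payload = seg["payload"]
        if not payload.startswith(GOAT_HEADER):
            raise ValueError(f"SYN seq={seg['seq']:#x} payload lacks GOAT header: {payload[:8]!r}")
        chunks.append(payload[len(GOAT_HEADER):])
    return b"".join(chunks)


def identify_magic(data):
    """Recognise the carved blob by its leading bytes (GIF is the only type this task needs)."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


# Constructed sample: the start of a GIF89a header split across two SYN payloads,
# each answered by an RST/ACK with no payload.
SAMPLE_SEGMENTS = [
    build_tcp_segment(40000, 1337, 0x1000, TCP_SYN, GOAT_HEADER + b"GIF89"),
    build_tcp_segment(1337, 40000, 0, TCP_RST | TCP_ACK),
    build_tcp_segment(40001, 1337, 0x2000, TCP_SYN, GOAT_HEADER + b"a\x10\x00\x10\x00"),
    build_tcp_segment(1337, 40001, 0, TCP_RST | TCP_ACK),
]


if __name__ == "__main__":
    blob = extract_goat_stream(SAMPLE_SEGMENTS)
    print(identify_magic(blob), blob.hex())
```

The segments are kept in capture order rather than sorted by sequence number, because every connection attempt here is a fresh SYN with its own initial sequence number, so `seq` says nothing about the order of the chunks.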

Some people might have already noticed that the first packet starts with what is essentially the beginning of a GIF header. The extracted image is the infamous ROFLcopter:
[image: roflcopter]

Still, no flag, but there definitely is something blinking in the image.

The next obvious step was to check the data hidden in the short-lived frame. Let’s split the GIF file into frames:

[image: out00016]
Among the resulting outXXXX.pgm files, in the 17th frame, we find the flag: TUCTF{xxxxxxx CENSORED xxxxxxxxxxxx}
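Finding the short-lived frame without rendering anything, as an added example that is not the tool the author used to produce the outXXXX.pgm files: the block walks the GIF block structure (logical screen descriptor, colour tables, extensions, image descriptors), records each frame’s delay from its Graphic Control Extension, and picks the frame with the smallest delay, which is the one a viewer only flashes. The compressed pixel data is skipped, not decoded. The sample GIF is constructed inline with placeholder, non-decodable LZW bytes; its three frames and their delays are made up.

```python
import struct


def _skip_sub_blocks(data, pos):
    """Advance past a chain of GIF data sub-blocks (length byte + bytes, ..., 0x00 terminator)."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def _color_table_size(packed):
    """Bytes occupied by a colour table whose presence bit and size bits are in `packed` (0 if absent)."""
    if not packed & 0x80:
        return 0
    return 3 * (2 ** ((packed & 0x07) + 1))


def gif_frames(data):
    """Return one dict per image frame with its delay in centiseconds, taken from the
    preceding Graphic Control Extension (None if the frame has no GCE)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13 + _color_table_size(packed)  # skip the global colour table if present
    frames = []
    pending_delay = None
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:  # trailer
            break
        if block == 0x21:  # extension: 0x21, label, sub-blocks
            label = data[pos + 1]
            if label == 0xF9:  # GCE: 0x04, packed flags, delay (2 bytes LE), transparent index
                pending_delay = struct.unpack("<H", data[pos + 4:pos + 6])[0]
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:  # image descriptor
            left, top, w, h, lpacked = struct.unpack("<HHHHB", data[pos + 1:pos + 10])
            pos += 10 + _color_table_size(lpacked)  # skip the local colour table if present
            pos += 1  # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)  # compressed pixel data, not decoded here
            frames.append({"index": len(frames), "pos": (left, top), "size": (w, h), "delay_cs": pending_delay})
            pending_delay = None
        else:
            raise ValueError(f"unexpected block id 0x{block:02x} at offset {pos}")
    return frames


def shortest_lived_frame(frames):
    """The frame with the smallest non-None delay: the one that merely blinks."""
    timed = [f for f in frames if f["delay_cs"] is not None]
    if not timed:
        return None
    return min(timed, key=lambda f: f["delay_cs"])


def _sample_frame(delay_cs):
    """Constructed GCE plus a 2x2 image descriptor with placeholder (not decodable) LZW bytes."""
    gce = b"\x21\xF9\x04\x00" + struct.pack("<H", delay_cs) + b"\x00\x00"
    descriptor = b"\x2C" + struct.pack("<HHHHB", 0, 0, 2, 2, 0)
    image_data = b"\x02" + b"\x02\x44\x01" + b"\x00"  # min code size, one 2-byte sub-block, terminator
    return gce + descriptor + image_data


# Constructed sample: GIF89a, 2x2 canvas, 2-entry global colour table, a NETSCAPE looping
# extension, then three frames of which the middle one is shown for only 2 centiseconds.
SAMPLE_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 2, 2, 0x80, 0, 0) + b"\x00\x00\x00\xFF\xFF\xFF"
    + b"\x21\xFF\x0BNETSCAPE2.0\x03\x01\x00\x00\x00"
    + _sample_frame(50) + _sample_frame(2) + _sample_frame(50)
    + b"\x3B"
)


if __name__ == "__main__":
    frames = gif_frames(SAMPLE_GIF)
    for f in frames:
        print(f)
    print("blink candidate:", shortest_lived_frame(frames))
```

On a real file the index reported here maps directly onto the frame numbering a splitter produces, so the candidate frame can be rendered on its own instead of dumping every frame and hunting through them by eye.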
