The Nack

TUCTF 2016 writeup, published 2016-06-23 at https://codisec.com/tuctf16-the-nack/

Points: 100
Categories: forensic, network

Task description

“Mysterious traffic”: in other words, we are given a dump of network traffic and asked to work out what it says. The provided file is a pcapng capture of that traffic.

tl;dr

The solution was to extract a GIF image from the payloads carried in the SYN packets and then split it into individual frames.

Solution

This is not a particularly hard task if you know TCP. A short look at the dump in Wireshark shows that it contains only SYN packets and the RST/ACK replies to them (the “NACKs” of the challenge title): one side keeps trying to connect to a closed port, and the other side keeps refusing the connection.

A quick look at a sample of the SYN packets showed that every SYN carried a payload. Data in a SYN used to be rare; TCP Fast Open (RFC 7413) has since made it a legitimate way to cut the latency to the first byte, so a dissector no longer treats it as an anomaly. Some quick shell work with tshark pulls the payloads out:

```shell
$ tshark -r ce6e1a612a1da91648306ace0cf7151e6531abc9.pcapng -Y 'tcp.connection.syn' -T fields -e data
474f41540147494638
474f41540139614e02
474f415401e100a100
474f41540100ffffff
474f415401000000ff
474f415401ffffffff
474f415401ff21ff0b
474f4154014e455453
474f41540143415045
474f415401322e3003
...
```

It is easy to see that the first five of the nine bytes in every data field are 47 4F 41 54 01. Rather than trusting a glance at the first few packets, verify it across the whole capture:

```shell
$ tshark -r ce6e1a612a1da91648306ace0cf7151e6531abc9.pcapng -Y 'tcp.connection.syn' -T fields -e data | cut -b -10 | uniq
474f415401
```

So every packet shares a common “header”, which fits the goat theme of the CTF: it reads GOAT\x01. A single line of output is proof enough, because uniq prints one line per run of identical adjacent lines. Now strip the header from each packet and concatenate the rest, in capture order:

```shell
$ tshark -r ce6e1a612a1da91648306ace0cf7151e6531abc9.pcapng -Y 'tcp.connection.syn' -T fields -e data | cut -b 11- | tr -d '\n' | xxd -r -p > temp
```

Anyone who reads hex will have noticed that the first packets spell out a GIF header: the reassembled file starts with GIF89a, followed by a 590 × 225 logical screen (4e 02 and e1 00, little-endian), and `file temp` should report the same. The extracted image is the infamous ROFLcopter:

[image: roflcopter]

Still no flag, but something is clearly blinking in the image.

The obvious next step is to look at what is hidden in the short-lived frame. Split the GIF into its frames with ImageMagick; -coalesce composites each frame onto the ones before it, so frames that only encode a small changed region come out as complete images:

```shell
$ convert -coalesce temp out%05d.pgm
```

[image: out00016]

Among the resulting outXXXXX.pgm files, out00016.pgm (ImageMagick numbers from zero, so this is the 17th frame) holds the flag: TUCTF{xxxxxxx CENSORED xxxxxxxxxxxx}
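The extraction and frame-hunting steps above, as an added Python example that is not part of the original writeup or the challenge: it reassembles the file from tshark's per-SYN hex lines (refusing any packet whose prefix is not GOAT\x01, so a wrong display filter fails loudly instead of silently corrupting the output), parses the GIF container to list every frame with the delay from its Graphic Control Extension, and picks the frame with the shortest delay, which is the one that blinks past. The sample GIF and the hex lines are constructed inline and are not the challenge's capture; with real input, the lines are the output of the tshark command above, one per packet.

```python
"""Reassemble a file smuggled in TCP SYN payloads and find the short-lived GIF frame.

Added example for this writeup, not the challenge author's code. It assumes the
per-packet layout the writeup found (a constant 5-byte "GOAT\\x01" prefix, then
file bytes) and consumes tshark's `-T fields -e data` hex output, one SYN per
line. The sample GIF and hex lines below are constructed here, not captured.
"""
import struct

HEADER = bytes.fromhex("474f415401")  # b"GOAT\x01", the prefix seen on every SYN


def reassemble(hex_lines, header=HEADER):
    """Strip the constant header from each packet's data and concatenate the rest.

    Packets are taken in the order given (capture order). A packet whose data
    does not start with the header raises instead of being skipped, so a
    mis-filtered capture shows up rather than producing a corrupt file.
    """
    out = bytearray()
    for n, line in enumerate(hex_lines, 1):
        line = line.strip()
        if not line:
            continue
        chunk = bytes.fromhex(line)
        if not chunk.startswith(header):
            raise ValueError(f"packet {n}: unexpected prefix {chunk[:len(header)].hex()}")
        out += chunk[len(header):]
    return bytes(out)


def _skip_subblocks(data, pos):
    """Skip a chain of GIF data sub-blocks (length byte + payload) up to the 0 terminator."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_frames(data):
    """Walk the GIF block structure; return (delay_cs, width, height) per frame.

    delay_cs is the delay from the Graphic Control Extension preceding the
    frame, in hundredths of a second (None if the frame has no GCE). Image
    data is skipped, not decoded: only the container is parsed.
    """
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    _width, _height, flags = struct.unpack_from("<HHB", data, 6)
    pos = 13  # header (6) + logical screen descriptor (7)
    if flags & 0x80:  # global color table: 3 bytes * 2^(n+1) entries
        pos += 3 * (2 << (flags & 7))
    frames, delay = [], None
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:  # trailer
            break
        if block == 0x21:  # extension: label byte, then sub-blocks
            label = data[pos]
            pos += 1
            if label == 0xF9:  # GCE sub-block: size(4), packed, delay(2), transparent index
                delay = struct.unpack_from("<H", data, pos + 2)[0]
            pos = _skip_subblocks(data, pos)
        elif block == 0x2C:  # image descriptor
            _, _, fw, fh, fflags = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if fflags & 0x80:  # local color table
                pos += 3 * (2 << (fflags & 7))
            pos += 1  # LZW minimum code size
            pos = _skip_subblocks(data, pos)
            frames.append((delay, fw, fh))
            delay = None
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
    return frames


def shortest_frame(frames):
    """Index of the frame with the smallest delay: the one that blinks past."""
    delays = [d if d is not None else float("inf") for d, _, _ in frames]
    return delays.index(min(delays))


# Constructed sample: a 1x1 two-frame GIF89a. The first frame is shown for
# 1.00 s, the second for 0.05 s. The image data is the canonical minimal 1x1
# LZW stream (min code size 2, one 2-byte sub-block).
_PIXEL = b"\x02\x02\x44\x01\x00"


def _frame(delay_cs):
    gce = b"\x21\xf9\x04\x00" + struct.pack("<H", delay_cs) + b"\x00\x00"
    desc = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    return gce + desc + _PIXEL


SAMPLE_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)  # 1x1 screen, 2-entry global color table
    + b"\x00\x00\x00\xff\xff\xff"              # palette: black, white
    + _frame(100)
    + _frame(5)
    + b"\x3b"
)

# What tshark's `-e data` lines would look like for this file: GOAT\x01 plus
# four file bytes per SYN, the same packet layout as in the capture.
SAMPLE_LINES = [(HEADER + SAMPLE_GIF[i:i + 4]).hex() for i in range(0, len(SAMPLE_GIF), 4)]

if __name__ == "__main__":
    blob = reassemble(SAMPLE_LINES)
    frames = gif_frames(blob)
    print(f"{len(blob)} bytes, {len(frames)} frames, shortest is #{shortest_frame(frames)}")
```

With the real capture, feed reassemble the lines printed by the tshark command, pass the result to gif_frames, and map the index from shortest_frame onto the out%05d.pgm numbering; both count from zero, so an index of 16 is out00016.pgm.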
