HackFest Final 2016 / forensic 100

Hi, this is my write-up about the forensic 100 task in the HackFest CTF final in Tunisia.

So we have a for100.pcap file.

First we open it with Wireshark and check what's going on there.

There are many requests and nothing obviously useful for us.

But before the CTF ended we noticed an invalid-looking domain in there: "harmlessdomain.net".

So we decided to extract all of it using a simple trick in Wireshark, a display filter that keeps only the DNS queries for that domain:

dns.flags == 0x0100 and dns.qry.name matches "[0-9]{1}.[0-9a-f]{4}.harmlessdomain.net"

and then "File" -> "Export Specified Packets" gives us another pcap file with just what we need.

Then we extract the hex characters (each query carries a 4-hex-character chunk, and the pipeline concatenates them):

strings for100_filtred.pcap | grep -P "^[0-9a-f]{4}$" | tr -d "\n" > res

We get this:


So we can see that it is the signature of a gzip file (1F 8B 08 00), but with the bytes in the wrong order.

We tried simply swapping them but still got a broken file, and finally we just swapped the bytes two by two (every pair of adjacent bytes) to get:


and just a simple Python script (only its first line survived here):

file_hex = open('res','r').read()  # the concatenated hex produced by the strings/grep pipeline above
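A fuller version of that reconstruction step, as an added example rather than the author's original script: it unhexes the contents of `res`, swaps adjacent bytes two by two, checks for the gzip signature and decompresses. SAMPLE_RES is a constructed stand-in for the real capture (a gzip stream byte-swapped the same way), since the original `res` is not on the page.

```python
import binascii
import gzip

GZIP_MAGIC = b"\x1f\x8b"


def swap_pairs(data: bytes) -> bytes:
    """Swap every two adjacent bytes (AB CD -> BA DC).

    A trailing odd byte stays where it is, so the function is its own inverse.
    """
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def recover_gzip(hex_text: str) -> bytes:
    """Turn the concatenated 4-hex-char chunks from `res` into a valid gzip stream."""
    raw = binascii.unhexlify(hex_text.strip())
    if raw.startswith(GZIP_MAGIC):
        return raw  # already in the right order, nothing to fix
    fixed = swap_pairs(raw)
    if not fixed.startswith(GZIP_MAGIC):
        raise ValueError("no gzip signature after byte swap: %s" % fixed[:4].hex())
    return fixed


def recover_payload(hex_text: str) -> bytes:
    """Recover and decompress the exfiltrated file in one go."""
    return gzip.decompress(recover_gzip(hex_text))


def exfil_hex_from(payload: bytes) -> str:
    """Constructed sample: gzip the payload and emit it byte-swapped,
    exactly as the capture showed it (8b1f 0008 ... instead of 1f8b 0800 ...)."""
    return swap_pairs(gzip.compress(payload, mtime=0)).hex()


# Constructed stand-in for the real `res` file from the pcap.
SAMPLE_RES = exfil_hex_from(b"too_easy_to_be_proud\n")

if __name__ == "__main__":
    # Real use: read the hex dumped by the strings/grep pipeline and write the
    # repaired gzip stream; GNU tar auto-detects the compression when extracting.
    with open("res") as f, open("flag.tar", "wb") as out:
        out.write(recover_gzip(f.read()))
```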


tar -xvf flag.tar

And pwn :D we get a secret.txt file containing our flag :D

flag = " too_easy_to_be_proud"

thanks :)