<-- home

HackFest Final 2016 / forensic 100

hi this is my write up about forensic 100 task in the final hackfest ctf in tunisia

so we have a for100.pcap file

first we open it with wireshark and check what’s going on there

there is many request and nothing good for us

but before the ctf end we noticed that there is a not valid domain there “harmlessdomain.net”

so we decided to extract it all using a simple truck in wireshark

dns.flags == 0x0100 and dns.qry.name matches "[0-9]{1}.[0-9a-f]{4}.harmlessdomain.net"

and then File” -> “Export Specified Packets” we get another pcap file with just what we need

then we extract the hex caracteres

strings for100_filtred.pcap | grep -P "^[0-9a-f]{4}$" | tr -d "\n" > res

we get this :

8b1f00087dac57170300d0ed0a3131028414d4e1629e204fc6c91cbc64279d35491082de7a7a2d9591b416adfe1199af9a627a61b6397ba2aabd8cd9127dbc39c5d23f603173e30668c64483ef11758c7bde83316edddbd235dc61b75330df3eab736f5feb5894ff9ad6ee4aa4b74d355d259d5abb4f8f5f00020000000000000000000000007aac9d009a45009a00280000

so we can see that its a broken Signature header of gzip file 1F 8B 08 00

and we just swap them but we still get a broken file and finaly we just swap two by two to get :

1f8b0800ac7d17570003edd0310a02311484e1d49e624f20c9c6bc1c2764359d1049de827a7a952db491ad1611feaf99629a617a39b6a27bbdaad98c7d1239bcd2c5603f733106e3c668834411ef8c75de7b3183dd6ed2dbdc35b76130533edf73ab5f6f58ebff94d69a4aeeb7a4354d255d5a9d4fbb5f8f0200000000000000000000000000ac7a009d459a9a0028000000

and just a simple python script

#!/usr/bin/python
file_hex = open('res','r').read()
open('flag.tar','w').write(file_hex.decode('hex')) 

then

tar -xvf flag.tar

and pwn :D we get a secret.txt file which we have there our flag :D

flag = " too_easy_to_be_proud"

thanks :)