Tuesday, 8 September 2015

[Write-up] MMA CTF 2015 - Splitted 30

01:53 Posted by Matnacian, 2 comments
This is an "El Clásico" forensics challenge, but I found it a little bit difficult to solve. Poor me! T.T

We get a pcap file. Out of habit, while waiting for Wireshark to open splitted.pcap, I ran foremost on it:

Really, easy???
I went to /splitted/output/zip and opened the zip file, but it was corrupted.
OK, back to Wireshark.

Sorting the packets by Length, you can see some zip files like this:

Export them to files: File > Export Objects > HTTP:
Click Save All. Now we have eight files, flag(1).zip through flag(8).zip.
We can guess that the zip file containing the flag was split into 8 pieces, and that we must join them to recover the flag. Let's try:
$ cat flag* > final.zip
Extract final.zip! Waiting... Still corrupted.

I used a hex editor to inspect these zip files and realized they weren't in order.
For example, flag(1).zip has the zip "PK" header, so it must be the first file when joining.
So the main task in this challenge is to arrange the 8 split files in the right order before joining them.
How can we do this?

Back to Wireshark again. Randomly, I chose packet No. 86 and "Follow TCP Stream".
Aha, "Range: bytes=1876-2344"

Can you guess what we should do now? Each exported object was served in response to one HTTP Range request, so the Range header of each request tells us where its chunk belongs in the original file.
Right! We have this table:

Now we rename the flag*.zip files to final*.zip based on the order above.
For example, flag(1).zip -> final1.zip, flag(7).zip -> final5.zip.
Join these files with: $ cat final* > final.zip
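The rename-and-cat step above done programmatically, as an added example that is not part of the original write-up: it orders the exported chunks by the start offset in each request's Range header and refuses to join them if any byte range is missing, overlapping, or shorter than its Range claims. The filenames, offsets and payload bytes are constructed stand-ins, not the challenge's real values.

```python
import re

# Constructed sample: a 40-byte stand-in "zip", split into chunks that are named
# and ordered the way Wireshark's Export Objects hands them back (scrambled).
# Offsets and payloads are constructed, not the challenge's values.
ORIGINAL = b"PK\x03\x04" + bytes(range(36))
CHUNKS = {                      # exported filename -> (Range request value, payload)
    "flag(1).zip": ("bytes=0-9",   ORIGINAL[0:10]),
    "flag(2).zip": ("bytes=30-39", ORIGINAL[30:40]),
    "flag(3).zip": ("bytes=10-19", ORIGINAL[10:20]),
    "flag(4).zip": ("bytes=20-29", ORIGINAL[20:30]),
}

RANGE_RE = re.compile(r"^bytes=(\d+)-(\d+)$")

def parse_range(value: str) -> tuple[int, int]:
    """Parse a single-range 'bytes=start-end' Range value; end is inclusive."""
    m = RANGE_RE.match(value.strip())
    if not m or int(m.group(2)) < int(m.group(1)):
        raise ValueError(f"unsupported or invalid Range value: {value!r}")
    return int(m.group(1)), int(m.group(2))

def order_chunks(chunks: dict) -> list[str]:
    """Return the exported filenames sorted by the start byte of their Range."""
    return sorted(chunks, key=lambda name: parse_range(chunks[name][0])[0])

def reassemble(chunks: dict) -> bytes:
    """Concatenate chunks in Range order, refusing gaps, overlaps and short payloads."""
    out = bytearray()
    expected = 0                # next byte offset the reassembled file needs
    for name in order_chunks(chunks):
        rng, data = chunks[name]
        start, end = parse_range(rng)
        if start != expected:
            raise ValueError(f"{name}: expected byte {expected}, Range starts at {start}")
        if len(data) != end - start + 1:
            raise ValueError(f"{name}: payload {len(data)} bytes, Range covers {end - start + 1}")
        out += data
        expected = end + 1
    if not out.startswith(b"PK\x03\x04"):   # zip local file header magic
        raise ValueError("reassembled data does not start with a zip local file header")
    return bytes(out)

if __name__ == "__main__":
    print(order_chunks(CHUNKS))
    print(reassemble(CHUNKS) == ORIGINAL)
```

On the real capture, fill CHUNKS from the Range value shown by "Follow TCP Stream" for each request and the bytes of the matching exported object.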
Extract it. Bingo, we get flag.psd. Open it with Photoshop or GIMP:

Blank? Don't worry. In the right panel you will see 2 layers. Hide or delete the 背景 (Japanese for "Background") layer.
Boom!!! Flag is:

Thanks for reading! ^^ And happy CTF! :D
--- matnacian ---
--- ctf for beginners ---