We are given a pcap file here. Out of habit, while waiting for Wireshark to open splitted.pcap, I ran foremost on it:
Really, easy???
I went to /splitted/output/zip and opened the zip file, but it was corrupted.
OK, back to Wireshark.
Sorting packets by Length, you can see some zip files like this:
Click Save All. Now we have 1, 2, ... 8 flag.zip files.
We can guess that the zip file containing the flag was split into 8 files, and we must join these files to capture the flag. Let's try:
$ cat flag* > final.zip
Extract the final.zip file! Waiting... Still corrupted.
I used a hex editor to inspect these zip files, and realized they weren't in order.
For example, flag(1).zip starts with the zip header PK, so it must be the first file when joining.
So the biggest task in this challenge is arranging the 8 split files in the right order to join them.
How can we do this?
Back to Wireshark again. I picked packet No. 86 at random and chose "Follow TCP Stream".
Aha, "Range: bytes=1876-2344"
Right! We have this table:
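For example, flag(1).zip -> final1.zip, flag(7).zip -> final5.zip.
Join these files with the command: $ cat final[1-8].zip > final.zip (the glob is narrowed so the corrupted final.zip from the first attempt is not matched as an input).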
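The ordering step above, as an added example that is not part of the original writeup: it sorts fragments by the start offset in their Range header, checks that the ranges are contiguous, and joins them. The function names and the sample zip are constructed for illustration; in the challenge, the (header, body) pairs would come from the eight HTTP streams.

```python
import io
import random
import re
import zipfile

# Matches both "Range: bytes=1876-2344" and "Content-Range: bytes 1876-2344/..."
RANGE_RE = re.compile(r"bytes[= ](\d+)-(\d+)")

def reassemble(parts):
    """parts: iterable of (range_header, body_bytes). Returns the joined file."""
    spans = []
    for header, body in parts:
        m = RANGE_RE.search(header)
        if not m:
            raise ValueError(f"no byte range in {header!r}")
        start, end = int(m.group(1)), int(m.group(2))
        if end - start + 1 != len(body):  # HTTP byte ranges are inclusive
            raise ValueError(f"{header!r}: body is {len(body)} bytes")
        spans.append((start, end, body))
    spans.sort(key=lambda s: s[0])
    out, expected = bytearray(), 0
    for start, end, body in spans:
        if start != expected:  # a missing or duplicated fragment shows up here
            raise ValueError(f"expected offset {expected}, got {start}")
        out += body
        expected = end + 1
    return bytes(out)

def make_sample(n_parts=8, seed=1):
    """Constructed input: a small zip cut into n_parts ranges, then shuffled."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("flag.txt", "constructed sample, not the challenge flag\n" * 20)
    data = buf.getvalue()
    step = -(-len(data) // n_parts)  # ceiling division
    parts = [(f"Range: bytes={i}-{min(i + step, len(data)) - 1}", data[i:i + step])
             for i in range(0, len(data), step)]
    random.Random(seed).shuffle(parts)
    return data, parts

if __name__ == "__main__":
    original, parts = make_sample()
    joined = reassemble(parts)
    assert joined[:4] == b"PK\x03\x04"  # zip local file header magic
    # testzip() returns None when every member's CRC checks out
    print(zipfile.ZipFile(io.BytesIO(joined)).testzip())
```

A missing final fragment leaves no gap for the offset check to see, so the zip integrity test at the end is what catches a truncated file.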
Extract it. Bingo. We get the flag.psd. Open it with Photoshop or GIMP:
Blank? Don't worry. On the right panel, you will see 2 layers. Hide/Delete the 背景 layer.
Boom!!! Flag is:
--- matnacian ---
--- ctf for beginners ---
Good writeup
Thanks very much! :D
You make my day ^^