FH01 - 500pts
Last updated
Was this helpful?
Last updated
Was this helpful?
Download the file and find a way to get the flag.
Challenge Files:
Looking through the packet capture file we notice there appear to be files sent on udp.stream == 2
. I tried extracting these files by saving what 192.168.47.129
sends in udp.stream == 2
as raw bytes and then using binwalk
, but binwalk
only extracted corrupted versions of the files. I tried uses a hex editor to manually save the files from the raw bytes, but this failed for the same reason: some files are "corrupted" because they are missing bytes or have extra bytes.
The protocol used for these files is unique as far as I know. 192.168.47.129
sends data to 192.168.47.128
in 626 byte chunks. However, this data is not pure data, which causes the aforementioned problems.
The protocol works like this:
192.168.47.128
: Requests the file get <filename>
192.168.47.129
: Sends the file in segments <segment id (8 bytes)> <op code (8 bytes)> <data>
192.168.47.128
: Acknowledges that segment has been received by sending the segment id back <segment id (8 bytes)>
Repeat steps 2 and 3 until the entire file is sent.
We can extract the data is a more usable format usign tshark
: tshark -r fh01.pcapng -T fields -e data --disable-protocol sigcomp --disable-protocol wg --disable-protocol pathport --disable-protocol dcerpc -Y '(ip.src == 192.168.47.129 && frame.len == 626) || (ip.src == 192.168.47.128 && udp)' > udp_stream_2.dmp
We write a Python to parse through the data and export the files. The loops though the lines of udp_stream_2.dmp
. If the line starts with the word get
then a new file is being transferred and the program starts storing each segment with length 4129, which is the hexadecimal equivalent of the 626 byte chunks from wireshark.
The flag is in the last file 5.zip
. Extract 5.zip
and open 5.jpg
to get the flag.
C4tch1ng_H0n3y_p0Ts_w1TH_a_Sh4rk!