# FH01 - 500pts

## Briefing

> Download the file and find a way to get the flag.

Challenge Files:

* [fh01.zip](https://github.com/HHousen/NCS-Competition/tree/e3a1ab990b675bd865fdddd9e5fa5cd7895b3b02/Forensics/FH01/fh01.zip)

## Solution

1. Looking through the packet capture file we notice there appear to be files sent on `udp.stream == 2`. I tried extracting these files by saving what `192.168.47.129` sends in `udp.stream == 2` as raw bytes and then using `binwalk`, but `binwalk` only extracted corrupted versions of the files. I tried using a hex editor to manually save the files from the raw bytes, but this failed for the same reason: some files are "corrupted" because they are missing bytes or have extra bytes.
2. The protocol used for these files is unique as far as I know. `192.168.47.129` sends data to `192.168.47.128` in 626 byte chunks. However, these chunks are not pure file content (each one carries a header in front of the data), which causes the aforementioned problems.
3. The protocol works like this:
   1. `192.168.47.128`: Requests the file `get <filename>`
   2. `192.168.47.129`: Sends the file in segments `<segment id (8 bytes)> <op code (8 bytes)> <data>`
   3. `192.168.47.128`: Acknowledges that segment has been received by sending the segment id back `<segment id (8 bytes)>`
   4. Repeat steps 2 and 3 until the entire file is sent.
4. We can extract the data in a more usable format using `tshark`: `tshark -r fh01.pcapng -T fields -e data --disable-protocol sigcomp --disable-protocol wg --disable-protocol pathport --disable-protocol dcerpc -Y '(ip.src == 192.168.47.129 && frame.len == 626) || (ip.src == 192.168.47.128 && udp)' > udp_stream_2.dmp`
5. We write a Python [script.py](https://github.com/HHousen/NCS-Competition/tree/e3a1ab990b675bd865fdddd9e5fa5cd7895b3b02/Forensics/FH01/script.py) to parse the data and export the files. The [script](https://github.com/HHousen/NCS-Competition/tree/e3a1ab990b675bd865fdddd9e5fa5cd7895b3b02/Forensics/FH01/script.py) loops through the lines of `udp_stream_2.dmp`. If a line starts with the word `get`, a new file is being transferred and the program starts storing each segment of length 4129, which is the hexadecimal equivalent of the 626 byte chunks from Wireshark.
6. The flag is in the last file `5.zip`. Extract `5.zip` and open `5.jpg` to get the flag.
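The reassembly step described above, as an added example (this is not the author's `script.py`): a Python parser that reads the hex payload lines `tshark -T fields -e data` prints, one UDP payload per line, and rebuilds each file from the `get <filename>` / segment / ack exchange. It keys segments by their id, so a retransmitted or out-of-order segment overwrites rather than duplicates (the "extra bytes" `binwalk` tripped over), and it reports segment ids missing from the capture. The field sizes come from the protocol summary above; the assumption that the 8-byte segment id is an unsigned big-endian integer, the constructed `SAMPLE_LINES` traffic and the `extracted/` output directory are this example's own, not the page's.

```python
import struct
import sys
from collections import defaultdict
from pathlib import Path

# Field sizes as described in the writeup's protocol summary.
SEG_ID_LEN = 8
OPCODE_LEN = 8
HEADER_LEN = SEG_ID_LEN + OPCODE_LEN


def parse_dump(lines):
    """Reassemble transferred files from hex payload lines (one UDP payload per
    line, as `tshark -T fields -e data` prints them).

    Protocol (from the writeup): `get <filename>` opens a transfer, the sender then
    emits `<segment id (8)> <op code (8)> <data>` segments, and the receiver acks
    each one with the bare 8-byte segment id. ASSUMPTION: the segment id is an
    unsigned big-endian integer; the writeup does not state its encoding.

    Returns (files, gaps): files maps filename -> reassembled bytes, gaps maps
    filename -> sorted list of segment ids missing from the capture.
    """
    segments = defaultdict(dict)  # filename -> {segment id: data bytes}
    current = None

    for raw in lines:
        hexstr = raw.strip().replace(":", "")  # older tshark separates bytes with ':'
        if not hexstr:
            continue
        payload = bytes.fromhex(hexstr)

        if payload.startswith(b"get "):
            # Receiver requests a file; everything until the next request belongs to it.
            current = payload[4:].split(b"\x00", 1)[0].decode("ascii", "replace").strip()
            segments.setdefault(current, {})
            continue
        if current is None or len(payload) == SEG_ID_LEN:
            # No transfer open yet, or this is the receiver's 8-byte ack: no file data.
            continue
        if len(payload) <= HEADER_LEN:
            continue  # header only or truncated payload; nothing to store

        seg_id = struct.unpack(">Q", payload[:SEG_ID_LEN])[0]
        # Keying by id makes a retransmitted segment overwrite instead of duplicate.
        segments[current][seg_id] = payload[HEADER_LEN:]

    files, gaps = {}, {}
    for name, segs in segments.items():
        ids = sorted(segs)
        files[name] = b"".join(segs[i] for i in ids)  # sorting repairs out-of-order delivery
        gaps[name] = [i for i in range(ids[0], ids[-1] + 1) if i not in segs] if ids else []
    return files, gaps


# --- Constructed sample traffic (not taken from the challenge capture) ----------
def seg_line(seg_id, data, opcode=b"\x00" * OPCODE_LEN):
    return (struct.pack(">Q", seg_id) + opcode + data).hex()


def ack_line(seg_id):
    return struct.pack(">Q", seg_id).hex()


def get_line(name):
    return (b"get " + name.encode("ascii")).hex()


SAMPLE_LINES = [
    get_line("1.txt"),
    seg_line(0, b"The quick "), ack_line(0),
    seg_line(1, b"brown fox "),               # first copy: ack lost, sender retransmits later
    seg_line(2, b"jumps over"), ack_line(2),
    seg_line(1, b"brown fox "), ack_line(1),  # retransmission arrives out of order
    get_line("2.txt"),
    seg_line(0, b"partial"), ack_line(0),
    seg_line(2, b"file"), ack_line(2),        # segment 1 never made it into the capture
]


if __name__ == "__main__":
    # Usage: python reassemble.py udp_stream_2.dmp   (no argument: use the sample)
    lines = Path(sys.argv[1]).read_text().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    files, gaps = parse_dump(lines)
    out = Path("extracted")
    out.mkdir(exist_ok=True)
    for name, data in files.items():
        (out / Path(name).name).write_bytes(data)  # Path(name).name drops any '../' in a name
        status = "complete" if not gaps[name] else f"missing segments {gaps[name]}"
        print(f"{name}: {len(data)} bytes, {status}")
```

Unlike the writeup's script, which recognises data segments by their fixed hex length, this version recognises them by structure (request prefix, 8-byte ack, anything longer than the 16-byte header), so it also works if a final short segment is shorter than 626 bytes. The gap report is the check worth looking at before opening an extracted archive: a file with missing ids will be truncated no matter how carefully the rest is reassembled.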

### Flag

`C4tch1ng_H0n3y_p0Ts_w1TH_a_Sh4rk!`

