B-Sides Vancouver CTF 2015 - garbage file
March 18, 2015
Description
Your buddy Joey left a USB key with some data he needs your help with. He pulled it from the firewall logs at a 'secure file format'-as-a-Service provider, so he's pretty sure it might be protected or obfuscated somehow.
Solution
A PCAPNG file is provided. In it we can see a series of UDP packets that carry the data:
We need to extract everything sent over UDP, which we can do with tshark; the payloads, one per datagram, look like this:
00026163636f756e742d646174612e62696e006f6374657400
00040000
0003000100004edf00002e77789c0173018cfe4435d00b168b...
00040001
00030002803434680f53d41a3d4068007a801a1ea0341a1ea7...
00040002
00030003142dfea2fb389f6ded40c310f8dcc905034127d07f...
Each DATA and ACK message starts with two 16-bit big-endian integers followed by the payload. This is plain TFTP (RFC 1350) over UDP: the first word is the opcode (2 = WRQ, 3 = DATA, 4 = ACK) and the second is the block number, so the first packet is a write request for account-data.bin in octet mode, the second is the ACK for block 0, and from there DATA and ACK alternate with an incrementing block number. I used this PHP script to strip the 4-byte header from every DATA packet and split the resulting stream into bzip2 files, based on the BZh headers found in the dump:
<?php
$file = file('data.txt'); // one hex-encoded UDP payload per line, as dumped by tshark
$out = '';
// Line 0 is the WRQ and line 1 is ACK 0; after that DATA and ACK alternate,
// so every second line from index 2 on is a DATA packet.
for ($i = 2; $i < count($file); $i += 2) {
    $out .= hex2bin(substr(trim($file[$i]), 8)); // strip the 4-byte TFTP header (opcode + block number)
}
@mkdir('bzips');
$i = 0;
// Split the stream on the bzip2 magic and put the magic back on every piece
// (piece 0 is whatever precedes the first marker, so it gets a bogus header).
$bzs = explode('BZh', $out);
foreach ($bzs as $bz) {
    file_put_contents('bzips/' . $i++, 'BZh' . $bz);
}
?>
Twenty-two files are created; now decompress them with Python:
import bz2
import sys

# Try to decompress each carved piece; report the ones that are not valid bzip2.
for i in range(0, 22):
    try:
        with bz2.BZ2File(str(i), "rb") as f:
            print(f.read())
    except Exception:
        sys.stderr.write('file ' + str(i) + ' invalid\n')
Only three files fail to decompress:
file 0 invalid
file 8 invalid
file 21 invalid
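The TFTP reassembly and carving described above, done in one pass in Python as an added example (it is not part of the original writeup). It keys DATA packets on their block number instead of taking every second line, so a retransmitted or reordered datagram cannot corrupt the output, checks that no block is missing and that the last block is short, and then carves on both the bzip2 (BZh) and zlib (78 9C) signatures rather than splitting on BZh alone. The capture it parses is constructed here: the WRQ and ACK 0 lines are the ones from the dump, the DATA blocks are generated from two small compressed streams with zero padding between them, and block 2 is sent twice on purpose. Function names are this example's own.

```python
import bz2
import struct
import zlib

# TFTP opcodes from RFC 1350; the capture only contains WRQ, DATA and ACK.
TFTP_WRQ, TFTP_DATA, TFTP_ACK = 2, 3, 4
TFTP_BLKSIZE = 512  # default block size; a DATA block shorter than this ends the transfer


def parse_tftp(hexline):
    """Decode one hex-encoded UDP payload (one tshark line) into (opcode, fields)."""
    pkt = bytes.fromhex(hexline.strip())
    (opcode,) = struct.unpack(">H", pkt[:2])
    if opcode == TFTP_WRQ:
        filename, mode, _ = pkt[2:].split(b"\x00", 2)
        return opcode, {"filename": filename.decode(), "mode": mode.decode()}
    (block,) = struct.unpack(">H", pkt[2:4])
    return opcode, {"block": block, "data": pkt[4:]}


def reassemble(hexlines):
    """Rebuild the transferred file from the DATA packets. Blocks are keyed by number,
    so retransmitted or reordered datagrams cannot corrupt the output."""
    request, blocks = None, {}
    for line in hexlines:
        opcode, fields = parse_tftp(line)
        if opcode == TFTP_WRQ:
            request = fields
        elif opcode == TFTP_DATA:
            blocks.setdefault(fields["block"], fields["data"])  # keep the first copy
    if not blocks:
        raise ValueError("no DATA packets in capture")
    last = max(blocks)
    missing = sorted(set(range(1, last + 1)) - set(blocks))
    if missing:
        raise ValueError("capture is missing DATA blocks %r" % missing)
    if len(blocks[last]) >= TFTP_BLKSIZE:
        raise ValueError("last block is full size: the transfer did not finish")
    return request, b"".join(blocks[n] for n in range(1, last + 1))


# Signatures to carve on. The PHP script split on "BZh" only; 78 9C is the header
# zlib writes at its default level, and it is carved the same way here.
SIGNATURES = [
    (b"BZh", "bzip2", bz2.BZ2Decompressor),
    (b"\x78\x9c", "zlib", zlib.decompressobj),
]


def carve(stream):
    """Try to inflate the stream at every signature hit. Returns (offset, kind, plaintext)
    tuples, with plaintext None where the bytes do not decompress (false hit or damaged data)."""
    hits = []
    for magic, kind, new_decompressor in SIGNATURES:
        at = stream.find(magic)
        while at != -1:
            d = new_decompressor()
            try:
                out = d.decompress(stream[at:])
                if not d.eof:  # input ran out before the end-of-stream marker
                    raise ValueError("truncated stream")
            except (OSError, EOFError, ValueError, zlib.error):
                out = None
            hits.append((at, kind, out))
            at = stream.find(magic, at + 1)
    return sorted(hits)


# ---- constructed sample capture; not the real challenge data ----------------
MSG_BZ2 = b"first payload, bzip2-compressed\n"
MSG_ZLIB = b"second payload, zlib-compressed\n"
SAMPLE_FILE = b"\x00" * 16 + bz2.compress(MSG_BZ2) + b"\x00" * 700 + zlib.compress(MSG_ZLIB)


def build_capture(content):
    """Emit hex lines in the shape of the tshark dump above. The WRQ and ACK 0 lines are
    the ones from the page; DATA/ACK pairs are generated, and DATA block 2 is sent twice
    to mimic a retransmission."""
    lines = ["00026163636f756e742d646174612e62696e006f6374657400", "00040000"]
    chunks = [content[i:i + TFTP_BLKSIZE] for i in range(0, len(content), TFTP_BLKSIZE)]
    if not chunks or len(chunks[-1]) == TFTP_BLKSIZE:
        chunks.append(b"")  # a transfer ending on a block boundary is closed by an empty DATA
    for n, chunk in enumerate(chunks, start=1):
        data = struct.pack(">HH", TFTP_DATA, n) + chunk
        lines.append(data.hex())
        if n == 2:
            lines.append(data.hex())
        lines.append(struct.pack(">HH", TFTP_ACK, n).hex())
    return lines


def recover(hexlines=None):
    """Full pipeline: parse the capture, rebuild the file, carve and inflate what it holds."""
    request, stream = reassemble(hexlines if hexlines is not None else build_capture(SAMPLE_FILE))
    plaintexts = [out for _, _, out in carve(stream) if out is not None]
    return request, stream, plaintexts


if __name__ == "__main__":
    req, raw, found = recover()
    print(req, len(raw), "bytes reassembled")
    for text in found:
        print(text)
```

To run it against the real dump, pass the tshark lines to recover() instead of the constructed capture; the missing-block check is what tells you whether the pcap caught the whole transfer before you start guessing at the contents.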
File 0 is the piece before the first BZh marker, so it has no bzip2 header and is skipped. File 8 is the largest (20.8 KB), which makes it a good candidate for the file we are after. It fails as bzip2, but it looks like it starts with a zlib header (78 9C, the header zlib writes at its default level, is visible in the dump above), so we guess that it is zlib-compressed instead:
It decompresses cleanly and yields a base64-encoded file:
iVBgMA0KNH0AAC56SUhqJQAALO0AAC4TCAIudwCpR3DoAC53AXN8MEIAgLkc6S53AAleP1lzLncL Ey53CxMvd5qcNncAQC4+REF6DwHt83C8BWsCMPB7xwsIBH9SBQojRUGjPbH3OPolxPZlTYIDJj8T Y3saExvhmNgfMRMLBOHERp5W2MAofwgoM9MqKqxXWL7RyXlvwZnM7FMM997V/ez88Ji+2ffuM2fg ... (cropped) a0ANOm8oMH4XoMBu9tWlbty/38TVNdQQJ2Cg7jeBgSx0BQYkA6fAjrm700S/OVBO18BAr/YCAyuh KAUoAr5GFRFAa463QIGvdQMFKH10p+7Xzrv9Hcg5fhegwG72gQItctYoK3F1vmhMZkBF18BAr/YC AytxCnSJt6DOlaRqyBcnYKDuN4GBLHQF1gZyBnWQMTtmbhygwG72gQItcgYKWtDA/ymC2qJiimhr 73cAAC4+RU5q2UJgrA==
Base64-decoding it gives a PNG that has been XORed with the repeating 4-byte key 00 00 2E 77. The key falls out of the known PNG signature: XORing the first eight decoded bytes 89 50 60 30 0D 0A 34 7D with 89 50 4E 47 0D 0A 1A 0A gives 00 00 2E 77 00 00 2E 77, and the same period holds over the IHDR chunk header that follows. The decrypted image:
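How the XOR key is recovered and checked, as an added example that is not part of the original writeup. It decodes the first 64 base64 characters of the blob above (48 bytes), derives the key by a known-plaintext attack against the fixed first 16 bytes of any PNG (the signature plus the IHDR chunk header), trying periods from 1 upwards and accepting the first one every known byte agrees with, then parses the decrypted prefix to confirm it is a well-formed PNG with a sane IHDR and matching chunk CRCs. It works on that prefix only; the function names are this example's own.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# The signature is always followed by the IHDR chunk header (length 13, type "IHDR"),
# so the first 16 bytes of every PNG are known plaintext.
PNG_KNOWN_PREFIX = PNG_SIG + b"\x00\x00\x00\x0dIHDR"

# First 64 characters of the base64 blob shown above (48 bytes of ciphertext).
CIPHERTEXT_B64 = "iVBgMA0KNH0AAC56SUhqJQAALO0AAC4TCAIudwCpR3DoAC53AXN8MEIAgLkc6S53"


def guess_repeating_xor_key(ciphertext, known_plaintext):
    """Known-plaintext attack on repeating-key XOR: ct[i] ^ pt[i] == key[i % n].
    Periods are tried in increasing order; one is only trusted if the known text
    covers it at least twice, so that every key byte is confirmed by a second sample."""
    for n in range(1, len(known_plaintext) // 2 + 1):
        key = bytearray(n)
        for i, (c, p) in enumerate(zip(ciphertext, known_plaintext)):
            k = c ^ p
            if i < n:
                key[i] = k
            elif key[i % n] != k:
                break  # this period contradicts the known plaintext
        else:
            return bytes(key)
    raise ValueError("known plaintext does not fit a short repeating XOR key")


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def png_chunks(data):
    """Walk the chunks that are complete in `data` and verify each CRC (CRC-32 over
    type + body). Stops at the first chunk that runs past the end, so a prefix is fine."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("ascii"), length, crc_ok))
        pos = end
    return chunks


def ihdr_fields(data):
    """IHDR body sits at bytes 16..29: width, height, bit depth, colour type,
    compression, filter, interlace."""
    width, height, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", data[16:29])
    return {"width": width, "height": height, "bit_depth": depth, "colour_type": colour,
            "compression": comp, "filter": filt, "interlace": interlace}


def solve(ciphertext_b64=CIPHERTEXT_B64):
    """Decode, recover the key from the PNG header, and decrypt. Returns (key, plaintext)."""
    ct = base64.b64decode(ciphertext_b64)
    key = guess_repeating_xor_key(ct, PNG_KNOWN_PREFIX)
    return key, xor_bytes(ct, key)


if __name__ == "__main__":
    key, pt = solve()
    print("key:", key.hex())
    print(ihdr_fields(pt))
    print(png_chunks(pt))
```

The CRC check is the part worth keeping: a wrong or mis-aligned key still produces bytes that may look like a header, but it will not produce a chunk whose CRC-32 matches, so a single verified chunk is a much stronger confirmation than eyeballing the first eight bytes.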
Flag
key{03087-08351-27H}
Filed under: Miscellaneous, Computer challenges, Security