forensics/trivial_flag_transfer_protocol
@@ -0,0 +1 @@
picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}
+48
@@ -0,0 +1,48 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p tshark xxd steghide
# NOTE: tftp.pcanpng is big, has been omitted
mapfile -t FILE_REQS < <( \
tshark -r tftp.pcapng \
-Y "(ip.src==10.10.10.11 && tftp.opcode==1) || (ip.src==10.10.10.11 && tftp.opcode==2)" \
-T fields \
-e tftp.source_file \
-e tftp.destination_file \
| sed 's/\t//' \
| uniq \
)
mapfile -t STREAMS < <( \
tshark -r tftp.pcapng \
-Y "(ip.dst==10.10.10.11 && tftp.opcode==3) || (ip.dst==10.10.10.11 && tftp.opcode==4)" \
-T fields -e udp.stream \
| sort -nu \
)
mkdir -p out
for i in "${!FILE_REQS[@]}"; do
FILENAME="${FILE_REQS["$i"]}"
UDP_STREAM="${STREAMS["$i"]}"
echo "$FILENAME -> $UDP_STREAM"
tshark -r tftp.pcapng \
-Y "udp.stream==$UDP_STREAM && ((ip.dst==10.10.10.11 && tftp.opcode==3) || (ip.src==10.10.10.11 && data.len!=4))" \
-T fields -e data.data |
tr -d '\n' |
xxd -r -p > "out/$FILENAME"
done
# NOTE: the deb file contained steghide, assuming the plan is the passphrase for one of the pics
cat out/instructions.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
cat out/plan | tr 'A-Za-z' 'N-ZA-Mn-za-m'
STEGHIDE_PW="DUEDILIGENCE"
steghide extract --stegofile out/picture1.bmp --passphrase "$STEGHIDE_PW" ||:
steghide extract --stegofile out/picture2.bmp --passphrase "$STEGHIDE_PW" ||:
steghide extract --stegofile out/picture3.bmp --passphrase "$STEGHIDE_PW" ||:
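Review bot: In the extraction loop, `FILENAME` comes straight from the capture's `tftp.source_file`/`tftp.destination_file` fields and is used unchanged in `xxd -r -p > "out/$FILENAME"`, so a request name containing `../` would make the script write outside `out/`. A capture under analysis is untrusted input, so reduce the name to its basename and skip empty results before writing: `FILENAME="${FILENAME##*/}"` followed by `[[ -n "$FILENAME" ]] || continue`. The loop also pairs `FILE_REQS[i]` with `STREAMS[i]` purely by index after `uniq` and `sort -nu`, which appears to assume exactly one request per stream in matching order. A retransmitted or rejected request would shift every later file onto the wrong stream, so a guard such as `(( ${#FILE_REQS[@]} == ${#STREAMS[@]} )) || exit 1` before the loop would catch that case.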