diff --git a/forensics/trivial_flag_transfer_protocol/flag.txt b/forensics/trivial_flag_transfer_protocol/flag.txt
new file mode 100644
index 0000000..a3dfec2
--- /dev/null
+++ b/forensics/trivial_flag_transfer_protocol/flag.txt
@@ -0,0 +1 @@
+picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}
diff --git a/forensics/trivial_flag_transfer_protocol/solve.sh b/forensics/trivial_flag_transfer_protocol/solve.sh
new file mode 100755
index 0000000..78447d5
--- /dev/null
+++ b/forensics/trivial_flag_transfer_protocol/solve.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p tshark xxd steghide
+
+# NOTE: tftp.pcanpng is big, has been omitted
+
+mapfile -t FILE_REQS < <( \
+ tshark -r tftp.pcapng \
+ -Y "(ip.src==10.10.10.11 && tftp.opcode==1) || (ip.src==10.10.10.11 && tftp.opcode==2)" \
+ -T fields \
+ -e tftp.source_file \
+ -e tftp.destination_file \
+ | sed 's/\t//' \
+ | uniq \
+)
+
+mapfile -t STREAMS < <( \
+ tshark -r tftp.pcapng \
+ -Y "(ip.dst==10.10.10.11 && tftp.opcode==3) || (ip.dst==10.10.10.11 && tftp.opcode==4)" \
+ -T fields -e udp.stream \
+ | sort -nu \
+)
+
+mkdir -p out
+
+for i in "${!FILE_REQS[@]}"; do
+ FILENAME="${FILE_REQS["$i"]}"
+ UDP_STREAM="${STREAMS["$i"]}"
+
+ echo "$FILENAME -> $UDP_STREAM"
+
+ tshark -r tftp.pcapng \
+ -Y "udp.stream==$UDP_STREAM && ((ip.dst==10.10.10.11 && tftp.opcode==3) || (ip.src==10.10.10.11 && data.len!=4))" \
+ -T fields -e data.data |
+ tr -d '\n' |
+ xxd -r -p > "out/$FILENAME"
+done
+
+# NOTE: the deb file contained steghide, assuming the plan is the passphrase for one of the pics
+
+cat out/instructions.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
+cat out/plan | tr 'A-Za-z' 'N-ZA-Mn-za-m'
+
+STEGHIDE_PW="DUEDILIGENCE"
+
+steghide extract --stegofile out/picture1.bmp --passphrase "$STEGHIDE_PW" ||:
+steghide extract --stegofile out/picture2.bmp --passphrase "$STEGHIDE_PW" ||:
+steghide extract --stegofile out/picture3.bmp --passphrase "$STEGHIDE_PW" ||:
+
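Review bot: `FILENAME` in the extraction loop comes straight from the capture's `tftp.source_file`/`tftp.destination_file` fields and is used unchecked in `xxd -r -p > "out/$FILENAME"`, so a pcap whose request names contain `/` or `..` components would write outside `out/`; strip the directory part before use, e.g. `FILENAME="${FILE_REQS["$i"]##*/}"`, and skip empty names. The loop also pairs `FILE_REQS[i]` with `STREAMS[i]` by index, which silently mislabels every extracted file if the two tshark queries disagree in count (a retried or failed request would do this); a guard such as `(( ${#FILE_REQS[@]} == ${#STREAMS[@]} )) || { echo "request/stream count mismatch" >&2; exit 1; }` after the second `mapfile` makes that failure loud. The script has no `set -euo pipefail`, so a failing tshark inside the process substitutions yields empty arrays and the loop simply does nothing. Minor: the comment `# NOTE: tftp.pcanpng is big, has been omitted` should read `tftp.pcapng`, and `cat out/plan | tr …` can be `tr 'A-Za-z' 'N-ZA-Mn-za-m' < out/plan`.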