#!/usr/bin/env nix-shell
#!nix-shell -i bash -p tshark xxd steghide
# NOTE: tftp.pcapng (the capture this script reads) is large and has been omitted from the repo
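# Carve every file transferred over TFTP out of the capture, ROT13-decode the
# two text notes among them, then try the passphrase taken from the notes
# against the bitmap pictures with steghide.
#
# Inputs (overridable through the environment; defaults match the original):
#   PCAP         capture to read                       (default: tftp.pcapng)
#   TFTP_CLIENT  address that issues the RRQ/WRQ       (default: 10.10.10.11)
# Outputs: one file per transferred name under ./out/, steghide extracts in cwd.
set -euo pipefail

PCAP="${PCAP:-tftp.pcapng}"
TFTP_CLIENT="${TFTP_CLIENT:-10.10.10.11}"
OUT_DIR="out"

# Filenames named in read (opcode 1) / write (opcode 2) requests sent by the
# client. Only one of the two name fields is populated per request, so removing
# the tab separator leaves just that name; uniq collapses retransmitted requests.
mapfile -t FILE_REQS < <(
  tshark -r "$PCAP" \
    -Y "ip.src==$TFTP_CLIENT && (tftp.opcode==1 || tftp.opcode==2)" \
    -T fields -e tftp.source_file -e tftp.destination_file \
    | sed 's/\t//' \
    | uniq
)

# UDP streams carrying DATA (opcode 3) / ACK (opcode 4) towards the client, one
# per transfer; the server answers each request from a fresh ephemeral port.
mapfile -t STREAMS < <(
  tshark -r "$PCAP" \
    -Y "ip.dst==$TFTP_CLIENT && (tftp.opcode==3 || tftp.opcode==4)" \
    -T fields -e udp.stream \
    | sort -nu
)

# Names and streams are paired positionally (i-th request <-> i-th stream).
# That only holds when the two lists line up, so refuse to guess otherwise.
if (( ${#FILE_REQS[@]} == 0 )); then
  printf 'no TFTP requests from %s found in %s\n' "$TFTP_CLIENT" "$PCAP" >&2
  exit 1
fi
if (( ${#FILE_REQS[@]} != ${#STREAMS[@]} )); then
  printf 'request/stream count mismatch (%d names vs %d streams); positional pairing would be wrong\n' \
    "${#FILE_REQS[@]}" "${#STREAMS[@]}" >&2
  exit 1
fi

mkdir -p "$OUT_DIR"
for i in "${!FILE_REQS[@]}"; do
  name="${FILE_REQS[$i]}"
  stream="${STREAMS[$i]}"

  # The stream id is spliced into a display filter; it comes from tshark via
  # sort -n, but insist on an integer before interpolating it.
  if [[ ! "$stream" =~ ^[0-9]+$ ]]; then
    printf 'unexpected udp.stream value %q for %q\n' "$stream" "$name" >&2
    exit 1
  fi

  # Filenames come straight from the capture, i.e. from untrusted input. Keep
  # only the last path component so a name such as ../../x cannot write
  # outside "$OUT_DIR", and skip names that leave nothing usable.
  base="${name##*/}"
  if [[ -z "$base" || "$base" == "." || "$base" == ".." ]]; then
    printf 'skipping unusable filename %q (stream %s)\n' "$name" "$stream" >&2
    continue
  fi

  printf '%s -> %s\n' "$name" "$stream"
  # Collect the payload of this stream: DATA blocks sent to the client, plus
  # (for uploads) non-ACK-sized packets sent by it, then hex-decode the
  # concatenated bytes into the output file.
  tshark -r "$PCAP" \
    -Y "udp.stream==$stream && ((ip.dst==$TFTP_CLIENT && tftp.opcode==3) || (ip.src==$TFTP_CLIENT && data.len!=4))" \
    -T fields -e data.data \
    | tr -d '\n' \
    | xxd -r -p > "$OUT_DIR/$base"
done

# NOTE: the .deb among the transfers contained steghide, so the plan is assumed
# to hold the passphrase for one of the pictures. Both notes are ROT13-encoded.
rot13() { tr 'A-Za-z' 'N-ZA-Mn-za-m'; }
for note in "$OUT_DIR/instructions.txt" "$OUT_DIR/plan"; do
  if [[ -f "$note" ]]; then
    printf '== %s (rot13) ==\n' "$note"
    rot13 < "$note"
  else
    printf 'missing %s, cannot show note\n' "$note" >&2
  fi
done

# Passphrase recovered from the decoded plan. It is passed on argv, which is
# visible to other local users via ps; acceptable for a CTF solve script.
STEGHIDE_PW="DUEDILIGENCE"
for pic in "$OUT_DIR"/picture{1,2,3}.bmp; do
  [[ -f "$pic" ]] || { printf 'missing %s, skipping\n' "$pic" >&2; continue; }
  # Best effort: only one picture is expected to carry the payload, so a
  # failed extract on the others is not an error.
  steghide extract --stegofile "$pic" --passphrase "$STEGHIDE_PW" || true
done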