ShinobiMind

basketball player and hacker will keep being childish.

CSAW CTF Forensics 150

Challenge

Missed Registration
It's registration day! These forms just seem longer and longer... pcap file is here

Solutions

Almost all of the packets are HTTP POST requests. They look like ordinary form submissions, but some of them include an extra x parameter, and in those packets the Content-Length in the HTTP header and the real body length differ. That is suspicious.
So I collected the data from every x parameter. The data begins with "0x42 0x4d" ("BM"), the magic number of a BMP file.
So we write a solving script.

#!/usr/bin/env python

from scapy.all import Raw, rdpcap
import binascii

# Each form submission sits in the Raw layer; the hidden "x" field is the
# last parameter and carries hex-encoded bytes of the BMP.
packets = rdpcap('cap.pcap')

with open('flag.bin', 'wb') as f:
    for packet in packets:
        if Raw not in packet:
            continue
        params = packet[Raw].load          # bytes, so search with a bytes pattern
        xLocation = params.rfind(b"&x=")
        if xLocation == -1:
            continue                        # no hidden field in this request
        word = params[xLocation + 3:]       # hex text after "&x="
        f.write(binascii.unhexlify(word))
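The same two checks the writeup relied on, a Content-Length that disagrees with the real body and a hidden x field carrying hex, applied to raw HTTP requests without scapy. This is an added example, not the writeup's script; the request lines and the field values are constructed here, so it runs without the challenge pcap.

```python
#!/usr/bin/env python3
"""Spot POST bodies whose Content-Length is wrong and reassemble the hex
chunks carried in a hidden 'x' form field (constructed sample traffic)."""
import binascii
from urllib.parse import parse_qs

BMP_MAGIC = b"BM"  # 0x42 0x4d, the header bytes the writeup spotted


def split_request(raw: bytes):
    """Return (lower-cased header dict, body bytes) for one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def length_mismatch(raw: bytes) -> bool:
    """True when the declared Content-Length differs from the real body length."""
    headers, body = split_request(raw)
    declared = headers.get("content-length")
    return declared is not None and int(declared) != len(body)


def hidden_field(raw: bytes, name: str = "x") -> bytes:
    """Hex-decode the named form field, or b'' when the field is absent."""
    _, body = split_request(raw)
    values = parse_qs(body.decode(errors="replace")).get(name)
    return binascii.unhexlify(values[0]) if values else b""


def reassemble(requests) -> bytes:
    """Concatenate the decoded 'x' chunks of every mismatching request."""
    return b"".join(hidden_field(r) for r in requests if length_mismatch(r))


def make_post(body: bytes, declared: int) -> bytes:
    """Build a constructed registration POST with an explicit Content-Length."""
    return (b"POST /register HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(declared).encode() + b"\r\n\r\n" + body)


# Constructed samples: one honest form, two whose length covers only the
# visible fields while an appended x field smuggles BMP bytes.
SAMPLE = [
    make_post(b"first=ann&last=lee", 18),
    make_post(b"first=bob&last=ng&x=424d36", 17),
    make_post(b"first=cy&last=ho&x=0000", 16),
]

if __name__ == "__main__":
    data = reassemble(SAMPLE)
    print(data.hex(), "starts with BMP magic:", data.startswith(BMP_MAGIC))
```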

sweets

FLAG{3Am_LaunDR3Y_FLaG_L34kz!}