CSAW CTF Forensics 150
Challenge
Missed Registration
It's registration day! These forms just seem longer and longer... pcap file is here
Solutions
Almost all of the packets are HTTP POST packets. They look like they are sending data normally, but some packets include an x parameter. In those packets, the Content-Length in the HTTP header and the real data length are different. That is suspicious.
Then, I picked out all of the x parameter data. We can see that the data starts with "0x42 0x4d". The magic number "0x42 0x4d" means that this file is a BMP file.
So, we'll write a solving script.
#!/usr/bin/env python
from scapy.all import rdpcap, Raw
import binascii

packets = rdpcap('cap.pcap')

with open('flag.bin', 'wb') as f:
    for packet in packets:
        params = b""
        if Raw in packet:
            params = packet[Raw].load  # raw HTTP payload (bytes)
        # Only packets carrying the extra x parameter hold file data
        if params.find(b"&x=") > 0:
            xLocation = params.rfind(b"&x=")
            word = params[xLocation + 3:]
            # x holds hex text; decode it and append to the output file
            f.write(binascii.unhexlify(word))
sweets
FLAG{3Am_LaunDR3Y_FLaG_L34kz!}
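The two signs described above (a Content-Length that disagrees with the real body length, and an x parameter whose decoded bytes start with 0x42 0x4d) can also be checked on raw request bytes without scapy. This is an added example, not part of the original writeup; the requests are constructed samples, and the /register path, host name, field names and the choice to have Content-Length cover only the visible fields are assumptions.

```python
import binascii

BMP_MAGIC = bytes([0x42, 0x4D])  # "BM", the magic number named in the writeup

def split_request(raw):
    """Return (declared Content-Length or None, actual body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    declared = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            declared = int(value.strip())
    return declared, body

def analyze(requests):
    """Flag length mismatches and reassemble the hex data carried in x."""
    mismatched, payload = [], b""
    for index, raw in enumerate(requests):
        declared, body = split_request(raw)
        if declared is not None and declared != len(body):
            mismatched.append(index)
        pos = body.rfind(b"&x=")
        if pos == -1:
            continue
        try:
            payload += binascii.unhexlify(body[pos + 3:].strip())
        except ValueError:
            mismatched.append(index)  # x is present but is not clean hex
    return {"mismatched": sorted(set(mismatched)),
            "payload": payload,
            "is_bmp": payload.startswith(BMP_MAGIC)}

def make_post(fields, hidden_hex=None):
    """Constructed POST request; Content-Length covers only the visible fields (assumption)."""
    visible = fields.encode()
    body = visible + (b"&x=" + hidden_hex.encode() if hidden_hex else b"")
    head = "POST /register HTTP/1.1\r\nHost: example.test\r\nContent-Length: %d\r\n\r\n" % len(visible)
    return head.encode() + body

# Constructed sample traffic: one ordinary form post, two carrying hidden hex in x
SAMPLE = [
    make_post("name=alice&email=a%40example.test"),
    make_post("name=bob&email=b%40example.test", "424d4600"),
    make_post("name=carol&email=c%40example.test", "00000000"),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```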