
101 - Forensics


Challenge Description

Forensics 101

Author: Fedra

Flag

TSA{Forensic_101_0d1b25a70976d70f}


Analysis

We are given a packet capture file that contains many ICMP packets. Looking at one of the ICMP packets, we can see that the transmitted data contains the first 16 bytes of a PNG header, repeated.

Solution

From the analysis, we need a script that takes the first 16 bytes of the data from every ICMP packet (the slice load[16:32] of the Raw layer in the script below), concatenates them, and carves all the PNG files out of the result. The resulting PNG files form the flag.

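import os
import re

from scapy.all import ICMP, IP, Raw, rdpcap

packets = rdpcap("./101.pcap")

out = b''

# Collect one 16-byte slice of the payload from every ICMP packet sent by 192.168.56.1
for packet in packets:
    if (packet.haslayer(IP) and packet.haslayer(ICMP) and packet.haslayer(Raw)
            and packet.getlayer(IP).src == "192.168.56.1"):
        out += packet.getlayer(Raw).load[16:32]

# The PNG signature and the IEND chunk (type + CRC) mark the start and end of each image
starts = [m.start() for m in re.finditer(b'\x89\x50\x4e\x47\x0d\x0a\x1a\x0a', out)]
ends = [m.end() for m in re.finditer(b'\x49\x45\x4e\x44\xae\x42\x60\x82', out)]

# The output directory must exist before the images are written
os.makedirs("dumps", exist_ok=True)

# zip() stops at the shorter list, so an unterminated last image cannot raise IndexError
for i, (start, end) in enumerate(zip(starts, ends)):
    with open(f"dumps/{i}.png", "wb") as f:
        f.write(out[start:end])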
Data of one of the ICMP packets
PNG files from the script
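
The script above pairs the n-th PNG signature with the n-th IEND trailer, which mispairs every later image if one packet is missing from the capture. The following added example (not part of the original write-up) carves the reassembled stream by walking each PNG's chunks and checking their CRCs instead. The function names and the sample stream are constructed for this illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(buf, start):
    """Return the offset just past IEND for a PNG starting at `start`, or None."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length                # 4 length + 4 type + data + 4 CRC
        if end > len(buf):
            return None                        # truncated: data is missing
        body = buf[pos + 4:pos + 8 + length]   # type + data, covered by the CRC
        (crc,) = struct.unpack(">I", buf[end - 4:end])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return None                        # damaged or interrupted chunk
        if ctype == b"IEND":
            return end
        pos = end
    return None

def carve_pngs(buf):
    """Carve every structurally valid PNG out of a reassembled byte stream."""
    images, pos = [], 0
    while (start := buf.find(PNG_SIG, pos)) != -1:
        end = png_end(buf, start)
        if end is None:
            pos = start + 1                    # skip the damaged file, keep scanning
        else:
            images.append(buf[start:end])
            pos = end
    return images

def _chunk(ctype, data):
    """Build one PNG chunk (helper for the constructed sample data)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_png(pixel):
    """Constructed 1x1 grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00" + bytes([pixel]))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def sample_stream():
    """Constructed stream: two good PNGs with a truncated one between them."""
    a, b = make_png(0), make_png(255)
    return a + a[:40] + b
```

On the constructed stream, index-based pairing would write the truncated image and the second image into one broken file, while the chunk walk returns only the two intact images.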