Fireshell CTF Writeup


Idiot_Connection

We are provided with a packet capture file full of ICMP packets, but they actually contain HTTP and other packets too! What they have done is add an ICMP packet to every packet. So we need to slice that portion off to get the original pcap file.

So, using “editcap”, a command-line tool for editing pcap files:

$ editcap -C 14:33 -F pcap "chall.pcap" "edited.pcap"

-C: chopping (slicing and removing that part). With 14:33, editcap chops 33 bytes starting at offset 14 of each packet.

-F: output file type

Now open up the edited capture file and you can see the actual packets. Concentrate on the HTTP packets and export the items that were transferred: File > Export Objects > HTTP.

You’ll find a “msg” file (a ZIP) with the wrong file signature F# (46 23), so replace it with PK (50 4B).

Try to extract the zip. It’s actually a password-protected zip.

Try a dictionary attack on the zip using rockyou.txt:

$ fcrackzip -v -D -u -p rockyou.txt msg.zip
found file 'photo.png', (size cp/uc 924401/924244, flags 9, chk b135)
checking pw 055469215                               

PASSWORD FOUND!!!!: pw ==   b1tch3s  

Password=" b1tch3s ". So the password for the zip is “b1tch3s” (2 spaces at the beginning and at the end).

Extract the zip and you’ll get an image, photo.png.

Try hexdump...

$ hexdump -C ext.img
         07 7c f2 41 dd 6b 05 d6  6b 00 00 00 00 49 45 4e  |.|.A.k..k....IEN|
000e1a20  44 ae 42 60 82 41 00 6c  00 6d 00 6f 00 73 00 74  |D.B`.A.l.m.o.s.t|
000e1a30  00 20 00 74 00 68 00 65  00 72 00 65 00 2c 00 52  |. .t.h.e.r.e.,.R|
000e1a40  00 79 00 61 00 6e 00 20  00 47 00 69 00 62 00 73  |.y.a.n. .G.i.b.s|
000e1a50  00 6f 00 6e                                       |.o.n|

The hexdump of the image gives you “Almost there Ryan Gibson”, appended after the PNG's IEND chunk.

After googling this you’ll find Ryan Gibson's GitHub repository on LSB steganography (link: https://github.com/ragibson/Steganography)

Now extract the hidden image using LSB.

 $  python3 LSBSteg.py -r -i photo.png -o ext.png
Reading files...                   Done in 0.42 s
Recovering 95404 bytes...          Done in 0.08 s
Writing to output file...          Done in 0.00 s

Now we’ve an image with no flag.

Finally, tried to enlarge the image: change the length (24th byte) in the PNG IHDR chunk, i.e. 0F to 3F.

As the length changes, the corresponding CRC data changes too.

So if you try to open the image, you’ll get a problem with the CRC.

$ pngcheck ext.png
ext.png  CRC error in chunk IHDR (computed 1d71bc38, expected 190bbb95)
ERROR: ext.png

Replace the CRC (from the 30th byte to the 33rd byte) 19 0B BB 95 with 1D 71 BC 38.

WOW! Here we’ve the flag at the end of the image.

F#{1cMp_tUnN3l_4Nd_ST3go_Rul35_!!!}
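
The IHDR edit and CRC fix described above can be done in one step instead of hex-editing twice. This is an added example, not code from the original writeup: the function names are hypothetical and the sample PNG is constructed in memory (an IHDR that declares 0x0F rows while the IDAT data holds 0x3F), so it runs without the challenge file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def crc(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF

def read_ihdr(png: bytes):
    """Return (width, height, stored_crc, computed_crc) for the IHDR chunk."""
    if png[:8] != PNG_SIG:
        raise ValueError("bad PNG signature")
    length, ctype = struct.unpack(">I4s", png[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    width, height = struct.unpack(">II", png[16:24])  # height ends at the 24th byte
    (stored,) = struct.unpack(">I", png[29:33])       # 30th to 33rd byte
    return width, height, stored, crc(png[12:29])     # CRC covers type + data

def set_height(png: bytes, new_height: int) -> bytes:
    """Rewrite the IHDR height and recompute the chunk CRC in one step."""
    read_ihdr(png)  # validate the layout before patching
    out = bytearray(png)
    out[20:24] = struct.pack(">I", new_height)
    out[29:33] = struct.pack(">I", crc(bytes(out[12:29])))
    return bytes(out)

def make_sample_png(width: int, declared_rows: int, actual_rows: int) -> bytes:
    """Constructed sample: grayscale PNG whose IHDR declares fewer rows than IDAT holds."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc(ctype + data))
    ihdr = struct.pack(">IIBBBBB", width, declared_rows, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x80" * width for _ in range(actual_rows))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

if __name__ == "__main__":
    png = make_sample_png(4, 0x0F, 0x3F)
    edited = bytearray(png)
    edited[23] = 0x3F  # hex-editor style change of the 24th byte only
    _, h, stored, computed = read_ihdr(bytes(edited))
    print(f"manual edit: height={h:#x} stored={stored:08x} computed={computed:08x}")
    _, h, stored, computed = read_ihdr(set_height(png, 0x3F))
    print(f"set_height:  height={h:#x} stored={stored:08x} computed={computed:08x}")
```

The first line printed shows the same stored/computed mismatch that pngcheck reports after a manual edit; the second shows the two values agreeing once the CRC is recomputed.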
