Monday, September 22, 2014

CSAW 2014 Forensics 200 - Why not sftp

The title of this challenge was "Why not sftp" and a pcap file was given to download. Opening the pcap in Wireshark and applying an "ftp" display filter shows any file transfers taking place (a reasonable first step given the "sftp" hint, since the transfer went over plain FTP rather than SFTP). Packet 411 shows a zip file being retrieved and packet 432 shows that the transfer completed. Clear the filter and navigate to packet 411, where the transfer began. The first TCP packet after it contains the beginning of the data transfer. Right-click that packet and follow the TCP stream. The stream starts with "PK", the file header of a zip file, so you know you have the correct data. A few characters after the "PK" is "flag.png", showing that flag.png is contained within the zip. Click the "Save As" button in the TCP stream dialog, save the raw data as a .zip file, open the .zip file you just saved, and view the flag.png inside.
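The same carve can be scripted, which is useful when a capture has many flows or when you want a repeatable check that a plain-FTP transfer leaked a file. The script below is an added example and is not part of the original write-up: it reads a classic pcap with nothing but the standard library, reassembles TCP payloads per flow in sequence order (what Wireshark's "Follow TCP Stream" does), cuts the stream from the first zip local-file-header signature "PK\x03\x04", and validates the carve by listing the zip's members. The pcap it parses is constructed in memory, with a placeholder flag.png, so it runs offline; the addresses, ports and sequence numbers are assumptions, not values from the challenge capture.

```python
"""Carve a zip file out of an FTP data stream in a pcap, scripting the
Wireshark "Follow TCP Stream -> Save As" step from the write-up.

Added example, not code from the original post: pure-stdlib pcap reader,
per-flow TCP reassembly, zip signature carve, validation with zipfile.
The capture is constructed in memory; flag.png is a placeholder.
"""
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature that opens a zip


def _ipv4_tcp_frame(src, dst, sport, dport, seq, payload):
    """Build one Ethernet/IPv4/TCP frame. Checksums are left zero: this
    parser does not verify them (constructed traffic, not a real capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0, src, dst)
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def reassemble_streams(pcap):
    """Return {(src, sport, dst, dport): bytes}: TCP payloads of each
    unidirectional flow, concatenated in sequence-number order."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    flows = {}
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # not TCP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            key = (ip[12:16], sport, ip[16:20], dport)
            flows.setdefault(key, []).append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}


def carve_zip(stream):
    """Cut from the first zip signature to the end of the stream and confirm
    it parses. Returns (zip_bytes, member_names) or None if no valid zip."""
    start = stream.find(ZIP_MAGIC)
    if start < 0:
        return None
    blob = stream[start:]
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return blob, zf.namelist()
    except zipfile.BadZipFile:
        return None


def demo_pcap():
    """Constructed capture: an FTP data connection (server port 20) carrying a
    zip split into two segments delivered out of order, plus a control-channel
    QUIT from the client. Addresses and ports are assumptions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.png", b"\x89PNG\r\n\x1a\n" + b"constructed placeholder")
    zip_bytes = buf.getvalue()
    half = len(zip_bytes) // 2
    server, client = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    frames = [
        _ipv4_tcp_frame(server, client, 20, 41000, 1 + half, zip_bytes[half:]),
        _ipv4_tcp_frame(server, client, 20, 41000, 1, zip_bytes[:half]),
        _ipv4_tcp_frame(client, server, 41000, 21, 500, b"QUIT\r\n"),
    ]
    return build_pcap(frames)


def find_zip_members(pcap):
    """Scan every flow and return the member names of the first zip found."""
    for stream in reassemble_streams(pcap).values():
        hit = carve_zip(stream)
        if hit:
            return hit[1]
    return []


if __name__ == "__main__":
    print(find_zip_members(demo_pcap()))  # ['flag.png']
```

Reassembly is keyed per direction and sorted by sequence number, so the out-of-order second segment in the constructed capture still yields an intact archive; a real capture with retransmissions would need duplicate-range handling on top of this. Validating with `zipfile` rather than trusting the "PK" bytes alone is what tells you the carve boundaries are right.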


-- Nightrider, gregoryFox
