[Forensics] CSAW - Missed Registration


Missed Registration

It’s registration day! These forms just seem longer and longer…

UPDATE 10:44 Eastern: New pcap that should be a bit easier to work with.

UPDATE 2:58 Eastern: We’re regenerating due to flag leaks, submissions disabled until then. Please be patient.

Update 3:31 Eastern: Updated pcap with new flag after leak. Please re-run your solutions on the file!

https://ctf.csaw.io/files/bd2d3bcfdf09f06728d81d1a0cc0e4ff/cap.pcap

We have a pcap file. At first we saw a lot of HTTP POST requests:

A lot of the form fields were filled with crap information in Latin. At first we thought the parameter n was encrypted or some other kind of binary; we extracted it but found nothing. After a while, instead of looking at the HTML Form URL Encoded tab in Wireshark, we started looking at the TCP segment data and found a new POST parameter, an “x” parameter that only showed up in some of the requests:

The very first HTTP POST request has this value:

&x=424d923500000000000036040000280000004301000027000000010008000000000000000000c40e0000c40e00000001000000010000000001ff0c0e10ff0d1012ff131719ff161d21ff1b2226ff1c2b33ff1f313bff24292bff252c31ff2a3338ff33393bff243742ff283741ff

The beginning of this value, “424d” (the ASCII bytes “BM”), indicated to us that this might be a BMP image file! So we extracted all the x values with a one-line bash command:

# per packet carrying "&x=": tshark hex dump -> ASCII request body -> strip "x=" -> hex-decode the image
tshark -r cap.pcap -Y "http && tcp.payload contains \"&x=\"" -Tfields -e tcp.segment_data | tr -d ':|\n' | xxd -r -p | tr -d 'x=' | xxd -r -p > img.bmp
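The same reassembly, done in Python as an added example (this is not the write-up's code and it does not read the pcap): the HTTP POST bodies are constructed here to stand in for the captured requests, with filler fields and an `x` field that appears only in some of them. The only capture-derived input is the BMP header hex quoted above, which the example pads with constructed zero bytes to the length the header declares. Beyond concatenating the chunks, it parses the BITMAPFILEHEADER and BITMAPINFOHEADER and checks that the declared file size, pixel offset and row geometry agree with the carved length, which is how you tell a complete carve from one that lost a request.

```python
"""Reassemble a file exfiltrated through a repeated HTTP form field and sanity-check it.

Constructed example: the POST bodies are made up for this demonstration; only the
BMP header hex (PAGE_HEADER_HEX) is taken from the write-up's capture.
"""
import struct
from urllib.parse import parse_qs

# First 110 bytes of the x value quoted in the write-up: BITMAPFILEHEADER,
# BITMAPINFOHEADER and the first entries of the 256-colour palette.
PAGE_HEADER_HEX = (
    "424d" "92350000" "00000000" "36040000"            # 'BM', file size, reserved, pixel offset
    "28000000" "43010000" "27000000" "0100" "0800"     # DIB size, width, height, planes, bpp
    "00000000" "00000000" "c40e0000" "c40e0000"        # compression, image size, x/y px per metre
    "00010000" "00010000"                              # colours used, important colours
    "000001ff0c0e10ff0d1012ff131719ff161d21ff1b2226ff1c2b33ff"  # palette entries (BGRA)
    "1f313bff24292bff252c31ff2a3338ff33393bff243742ff283741ff"
)

FILLER_FIELDS = "first_name=Lorem&last_name=ipsum&address=dolor+sit+amet"  # constructed noise


def build_sample_bodies(payload: bytes, chunk_hex_len: int = 4096) -> list:
    """Hex-encode payload, split it, and hide each piece in a constructed form submission.
    A submission without any x field is interleaved before each carrying one, mirroring
    a capture in which x only shows up in some requests."""
    hexstr = payload.hex()
    bodies = []
    for i in range(0, len(hexstr), chunk_hex_len):
        bodies.append(FILLER_FIELDS)
        bodies.append(f"{FILLER_FIELDS}&x={hexstr[i:i + chunk_hex_len]}")
    return bodies


def extract_x(bodies) -> bytes:
    """Collect every x= value in request order and hex-decode the concatenation."""
    parts = []
    for body in bodies:
        parts.extend(parse_qs(body, keep_blank_values=True).get("x", []))
    return bytes.fromhex("".join(parts))


def parse_bmp_header(data: bytes) -> dict:
    """Decode the BMP headers and report whether they agree with the carved length."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP: missing 'BM' magic or header too short")
    declared_size, _r1, _r2, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    (dib_size, width, height, _planes, bpp, compression, _image_size,
     _xppm, _yppm, colours_used, _important) = struct.unpack_from("<IiiHHIIiiII", data, 14)
    stride = ((width * bpp + 31) // 32) * 4              # rows are padded to 4-byte boundaries
    palette_entries = (colours_used or (1 << bpp)) if bpp <= 8 else 0
    return {
        "width": width, "height": height, "bpp": bpp, "compression": compression,
        "declared_size": declared_size, "carved_size": len(data),
        "size_matches": declared_size == len(data),
        "offset_matches": pixel_offset == 14 + dib_size + 4 * palette_entries,
        "geometry_matches": compression == 0
        and pixel_offset + stride * abs(height) == declared_size,
    }


def carve_demo() -> dict:
    """Full round trip: build requests from a complete (padded) image, carve, validate."""
    header = bytes.fromhex(PAGE_HEADER_HEX)
    declared = struct.unpack_from("<I", header, 2)[0]
    full_image = header + b"\x00" * (declared - len(header))   # constructed pixel data
    carved = extract_x(build_sample_bodies(full_image))
    if carved != full_image:
        raise RuntimeError("reassembly lost or reordered a chunk")
    return parse_bmp_header(carved)


def truncated_demo() -> dict:
    """What an incomplete carve looks like: only the 110 header bytes, size_matches is False."""
    return parse_bmp_header(bytes.fromhex(PAGE_HEADER_HEX))


if __name__ == "__main__":
    print(carve_demo())
    print(truncated_demo())
```

On the capture this describes a 323 x 39 pixel, 8 bits-per-pixel image of 13714 bytes with a 1078-byte pixel offset (14 + 40 + 256 palette entries of 4 bytes), so the header is internally consistent; if the carved output were shorter than the declared size, a missing or mis-ordered request would be the first thing to check.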