Home > CTF, Forensics > Codegate 2014 Quals Forensics 150 WeirdShark writeup

Codegate 2014 Quals Forensics 150 WeirdShark writeup

Surprisingly very few challenges this time. And sadly there was only one question from forensics. First it was solved by my team mate and later I solved it. Unfortunately, he went offline for the whole day. I was not able to clear my doubts. Well it ended up as a good learning part. We were asked to find the flag from a given file. Click here to download. First I checked the file with trid and then with file command.

h1dd3ntru7h@bi0s:~/Desktop/ctf/codegate$ file weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7
weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7: pcap-ng capture file – version 1.0

h1dd3ntru7h@bi0s:~/Desktop/ctf/codegate$ trid weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7

TrID/32 – File Identifier v2.11 – (C) 2003-11 By M.Pontello
Definitions found:  5226

Collecting data from file: weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7
 79.9% (.PCAPNG) Wireshark PCAP Next Generation Dump File Format (Little Endian) (4004/2)
 20.0% (.PCX) ZSoft PCX bitmap (1002/3)

Both says the file is a PCAP Next generation (pcap-ng) file type. It is completely over-written to overcome some of the limitations of the old libcap library. Some of the features in pcap-ng are, we can store the packets in a single file which are captured from multiple interfaces , provisions for metadata such as information about the interfaces, OS information, hardware, sniffer application program etc. Unfortunately, there are some compatible issues with the same. One of the issue was given to us as a challenge to solve.

I tried opening the file in wireshark, but it refused to open by stating an error. I came to know that we can convert pcapng files to the normal pcap files, when I searched for the error in the internet. As per the information given in the website, I tried converting the given pcapng file which lead us to an actual issue, which is meant to be solved. You can even try this online

h1dd3ntru7h@bi0s:~/Desktop/ctf/codegate$ editcap -F libpcap weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7 -T ether file.pcap
editcap: An error occurred while reading “weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7”: File contains a record that’s not valid.
(pcapng_read_packet_block: total block length 96 of EPB is too small for 4270407998 bytes of packet data)

Little bit of google’ng the error, gave me some links which helped me to understand the source code and the why the error has happened. Link 1, Link 2. Later, I came to know that there is a tool called pcapfix which can resolve the error.

h1dd3ntru7h@bi0s:~/Desktop/ctf/codegate$ pcapfix weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7
pcapfix 0.3 (c) 2012 Robert Krause

[*] Reading from file: weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7
[*] Writing to file: fixed_weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7
[*] Analyzing global header…
[-] The global pcap header seems to be missing ==> CORRECTED!
[*] Analyzing packets…
[-] Corrupted packet found ==> TRYING TO RECOVER

Your pcap file has been successfully repaired.
Wrote 97 packets to file fixed_weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7.

Bus error (core dumped)

Again an error appeared, when I attempted to open converted file in wireshark and the error was (pcap: File has 4294967295-byte packet, bigger than maximum of 65535).  I converted to a pcap file, as per a command mentioned in this website. Going good! finally, I was able to transform it with out any errors \m/. Now it is time to analyse the traffic. There were few media files ( 2 JPG images, 1 PDF file and 2 html documents) transferred between 2 host IP’s and And there was a PDF file transferred in the packet 797. I did TCP stream on the packet and found the header of a PDF file. 


I saved the file and when I opened it I saw the flag to be : FLAG = FORENSICS_WITH_HAXORS. 😉 Wow!

  1. February 24, 2014 at 5:12 pm

    Same method hahaha

    • February 25, 2014 at 4:04 am

      Hey! seems to be like, someone (below your comment) have did the same challenge entirely, in a very different approach 😉

  2. EccE
    February 24, 2014 at 6:05 pm

    Thanks for the write up !

    I have solved this challenge too but i have done it differently though it’s always nice to see that other methods were doing the job as well.

    I’ve stumbled upon the errors you mention in your text. Just like you, i also tried ‘fixpcap’ the pcap-ng file but with no success…(Didn’t think / know at that time converting the file via a pcapng.com could do the trick !)

    I then have chosen to use Foremost to see if i’d get any data out of this ‘weird.pcap’ file.
    It appears that i had 2 files output : A .bmp and a .pdf.

    I used a pdf analysis tool to get data out of the PDF and did got the flag as well 🙂

    • February 25, 2014 at 4:02 am

      That’s interesting. First I randomly tried many ways to fix the error in pcap-ng file. I got fed up and I ran the foremost tool on the challenge file. Even I got a bmp file and a PDF file. When I opened the PDF file, there was only a tree diagram ( no flags or strings ). Then I thought this wasn’t the right way to approach the challenge. I tried searching many times and finally I got the tool and got it fixed. But still your solution seems to be eligant and very distinct, please tell me how did you mange to get the flag from PDF?

  1. October 13, 2014 at 8:03 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This Week In 4n6

Your weekly roundup of Digital Forensics and Incident Response news

RAM Slack - Random Thoughts from a Computer Forensic Examiner

Random Thoughts from a Computer Forensic Examiner


behind the scenes

DFIR Journal

Trials and Tribulations of a DFIR life

I dont know zilch !

For the noobs out there like me

X-Ways Forensics Practitioner's Guide

The Guide to X-Ways Forensics!

Forensic Focus - Articles

Digital forensics articles and research papers

my abbreviations......

gain,learn and share knowledge!!!!


Windows Logging Service (WLS), DFIR, etc.

Belkasoft Forensic: The Digital Evidence Blog

Searching for, analyzing and recovering digital evidence

Gail Tredwell. Amma. Truth. Lies. Scandals. Fraud. And. Reality

Three things cannot be long hidden: the sun, the moon, and the truth.

Integriography: A Journal of Broken Locks, Ethics, and Computer Forensics

Musings about UAVs, search & rescue, computer forensics, cyber security, and the state of play in all .....

Life is beautiful

when the mind is full with love, you see beauty in every thing

Techno Krat

.... Dare To Try .......

%d bloggers like this: