Alex CTF USB probing Forensics 3 – 150 writeup


Challenge file: Download.

In fact, this is my first attempt to recover USB traffic from a PCAP file.

The initial 4 packets had the information of the devices involved in the traffic. Using the Product ID and Vendor ID I did some research here to get the device details. It is a flash drive.


In the following paragraphs I will try to explain my approach to solve this problem but if you just want to see the solution please check the last 2 paragraphs.

Wireshark doesn’t have an easy option to view the transferred files using USB protocol, on the contrary it’s easy to extract or view transferred files in TCP (using TCP stream).

I made a simple test to understand how a simple file is transferred via USB protocol. I plugged in a USB device and transferred a text file ( with contents “findme”*1000). Of course, wireshark was listening to the usb interface in the background. To capture the USB traffic you must load the USB kernel module (check here).

$ sudo modprobe usbmon

Most of the packet’s sizes were less than 100 bytes and the transferred text file was found in a packet having a length greater than 1000 bytes, check the URB_BULK out.


So as a conclusion check for the packets having size greater than 1000 bytes with flags URB_BULK out/in. Also I found the file names that were present inside the flash drive.

Let’s repeat the same steps to find what was transferred. Load up the challenge file and try to find the packets having length greater than 1000 bytes. Go down a bit and bingo, you can find the PNG image’s header! 😉


Select the stream and press Ctrl + h or you can use File->Export Packet Bytes. Open the saved file in a image viewer and you see the flag!!



Insomni’hack teaser 2017 Forensics The Great Escape part-1 writeup


From the given PCAP file you must have noticed the traffic from OSCP, HTTP, FTP, SMTP and TLS protocol. TLS has the actual flag, FTP has the private key to decrypt the TLS traffic and SMTP has the clue that will help us in filtering the traffic of interest i.e the right TLS packets. You can ignore the rest.

The first task is to retrieve the private key file from the FTP traffic. Use the filter “ftp-data” in wireshark. Do a TCP stream, you can see the transferred private key. Save that as a text file ( private_key.txt).


We have the private key and all we have to do is to use it and decrypt the TLS packets. Use the filter “ssl” to see the encrypted traffic.


We have 4+ HTTP servers involved and the important task is to find the right one that has the flag. But how? The answer is in the hint transmitted in the email (SMTP traffic). Use the filter “smtp” and read the contents of the email. You can see the sender informing about moving the code from Swiss Secure Cloud to May be the flag was transmitted here!


The two addresses found in the email points to : 443. So this might be the right IP address we are looking for.


To confirm, see if there is any traffic originating from in the PCAP file. You will see the encrypted traffic. Let’s use all the information we gathered from the SMTP protocol ( IP :, PORT : 443) and FTP (the private key) to decrypt the SSL traffic.

Go to Edit->Preferences->Protocols->SSL. In the RSA key list add all the information we got. The protocol should be http as the port no for is 443 ( default for https).


Use the filter “ip.addr== and http”. You can see the deciphered traffic.

I was searching for the flag inside the transferred files ( File -> Export-> HTTP objects) but it was not there, after a while I found it in the HTTP header.


SECCON 2016 Forensics 100 Memory Analysis writeup

Challenge Description:

Memory Analysis
Find the website that the fake svchost is accessing.
You can get the flag if you access the website!

Hint2: Check the hosts file

The first task was to find out all the svchost process running in the machine, then identify suspicious artifacts in order to verify the rogue svchost process. The pstree plugin from the volatility framework would list all the running process in a machine.


svhost.exe is a container of many service DLLs grouped together. They run under a smaller set of svchost.exe, typically you can see 5 or more running instances of svchost.exe in your machine. Now, let’s find out the rogue svchost process based on some artifacts,

There are totally 7 instances of svchost.exe processes running and they are started by their actual parent process services.exe (672). There are no spelling mistakes in the processes names. Well, let’s see if it has a proper image path. A legitimate svchost.exe should run from the following directory : %SystemRoot%\System32\svchost.exe


As you can see the process PIDs : 848,1320,1088,936, 1036 are run from the system32 folder with legitimate parameters ( <DcomLaunch,LocalService>,<NetworkService,rpcss,netsvcs>) for grouping similar services. Now we can rule out the fake svchost.exe process PID is 1776 ^^ as it was made run in a directory other than System32. Will now find at least one or more artifacts to support our findings. Let’s also look if there is any suspicious network activity,


No idea about process IDs : 3676 and 2776 and it is not important here. The only related information is pid 1080 ( IEXPLORER.EXE). It looks legitimate as the browser is communicating over the port 80. But it’s parent process is another IEXPLORE (380) instance started by our fake svchost.exe (1776). I am stopping here and I am sure you can also find some registry artifacts.

If you try strings command after dumping the memory resident pages from the processes 380, 1080, and 1776, you can see iexplore has been run with argument “;. This would lead you to a blog article. Let’s jot down this information, will be useful for later.

The hint given in the challenge was to reconstruct the c:\windows\system32\drivers\etc\hosts file. The hosts file can be found at the physical offset 0x000000000217b748 (using filescan plugin). Dumping the host file from the memory (using dumpfile plugin) would give the hosts file information.


You can also find the same IP address ( after running the connscan plugin. When we access this IP address, you will see a Nginx page with a welcome message. I added the IP address and the host name in my /etc/hosts file and tried accessing the same page, I got redirected to the same Nginx page. I was wondering where I would have went wrong. They said I will get the flag if I get access to the website. But what I see is just an usual Nginx welcome message. After the contest got over, I was going through my findings and I  found this URL ( “;) in my notes, that I got after dumping the process memory of the IEXPLORE process!

LOL 😀 😀 I forgot to use this link and I did not refer to my findings!! I opened the URL in a browser and I got the flag.


Anyway it was a good learning experience!

SECCON 2016 Forensics 100 VoIP writeup

Challenge description:

Extract a voice.
The flag format is SECCON{[A-Z0-9]}.

A straightforward challenge. It is clearly mentioned that  we need to extract the voice message. Also, you can see the RTP streams when you open the PCAP file in Wireshark.


Get the flag by playing the voice message after extracting the VoIP call from the menu (Telephony -> VoIP calls)

The Flag was : SECCON{{9001IVR}

CSAW CTF 2016 Watchword 250 Forensics

Here is the challenge description,

Canned epic hidden snek flavored cookies have shy gorilla.

password = password

and a link to this video

It’s a mp4 type video. Checking the metadata blob revealed a base64 encoded string,



So the challenge has to do something with the steghide. Check out the challenge description as well, they have mentioned about the passphrase (password = password). Steghide uses a passphrase to embed data in a cover file (only JPEG, BMP, WAV, AU).  We got an MP4 file that steghide won’t support and steghide is part of the challenge.

[Failed attempt]

You may skip reading this part.

The frame movement was little weird, so I thought I would export all the frames as JPEG files and then use steghide. I used this method to export the frames and the recording ratio was set to 1 (with this setting it extracts every frame). Once the video was stopped, there were around 275 frames generated by VLC. You can download the frames from here. Now, I have a set of JPEG images in place, now let’s try to use the [passphrase = “password”] with steghide.


It did not work as expected, the stdout was “steghide: could not extract any data with that passphrase!“… :/ :/. Now what?? Let’s go back to the video and check if there are any signs of hidden files using a hexeditor. And what have we got??


Now let’s extract the PNG image out of it. I had to do it by writing a script, as there were  dependency issues installing binwalk. You could alternatively use foremost as well.

After running the script, we got a PNG image file,


Wow! looks awesome.. but still the fact is steghide won’t support PNG image. Then why steghide was given as a clue in the challenge file? Let’s dig deep.  I repeated almost all the steps from the beginning and I couldn’t find any lead from here. Histogram analysis, LSB, and other standard steganography techniques failed as well. It was little difficult to guess a pattern by just looking at the pixel values.

After an hour or later, the first hint was released, then it was pretty straight forward. The hint was to use stepic. and here is the detailed explanation.

$ stepic –decode –image-in=PNG_Magic.png –out=new_image.jpg

Using stepic we got another image and now it is a JPEG file (new_image.jpg). Finally, the clue given inside the challenge file makes sense,


Let’s pull out the hidden text file from the obtained image,


So here it is,


This doesn’t look like a base64 encoded string. Check the format. Base64 only contains, ‘+ and /’ as special characters, but we have several others (^,|,_,?,} etc). I was unable to crack this last part, which I left to my teammates to solve it. In the mean time there was another hint released [It’s not base64, but it uses the Python 3 base64 module].   Later, couple of my teammates ( dnivra, gokul_krishna) managed to quickly identify the encoding technique and it was found to be base64 b85 type encoding.


So the flag is : flag{We are fsociety, we are finally free, we are finally awake!} Yaaayyyy!!!! 250 on the board!!! 😀 \m/

So summing up,

  1. Extract the png image from the mp4 video,
  2. Use stepic to uncover a jpeg file,
  3. Use steghide to extract a b85 type base64 string,
  4. Decode it and get the flag.

MMA CTF 2015 Forensics stream writeup


I played a CTF after a very long gap. We secured 33rd (team bi0s) position out of 650+ teams in the contest by knocking down 17 challenges.

Download the challenge file from here

The challenge involves the following tasks,

  1. Extract the x-mms-framed binary ( streaming data ) from the given traffic captured file.
  2. Recover the media stream from the x-mms-framed binary.

As per the Microsoft documentation [1] [2],

The file is actually used to stream real time data between client (can be Windows Media Player or VLC etc) and server (Microsoft Media Servers). The receiver of the streaming data is the client and the sender is  server. Unlike HTTP this version of HTTP protocol maintains the state. The protocol attempts to facilitate scenarios where the multimedia file is being transferred and rendered simultaneously. One important thing to notice is, it doesn’t provide a mechanism for a client to discover the URL to the server.

After reading more on the Microsoft documentation I understood we can recover the media streams. So I focused on searching a program which can host this reconstructed file from Wireshark as server and a client which can communicate with the server and decode the media stream as a ASF video file. We used these programs which can do the task. Once after uploading we opened the GetASFStreamer ( client) which decoded and saved the video file where we had the flag. As a note, please use these programs in Windows XP. I did not get the ASF video file saved, when I followed the same steps (mentioned above) in a Windows 7 machine.



So the flag is,





MMA CTF 2015 Splitted writeup Forensics

Download the challenge file from here

The challenge involved, a little bit of thinking to solve in a simple way, if you are unsure about the zip file structure. A zip file was split into 8 different parts and it was sent to the host The task is, reconstruct the fragments of the zip file, arrange it in order adhering to the zip file structure. Once you do it you will get a valid Adobe Photoshop file ( .psd). Then extract the image to view the flag. This works only if you reconstruct the zip file in the order mentioned in the zip file structure. Since it is just a 30 points challenge, I didn’t spend much time in thinking about solving in a proper way. Here is the idea (#lame 😀 :P) I came up with,

  1. Reconstruct the fragments from the Wireshark. If you are doing it by hand make sure to strip the HTTP headers in the beginning. The best way is to Export the HTTP objects. Find my reconstructed fragments from here
  2. Identify the header and footer of a zip file. Zip file header always starts with the magic number 50 4B 03 04 14 00… (HEX), PK…….(ASCII). Now the footer, it looks something like this,footer_zip
  3. You have identified the header and footer. So the number of remaining fragments from the pcap file is 6 (excluding the header and footer) out of 8. So there are 6! (spelled as six factorial) ways to arrange these fragments to get a valid zip file. We just wrote a script using Python to do complete this task (I owe my sincere thanks 😛 to b3h3m0th for helping me with this script).
#!/usr/bin/env python

import itertools
import zipfile
import os

body_n = [1, 3, 4, 6, 7, 8]
header = "2_header.raw"
footer = "5_footer.raw"

def generate_file(sequence, i):
    final_file = "final_" + str(i) + ".zip"
    open(final_file, "w").close()
    final = open(final_file, "a")

    header_data = open(header, "r").read()
    footer_data = open(footer, "r").read()

    for item in sequence:
        d = open(item, "r").read()

        content = zipfile.ZipFile(final_file)
        print "\n\n\n\n [*] permutation", i, "SUCCESS !!! "
        print "\n [i] Successful Sequence:\n\n"
        print header
        for item in sequence:
            print item
        print footer


def main():
    perms = []
    body_list = [str(i) + ".raw" for i in body_n]
    permsobj = itertools.permutations(body_list)
    while True:
            perms += []
        except StopIteration:

    for item in perms:
        generate_file(item, i)
        i = i+1

if __name__ == "__main__":

When you run this script you will get the sequence (2_header.raw, 6.raw, 7.raw, 3.raw.. etc) as well as the valid zip file.

permutationUnzip the valid zip file which is reconstructed using this script. The file name would be When you unzip you will get a psd file. We used a psd file parser to get the layered images. After running the parser on the psd file we got the flag.


One of the image had our flag,


[EDIT] Another way to reconstruct the ZIP file

Here is a elegant way to solve the challenge. I came to know about this method from the comments.


Filter the http packets. When you click on a GET request packet you can see the “Range” field( in the HTTP section). Now carefully look the range of values(Range field) in all the packets, you will notice a sequence, With that we can reconstruct the zip file.

Packet No: 14  Range : 2345-2813

Packet No: 24  Range : 0 – 468

Packet No: 34  Range : 1407 – 1875

Packet No: 44  Range : 2814 – 3282

Packet No: 54  Range : 3283 – 3744

Packet No: 64  Range : 469 – 937

Packet No: 74  Range : 938 – 1406

Packet No: 84  Range : 1876 – 2344

Now order these packets in increasing order and then write it to a file. So the order should be: Packet number : 24, 64, 74, 34, 84, 14, 44, 54. Or export the data streams in these order, rearrange it to get the valid zip file.