Insomni’hack teaser 2017 Forensics The Great Escape part-1 writeup


From the given PCAP file you must have noticed traffic from the OCSP, HTTP, FTP, SMTP and TLS protocols. TLS has the actual flag, FTP has the private key to decrypt the TLS traffic, and SMTP has the clue that will help us filter the traffic of interest, i.e. the right TLS packets. You can ignore the rest.

The first task is to retrieve the private key file from the FTP traffic. Use the filter “ftp-data” in Wireshark. Follow the TCP stream and you can see the transferred private key. Save that as a text file (private_key.txt).


We have the private key, and all we have to do is use it to decrypt the TLS packets. Use the filter “ssl” (“tls” in Wireshark 3.0 and later) to see the encrypted traffic.


We have 4+ HTTP servers involved and the important task is to find the right one that has the flag. But how? The answer is in the hint transmitted in the email (SMTP traffic). Use the filter “smtp” and read the contents of the email. You can see the sender informing about moving the code from Swiss Secure Cloud to Maybe the flag was transmitted here!


The two addresses found in the email point to : 443. So this might be the right IP address we are looking for.


To confirm, see if there is any traffic originating from in the PCAP file. You will see the encrypted traffic. Let’s use all the information we gathered from the SMTP protocol (IP :, PORT : 443) and FTP (the private key) to decrypt the SSL traffic.

Go to Edit->Preferences->Protocols->SSL (listed as TLS in Wireshark 3.0 and later). In the RSA key list add all the information we got. The protocol should be http as the port no for is 443 (default for https).


Use the filter “ip.addr== and http”. You can see the deciphered traffic.

I was searching for the flag inside the transferred files (File -> Export -> HTTP objects) but it was not there; after a while I found it in the HTTP header.



SECCON 2016 Forensics 100 VoIP writeup

Challenge description:

Extract a voice.
The flag format is SECCON{[A-Z0-9]}.

A straightforward challenge. It is clearly mentioned that we need to extract the voice message. Also, you can see the RTP streams when you open the PCAP file in Wireshark.


Get the flag by playing the voice message after extracting the VoIP call from the menu (Telephony -> VoIP calls).

The Flag was : SECCON{{9001IVR}

MMA CTF 2015 Forensics stream writeup


I played a CTF after a very long gap. We secured 33rd (team bi0s) position out of 650+ teams in the contest by knocking down 17 challenges.

Download the challenge file from here

The challenge involves the following tasks,

  1. Extract the x-mms-framed binary (streaming data) from the given traffic capture file.
  2. Recover the media stream from the x-mms-framed binary.

As per the Microsoft documentation [1] [2],

The file is actually used to stream real-time data between a client (Windows Media Player, VLC, etc.) and a server (Microsoft Media Servers). The receiver of the streaming data is the client and the sender is the server. Unlike plain HTTP, this version of the HTTP protocol maintains state. The protocol attempts to facilitate scenarios where the multimedia file is being transferred and rendered simultaneously. One important thing to notice is that it doesn’t provide a mechanism for a client to discover the URL of the server.

After reading more of the Microsoft documentation I understood that we can recover the media streams. So I focused on searching for a program which can host this reconstructed file from Wireshark as a server, and a client which can communicate with the server and decode the media stream as an ASF video file. We used these programs which can do the task. After uploading, we opened the GetASFStreamer (client), which decoded and saved the video file where we had the flag. As a note, please use these programs in Windows XP. I did not get the ASF video file saved when I followed the same steps (mentioned above) on a Windows 7 machine.



So the flag is,





MMA CTF 2015 Splitted writeup Forensics

Download the challenge file from here

The challenge involved a little bit of thinking to solve in a simple way, if you are unsure about the zip file structure. A zip file was split into 8 different parts and it was sent to the host The task is to reconstruct the fragments of the zip file and arrange them in order, adhering to the zip file structure. Once you do it you will get a valid Adobe Photoshop file (.psd). Then extract the image to view the flag. This works only if you reconstruct the zip file in the order mentioned in the zip file structure. Since it is just a 30 points challenge, I didn’t spend much time thinking about solving it in a proper way. Here is the idea (#lame 😀 :P) I came up with,

  1. Reconstruct the fragments from Wireshark. If you are doing it by hand, make sure to strip the HTTP headers at the beginning. The best way is to export the HTTP objects. Find my reconstructed fragments from here
  2. Identify the header and footer of a zip file. A zip file header always starts with the magic number 50 4B 03 04 14 00… (HEX), PK…….(ASCII). Now the footer, it looks something like this,
  3. You have identified the header and footer. So the number of remaining fragments from the pcap file is 6 (excluding the header and footer) out of 8. So there are 6! (spelled as six factorial) ways to arrange these fragments to get a valid zip file. We just wrote a script using Python to complete this task (I owe my sincere thanks 😛 to b3h3m0th for helping me with this script).
#!/usr/bin/env python3

import itertools
import os
import zipfile

body_n = [1, 3, 4, 6, 7, 8]
header = "2_header.raw"
footer = "5_footer.raw"

def generate_file(sequence, i):
    final_file = "final_" + str(i) + ".zip"

    # Fragments are binary: header, body fragments in this order, footer
    with open(final_file, "wb") as final:
        for item in (header,) + tuple(sequence) + (footer,):
            with open(item, "rb") as f:
                final.write(f.read())

    try:
        with zipfile.ZipFile(final_file) as content:
            # Opening only parses the central directory; testzip() also
            # checks each member's CRC, which fails for a wrong ordering
            if content.testzip() is not None:
                raise zipfile.BadZipFile("CRC mismatch")
    except Exception:
        # Any parse, decompression or CRC failure: discard this candidate
        os.remove(final_file)
        return False

    print("\n\n\n\n [*] permutation", i, "SUCCESS !!! ")
    print("\n [i] Successful Sequence:\n\n")
    print(header)
    for item in sequence:
        print(item)
    print(footer)
    return True


def main():
    body_list = [str(i) + ".raw" for i in body_n]
    # Try every ordering of the six body fragments (6! = 720 candidates)
    for i, item in enumerate(itertools.permutations(body_list)):
        generate_file(item, i)

if __name__ == "__main__":
    main()

When you run this script you will get the sequence (2_header.raw, 6.raw, 7.raw, 3.raw.. etc) as well as the valid zip file.

Unzip the valid zip file which is reconstructed using this script. The file name would be When you unzip you will get a psd file. We used a psd file parser to get the layered images. After running the parser on the psd file we got the flag.


One of the images had our flag,


[EDIT] Another way to reconstruct the ZIP file

Here is an elegant way to solve the challenge. I came to know about this method from the comments.


Filter the HTTP packets. When you click on a GET request packet you can see the “Range” field (in the HTTP section). Now look carefully at the Range values in all the packets and you will notice a sequence. With that we can reconstruct the zip file.

Packet No: 14  Range: 2345-2813

Packet No: 24  Range: 0-468

Packet No: 34  Range: 1407-1875

Packet No: 44  Range: 2814-3282

Packet No: 54  Range: 3283-3744

Packet No: 64  Range: 469-937

Packet No: 74  Range: 938-1406

Packet No: 84  Range: 1876-2344

Now sort these packets in increasing order of range and then write the data to a file. So the order should be: Packet number : 24, 64, 74, 34, 84, 14, 44, 54. Or export the data streams in this order and rearrange them to get the valid zip file.
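The Range-based ordering described above, as an added example (not code from the original post): it parses each request's Range value, sorts the bodies by start offset, and refuses to concatenate when there is a gap, overlap or length mismatch. The fragments are constructed in `make_sample`; the function names and the standard `bytes=first-last` header form are assumptions of this example.

```python
import io
import random
import re
import zipfile

RANGE_RE = re.compile(r"^bytes=(\d+)-(\d+)$")

def reassemble(fragments):
    """fragments: (Range header value, response body) pairs in capture order.
    Returns the rebuilt file; raises ValueError on gap, overlap or bad length."""
    parsed = []
    for value, body in fragments:
        m = RANGE_RE.match(value.replace(" ", ""))
        if not m:
            raise ValueError("unsupported Range value: %r" % value)
        first, last = int(m.group(1)), int(m.group(2))
        if last - first + 1 != len(body):
            raise ValueError("body length does not match range %s" % value)
        parsed.append((first, body))
    parsed.sort(key=lambda t: t[0])
    out = bytearray()
    for first, body in parsed:
        # Each fragment must start exactly where the previous one ended
        if first != len(out):
            raise ValueError("gap or overlap at offset %d" % len(out))
        out += body
    return bytes(out)

def make_sample(chunk=469, seed=1):
    """Constructed data: a small ZIP cut into shuffled ranged responses."""
    rng = random.Random(seed)
    payload = bytes(rng.randrange(256) for _ in range(3000))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("flag.psd", payload)
    data = buf.getvalue()
    frags = [("bytes=%d-%d" % (o, min(o + chunk, len(data)) - 1), data[o:o + chunk])
             for o in range(0, len(data), chunk)]
    rng.shuffle(frags)
    return data, frags

def is_valid_zip(blob):
    # testzip() checks every member's CRC, not just the central directory
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.testzip() is None

if __name__ == "__main__":
    original, frags = make_sample()
    rebuilt = reassemble(frags)
    print("capture order:", [r for r, _ in frags])
    print("valid zip:", is_valid_zip(rebuilt), "identical:", rebuilt == original)
```

A missing final fragment cannot be detected from the offsets alone, which is why the rebuilt file is also checked with `is_valid_zip`.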

Seccon 2014 Writeups Networking 100 and Programming 100

Missed out on a lot of challenges due to exams, and could complete only the basic ones. Here is the writeup for the 2 challenges solved during the contest!

Networking 100

Download the pcap here

The first networking challenge was an easy one. If you dump the HTTP objects you can see an HTML page stating that the credentials given for validation were wrong. If you look into packet no 23 you can see the same user logging in successfully. So the username and password given for validation must be correct and the credentials can be found in the HTTP request. You can see them in packet no 21. The credentials were,

username : seccon2014

password : YourBattleField


When you use the credentials after logging into the page you will notice a key.html file, when you click it, you can see the flag!


Programming 100

There is a service running in the following address The service throws a list of numbers for more than 50 times and asks us to find either the maximum or the minimum among the list. I wrote a script which can parse and automate the response to the service,

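import socket

# Placeholders: the service address is not given here
HOST = "<service-host>"
PORT = 0

def netcat(hostname, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((hostname, port))
    while True:
        numbers = []
        data = s.recv(902400).decode(errors="replace")
        print(data)
        server = data.split('\n')
        values = server[0].split(',')
        for i in values:
            try:
                numbers.append(int(i))
            except ValueError:
                pass  # skip anything that is not a number
        try:
            if server[1].find('max') > 0:
                answer = max(numbers)
            elif server[1].find('min') > 0:
                answer = min(numbers)
            else:
                continue
            # Assumption: the service reads the answer as one line of text
            s.sendall((str(answer) + '\n').encode())
            print('Sent:', answer)
        except (ValueError, IndexError):
            # No numbers or no question line (end of data or final message)
            break
    s.close()
    print("Connection closed.")

if __name__ == "__main__":
    netcat(HOST, PORT)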


After some 5 minutes I got the flag to be,


The Flag is SECCON{Programming is so fun!}

CSCamp CTF 2014 Forensics 100 writeup netcat, Cryptcat Who Cares?


Download the challenge file from here.

We were given a pcap file and asked to submit the hash of the encrypted file after reconstructing it. The challenge title will help you get started. First I tried to learn the differences between the netcat and cryptcat tools. Netcat is an open-source application which can read and write files over the network. Netcat can also be used to create backdoors ;). But netcat doesn’t encrypt the data during transit. If we can sniff the packets we can get the transferred files in clear text. That is the only disadvantage of using netcat. In order to fill the gap, Hobbit came up with a slightly modified version of nc called Cryptcat. It essentially scrambles the conversation using the Twofish encryption method. Twofish is a symmetric key encryption algorithm which takes a secret key as an argument to encrypt as well as to decrypt the conversation. Now, all the files/conversations which are transferred will be encrypted using Twofish and the shared secret key. Only those who know the secret key will be able to see the message after decryption.

Our goal is to find the binary file which is encrypted and transferred using cryptcat. One more thing you have to understand here is that Cryptcat doesn’t use the SSL protocol to transfer files. It encrypts the data with the Twofish algorithm, and the resulting data is sent across the network using either the TCP or the UDP protocol. So here is another question: “How are we going to tell the encrypted data from the normal data in the TCP stream?” Here are some of my thoughts,

1. Cryptcat files are transferred between machines. Since it is a CTF contest, most likely between 2 machines having private addresses.

2. Since cryptcat and netcat use the TCP/UDP protocols, you can ignore the rest (like SSDP, SSL etc.) from the pcap file.

3. You don’t need the Microsoft update files (.psf), which can be seen in the beginning – Microsoft doesn’t use Cryptcat to do them.

4. You don’t have to look into the SSDP protocol, which relies on UDP. The protocol just sends broadcast advertisement packets to discover devices. Our purpose is different here.

When you ignore the aforementioned protocols, only TCP will be left. So apply the filter “tcp” in Wireshark to find the IP addresses of the machines which used cryptcat to transfer files. The IP addresses are and Use this filter “ip.src== and ip.dst==” to get the complete conversation. As I said earlier, in order to encrypt the conversation we use cryptcat with a shared secret key. When you go through the packets, you can see that initially the conversation happened using netcat, which does not encrypt the conversation.


You can find the secret key in those packets, which will be used to encrypt the rest of the conversations. As per the conversation shown here, herp requested derp to communicate securely using cryptcat and the secret key (Dagaga).


Also herp has sent the actual cryptcat application (in DOS) for derp to communicate. You can find the executable in packet number 7036.


You need to extract the executable first, because you are going to use the same executable to decrypt the encrypted conversation. Herp once again notifies derp that he has sent the executable and the secret key. You can see the message in the packets from 7091 to 7291. Packets from 7301 to 7980 are encrypted using the secret key. If you look at the size of packet 7692, you will understand that a file has been transferred. The question here would be “How are we going to decrypt the encrypted binary file?”. I tried resending the entire pcap file with the secret key to decrypt the encrypted streams. You can do it like this on your machine,

$ cryptcat -l -k Dagaga -p 7070 < pcaponly.pcap  -> Machine 1
$ cryptcat -k Dagaga 7070 > file.pcap   -> Machine 2

Obviously I got the same contest file again since we are encrypting the encrypted packets again. Then I thought to reconstruct the encrypted file alone (found in packet no 7692) and decrypt it using an online tool. It didn’t click anyway. Before using that you have to pull it out of the stream.


As expected the file type is raw data, since the binary file’s header also got encrypted.

➜  100 [0] file binary1.dat                                                    
binary1.dat: data

Then I used openssl to decrypt it, failed again. Well I ran out of options and was thinking for a solution. We need a mechanism which can decrypt a file, while it is in transit. I remembered my early days where I used to copy small files using netcat. This has really helped me to solve this problem. Usually I use netcat like this to copy a file from one machine to another,

$ nc -l portno < filename.extension                 --> server end
$ cat filename.extension | nc client_ip port_no         --> client end

This is how it works: while transferring a file from the server we will concatenate each and every bit of the same file at the other end. Similarly I used netcat to send the encrypted file from my Linux machine and on the other side I used cryptcat (found from the pcap file) to decrypt the file by specifying the secret key.


final.exe and binary1.dat are the reconstructed cryptcat application and encrypted file respectively. is my Windows machine’s IP address. Once the file is transferred, check whether the file type is still raw data or has changed to something else!

➜  100 [0] file named.dat                                                      
named.dat: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

Yes!!!! 😀 it did change! So the encrypted file is actually a Windows binary! Now calculate the md5sum to get the flag,

➜  100 [0] md5sum named.dat                                                    
32170cab0f59ce6e1fc8df51a757cc99  named.dat

This is how I solved the challenge. The flag is 32170cab0f59ce6e1fc8df51a757cc99

Let me know if there is any alternate method to solve it! 🙂

SECURE CTF 2014 Writeup

Task – 1

Not solved!

Task – 2: Great Number

They gave this question and we were asked to find the flag.

FLAG = ( 31337 +  X  ) / 31337

NOTE: You should get ascii text !
NOTE2: We re-uploaded correct ‘X’.

and the value of X was 20609038575248457690773428127436065356620526665061920

I thought I would have to break my head to solve this math challenge, but it was not so after looking at the hint given in the source page. The hint was “<!-- h-->”. Decode it to hex! Before that, it is good to divide before you add anything! I divided the value of X after adding 1 with 31337. Then convert the resulting integer to hex and finally decode the hex string, you will see the flag!


The Flag was : ‘s2k14_WowSoBigInt!!!’

Task – 3: Capture the Memories

To solve this challenge you need to download this file,

Initially I assumed that I need to figure out a way to decrypt the SSL packets and then to find the flag. But when I went through the first packet, I dropped my assumption. It was very easy then!


So you just have to XOR 2 strings to get the flag!

str1 = '0x0b4a13494c272b190130112c17301d190a0c1a141d1d1c391f191116'
str2 = '0x78787878787878787878787878787878787878787878787878787878'
xorstr = ''
# Drop the '0x' prefix, decode the hex to bytes and XOR byte by byte
for a, b in zip(bytes.fromhex(str1[2:]), bytes.fromhex(str2[2:])):
    xorstr += chr(a ^ b)
print(xorstr)

Running the program gives the flag : s2k14_SayHiToHeartbleedAgain

Task 4 : Much Difference, So Stegano WOW

The image to be solved is given below,


When you try to view the image in Green Plane 0 or in any Random Color Map, the flag will be clear,


Task 5 – Do not Stop the Run

I couldn’t submit the flag before the contest time! But happy that I solved it!

A link was given and when you click, it redirects to http://do.not.sleep ! When I viewed the source code, I got this hint “<!-- use as domain resolver 🙂 -->”. Then I added the IP address ( of in the resolv.conf file as mentioned in the hint. After adding it once again I tried accessing the link, still the error was thrown saying “Server was not found”. When you start with digging the nameserver, you will notice the flag soon.

➜  CTF [0] dig do.not.sleep                                                                                                                                                      

;;DiG 9.9.5-3-Ubuntu <<>> do.not.sleep
;; global options: +cmd
;; Got answer:
;; <<HEADER>>- opcode: QUERY, status: NOERROR, id: 11453
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;do.not.sleep.            IN    A

do.not.sleep.        1    IN    CNAME

;; Query time: 195 msec
;; WHEN: Fri Oct 17 00:40:04 IST 2014
;; MSG SIZE  rcvd: 75

Find the IP addresses of the subdomains and find its alias, you will get the flag (I am assuming what I found is the correct flag since the flag format specified in the rules page is found to be s2k14_[a-zA-Z0-9]* (<-readable text!!!) and it matches mine except for the underscore (“_”)) has address is an alias for has address is an alias for is an alias for

<strike>The Flag was the alias of a domain name!</strike>

This is not the flag it seems. From here I have to take some more steps to reach the flag. Will update once after finding the proper flag.