MMA CTF 2015 Forensics stream writeup


I played a CTF after a very long gap. We secured 33rd (team bi0s) position out of 650+ teams in the contest by knocking down 17 challenges.

Download the challenge file from here

The challenge involves the following tasks,

  1. Extract the x-mms-framed binary ( streaming data ) from the given traffic captured file.
  2. Recover the media stream from the x-mms-framed binary.

As per the Microsoft documentation [1] [2],

The file is actually used to stream real time data between client (can be Windows Media Player or VLC etc) and server (Microsoft Media Servers). The receiver of the streaming data is the client and the sender is  server. Unlike HTTP this version of HTTP protocol maintains the state. The protocol attempts to facilitate scenarios where the multimedia file is being transferred and rendered simultaneously. One important thing to notice is, it doesn’t provide a mechanism for a client to discover the URL to the server.

After reading more on the Microsoft documentation I understood we can recover the media streams. So I focused on searching a program which can host this reconstructed file from Wireshark as server and a client which can communicate with the server and decode the media stream as a ASF video file. We used these programs which can do the task. Once after uploading we opened the GetASFStreamer ( client) which decoded and saved the video file where we had the flag. As a note, please use these programs in Windows XP. I did not get the ASF video file saved, when I followed the same steps (mentioned above) in a Windows 7 machine.



So the flag is,






MMA CTF 2015 Splitted writeup Forensics

Download the challenge file from here

The challenge involved, a little bit of thinking to solve in a simple way, if you are unsure about the zip file structure. A zip file was split into 8 different parts and it was sent to the host The task is, reconstruct the fragments of the zip file, arrange it in order adhering to the zip file structure. Once you do it you will get a valid Adobe Photoshop file ( .psd). Then extract the image to view the flag. This works only if you reconstruct the zip file in the order mentioned in the zip file structure. Since it is just a 30 points challenge, I didn’t spend much time in thinking about solving in a proper way. Here is the idea (#lame 😀 :P) I came up with,

  1. Reconstruct the fragments from the Wireshark. If you are doing it by hand make sure to strip the HTTP headers in the beginning. The best way is to Export the HTTP objects. Find my reconstructed fragments from here
  2. Identify the header and footer of a zip file. Zip file header always starts with the magic number 50 4B 03 04 14 00… (HEX), PK…….(ASCII). Now the footer, it looks something like this,footer_zip
  3. You have identified the header and footer. So the number of remaining fragments from the pcap file is 6 (excluding the header and footer) out of 8. So there are 6! (spelled as six factorial) ways to arrange these fragments to get a valid zip file. We just wrote a script using Python to do complete this task (I owe my sincere thanks 😛 to b3h3m0th for helping me with this script).
#!/usr/bin/env python

import itertools
import zipfile
import os

body_n = [1, 3, 4, 6, 7, 8]
header = "2_header.raw"
footer = "5_footer.raw"

def generate_file(sequence, i):
    final_file = "final_" + str(i) + ".zip"
    open(final_file, "w").close()
    final = open(final_file, "a")

    header_data = open(header, "r").read()
    footer_data = open(footer, "r").read()

    for item in sequence:
        d = open(item, "r").read()

        content = zipfile.ZipFile(final_file)
        print "\n\n\n\n [*] permutation", i, "SUCCESS !!! "
        print "\n [i] Successful Sequence:\n\n"
        print header
        for item in sequence:
            print item
        print footer


def main():
    perms = []
    body_list = [str(i) + ".raw" for i in body_n]
    permsobj = itertools.permutations(body_list)
    while True:
            perms += []
        except StopIteration:

    for item in perms:
        generate_file(item, i)
        i = i+1

if __name__ == "__main__":

When you run this script you will get the sequence (2_header.raw, 6.raw, 7.raw, 3.raw.. etc) as well as the valid zip file.

permutationUnzip the valid zip file which is reconstructed using this script. The file name would be When you unzip you will get a psd file. We used a psd file parser to get the layered images. After running the parser on the psd file we got the flag.


One of the image had our flag,


[EDIT] Another way to reconstruct the ZIP file

Here is a elegant way to solve the challenge. I came to know about this method from the comments.


Filter the http packets. When you click on a GET request packet you can see the “Range” field( in the HTTP section). Now carefully look the range of values(Range field) in all the packets, you will notice a sequence, With that we can reconstruct the zip file.

Packet No: 14  Range : 2345-2813

Packet No: 24  Range : 0 – 468

Packet No: 34  Range : 1407 – 1875

Packet No: 44  Range : 2814 – 3282

Packet No: 54  Range : 3283 – 3744

Packet No: 64  Range : 469 – 937

Packet No: 74  Range : 938 – 1406

Packet No: 84  Range : 1876 – 2344

Now order these packets in increasing order and then write it to a file. So the order should be: Packet number : 24, 64, 74, 34, 84, 14, 44, 54. Or export the data streams in these order, rearrange it to get the valid zip file.