MMA CTF 2015 Forensics stream writeup

MMA_CTF_Scoreboard

I played a CTF after a very long gap. We secured 33rd (team bi0s) position out of 650+ teams in the contest by knocking down 17 challenges.

Download the challenge file from here

The challenge involves the following tasks,

  1. Extract the x-mms-framed binary ( streaming data ) from the given traffic captured file.
  2. Recover the media stream from the x-mms-framed binary.

As per the Microsoft documentation [1] [2],

The file is actually used to stream real time data between client (can be Windows Media Player or VLC etc) and server (Microsoft Media Servers). The receiver of the streaming data is the client and the sender isĀ  server. Unlike HTTP this version of HTTP protocol maintains the state. The protocol attempts to facilitate scenarios where the multimedia file is being transferred and rendered simultaneously. One important thing to notice is, it doesn’t provide a mechanism for a client to discover the URL to the server.

After reading more on the Microsoft documentation I understood we can recover the media streams. So I focused on searching a program which can host this reconstructed file from Wireshark as server and a client which can communicate with the server and decode the media stream as a ASF video file. We used these programs which can do the task. Once after uploading we opened the GetASFStreamer ( client) which decoded and saved the video file where we had the flag. As a note, please use these programs in Windows XP. I did not get the ASF video file saved, when I followed the same steps (mentioned above) in a Windows 7 machine.

stream_capture

stream

So the flag is,

mma_Ctf

References:

[1] https://msdn.microsoft.com/en-us/library/cc251059.aspx

[2] https://msdn.microsoft.com/en-us/library/cc251177.aspx

Advertisements