{"id":912,"date":"2015-09-10T00:45:50","date_gmt":"2015-09-09T22:45:50","guid":{"rendered":"https:\/\/0x90r00t.com\/fr\/?p=912"},"modified":"2015-09-10T00:49:59","modified_gmt":"2015-09-09T22:49:59","slug":"mma-2015-forensics-warmup-splitted-write-up","status":"publish","type":"post","link":"https:\/\/0x90r00t.com\/fr\/2015\/09\/10\/mma-2015-forensics-warmup-splitted-write-up\/","title":{"rendered":"[MMA 2015] [Forensics \/ Warmup – Splitted] Write up"},"content":{"rendered":"

Description<\/h2>\n

Nous nous retrouvons avec une archive<\/a> contenant une capture r\u00e9seau.<\/p><\/blockquote>\n

<\/p>\n

Resolution<\/h2>\n

Tout d’abord, nous avons ouvert le fichier .pcap avec wireshark.<\/p>\n

En quelques secondes on se rend compte que la capture contient le t\u00e9l\u00e9chargement en plusieurs parties d’un fichier flag.zip, int\u00e9ressant !<\/p>\n

\"wireshark<\/a>On exporte alors tous ces fichiers, ce qui nous fait 8 parties de fichier zip.<\/p>\n

Gr\u00e2ce au header http \u00ab\u00a0Content-Range\u00a0\u00bb nous pouvons retrouver l’ordre dans lequel renommer les fichier .zip extraits.<\/p>\n

| File N | Range |\r\n|----------------|\r\n| 1\u00a0\u00a0\u00a0\u00a0\u00a0 | 0\u00a0\u00a0\u00a0\u00a0 |\r\n| 5\u00a0\u00a0\u00a0\u00a0\u00a0 | 469\u00a0\u00a0 |\r\n| 6\u00a0\u00a0\u00a0\u00a0\u00a0 | 938\u00a0\u00a0 |\r\n| 2\u00a0\u00a0\u00a0\u00a0\u00a0 | 1407\u00a0 |\r\n| 7\u00a0\u00a0\u00a0\u00a0\u00a0 | 1876\u00a0 |\r\n| 0\u00a0\u00a0\u00a0\u00a0\u00a0 | 2345\u00a0 |\r\n| 3\u00a0\u00a0\u00a0\u00a0\u00a0 | 2814\u00a0 |\r\n| 4\u00a0\u00a0\u00a0\u00a0\u00a0 | 3283\u00a0 |\r\n<\/pre>\n
On renomme alors \u00e0 la main, les fichiers export\u00e9s en part-x.zip, en suivant l’ordre du \u00ab\u00a0Content-Range\u00a0\u00bb.<\/p>\n
On assemble le zip puis on extrait l’archive.<\/p>\n
\r\n$ cat part-*.zip > assembled.zip\r\n$ unzip .\/assembled.zip<\/pre>\n
Archive:\u00a0 .\/assembled.zip
\ninflating: flag.psd<\/code><\/p>\n
$ file flag.psd<\/pre>\n
flag.psd: Adobe Photoshop Image, 640 x 400, RGB, 3x 8-bit channels<\/code><\/p>\n
Oh, un fichier psd, voyons voir le contenu de ses calques.<\/p>\n
\r\n$ convert flag.psd flag.png\r\n$ ls *.png<\/pre>\n
flag-0.png\u00a0 flag-1.png\u00a0\u00a0 \u00a0flag-2.png<\/code><\/p>\n
Le calque extrait dans le fichier flag-1.png contient le flag !<\/p>\n
\"flag\"<\/a>Le flag est : MMA{sneak_spy_sisters}<\/p>\n","protected":false},"excerpt":{"rendered":"
Description Nous nous retrouvons avec une archive contenant une capture r\u00e9seau.<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,35,52],"tags":[31,47,42,56],"class_list":["post-912","post","type-post","status-publish","format-standard","hentry","category-2015-fr","category-ctf-fr","category-mma-2015-fr","tag-forensics","tag-mma","tag-wireshark","tag-warmup"],"_links":{"self":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/comments?post=912"}],"version-history":[{"count":10,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/912\/revisions"}],"predecessor-version":[{"id":930,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/912\/revisions\/930"}],"wp:attachment":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/media?parent=912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/categories?post=912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/tags?post=912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}