Description
Why is the sky blue?
We are given a PCAP file containing some Bluetooth traffic. The flag has probably been transmitted between the devices. Let’s see what files has been sent.
[Megabeets]$: binwalk -e blue.pcap DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 40535 0x9E57 PNG image, 1400 x 74, 8-bit colormap, non-interlaced
Binwalk found a PNG image but couldn’t export it. I opened Wireshark and searched for the string “PNG” in the packet bytes. I found the 7 packets containing the PNG and exported their packet bytes (i.e Only the DATA, without the header bytes of each packet: 02 0C 20 FC 03 F8 03 47 00 63 EF E6 07). I then concatenated the output files using HxD,
and deleted the extra data preceding the PNG file header.
We now have the PNG file which is the flag:
Eat Veggies
no matter what I did my PNG was always corrupted and I was not able to open it 🙁
I did exact steps as in your wtire-up but I still get the same negative results 🙁
Did you delete the extra bytes in the beginning? If so, try open the file with MSPaint or view the thumbnail in explorer, it should work.
You can also upload the file and send me a link so I can look at it.
~ Itay
I did deleted the the beginning bytes. Did you deleted the last line of each data file containing:
“0400 0e .”
this is the my hex extract from pcap: http://pastebin.com/GJHd4M5u
I use xxd -r -p to convert to binary (it should be the same as HxD for win)
the png that I get is all messed up (but it opens in windows, not linux) not too sure how to send png file to you
Oh I see what the problem is. You didn’t delete the header (02 0C 20 FC 03 F8 03 47 00 63 EF E6 07) of each packet. You need to keep only the data. Here is an edited version of your image: http://pastebin.com/5PYyY6E3
I just deleted the headers. You can see the flag.
edit:
The image: https://oi65.tinypic.com/xkxbgx.jpg
~ Itay
What is the program you use to concatenated file? I found 7 packets but I cant concatenate it (try to use hjsplit). I’m just a newbie
Hi, as said in the post I used HxD, it’s my preferred Hex editor and it has concatenate feature.
In the menu click on Extras > File tools > Concatenate
Look at the comments above, and be sure to fully understand what in the packet is the headers and what is the image.
Feel free to ask any question you have.
And by the way, ASIS CTF was about a month ago, how did you got to this just now?
Thank you for your help. As i said i’m just a newbie so i’m finding the old forensic exams to understand and know what need to do in the next ctf event.