Hexcellents CTF Wiki

Codegate 2014: "WeirdShark" 150 pts

The challenge presented itself as a PCAP file suitable for opening with Wireshark. However, upon opening the file, we noticed that it was corrupted:

The capture file appears to be damaged or corrupt.
(pcapng_read_packet_block: total block length 96 of EPB is too small for 4270407998 bytes of packet data)

While we found the check that generated the error message[1] and the PCAP file format[2], there was nothing that seemed to relate the two. Nevertheless, some further googling yielded pcapfix[3], which attempts to fix corrupted PCAP files and also comes in an online version.

We used pcapfix and attempted to open the packet capture again, but it seems that there are still some issues with it:

The capture file appears to be damaged or corrupt.
(pcapng_read_packet_block: cap_len 64 is larger than packet_len 62.)

Looking back at [2], we saw that each packet stored in a PCAP file has some metadata associated with it:

typedef struct pcaprec_hdr_s {
        guint32 ts_sec;         /* timestamp seconds */
        guint32 ts_usec;        /* timestamp microseconds */
        guint32 incl_len;       /* number of octets of packet saved in file */
        guint32 orig_len;       /* actual length of packet */
} pcaprec_hdr_t;

The format description also mentions that incl_len should never become greater than orig_len, which is exactly the reason why the capture was still corrupted. The source code [4] seemed to hint as much.

So the next step was to open a hex editor and look for 0x40 0x00 0x00 0x00 0x3E 0x00 0x00 0x00. Luckily, there is only one such occurrence, at offset 304. After changing 0x40 to 0x3E so the error condition would no longer be triggered, the file was successfully opened by Wireshark.
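The manual hex edit above can be done systematically. The script below is an added example, not part of the original writeup or of Wireshark: it walks a pcapng file block by block (the error messages name pcapng_read_packet_block and EPB, the Enhanced Packet Block, whose captured/original length pair plays the role of incl_len/orig_len in the legacy struct shown earlier), applies the two consistency checks that produced the two error messages, and rewrites a captured length that exceeds the original length at its exact file offset. The sample capture it operates on is constructed in memory, so the offsets it reports (field offset 160) are those of the constructed file, not the 304 from the challenge file; the block layout follows the pcapng specification (28-byte fixed EPB header, data padded to 4 bytes, 4-byte trailing length copy).

```python
"""Validate and repair the per-packet length fields of a pcapng file.

Added example; mirrors the two Wireshark checks seen in the writeup:
  1. block total length too small for the captured packet data
  2. cap_len larger than packet_len (orig_len)
"""
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block (palindromic, endian-neutral)
IDB_TYPE = 0x00000001          # Interface Description Block
EPB_TYPE = 0x00000006          # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
EPB_FIXED_HEADER = 28          # type, total_len, iface, ts_hi, ts_lo, cap_len, orig_len
BLOCK_TRAILER = 4              # trailing copy of block total length


def _endianness(data):
    """Return '<' or '>' from the byte-order magic of the leading SHB."""
    if len(data) < 12 or struct.unpack('<I', data[:4])[0] != SHB_TYPE:
        raise ValueError('file does not start with a Section Header Block')
    if data[8:12] == struct.pack('<I', BYTE_ORDER_MAGIC):
        return '<'
    if data[8:12] == struct.pack('>I', BYTE_ORDER_MAGIC):
        return '>'
    raise ValueError('bad byte-order magic in Section Header Block')


def _blocks(data, end):
    """Yield (offset, type, total_len) for each block; stop on an unusable length."""
    off = 0
    while off + 8 <= len(data):
        btype, total_len = struct.unpack(end + 'II', data[off:off + 8])
        if total_len < 12 or total_len % 4 or off + total_len > len(data):
            yield off, btype, None      # cannot resync without a sane length
            return
        yield off, btype, total_len
        off += total_len


def check_pcapng(data):
    """Return [(block_offset, problem)] for every inconsistent EPB."""
    end = _endianness(data)
    problems = []
    for off, btype, total_len in _blocks(data, end):
        if total_len is None:
            problems.append((off, 'block total length is invalid'))
            break
        if btype != EPB_TYPE:
            continue
        cap_len, orig_len = struct.unpack(end + 'II', data[off + 20:off + 28])
        padded = (cap_len + 3) & ~3      # packet data is padded to 32 bits
        if EPB_FIXED_HEADER + padded + BLOCK_TRAILER > total_len:
            problems.append((off, 'total block length %d of EPB is too small for %d bytes of packet data'
                             % (total_len, cap_len)))
        elif cap_len > orig_len:
            problems.append((off, 'cap_len %d is larger than packet_len %d' % (cap_len, orig_len)))
    return problems


def repair_caplen(data):
    """Rewrite cap_len to orig_len wherever cap_len > orig_len and the block
    still has room for orig_len bytes. Returns (fixed_bytes, [(field_offset, old, new)])."""
    end = _endianness(data)
    buf = bytearray(data)
    edits = []
    for off, btype, total_len in _blocks(buf, end):
        if total_len is None:
            break
        if btype != EPB_TYPE:
            continue
        field = off + 20                 # file offset of the cap_len field
        cap_len, orig_len = struct.unpack(end + 'II', buf[field:field + 8])
        if cap_len > orig_len and EPB_FIXED_HEADER + ((orig_len + 3) & ~3) + BLOCK_TRAILER <= total_len:
            buf[field:field + 4] = struct.pack(end + 'I', orig_len)
            edits.append((field, cap_len, orig_len))
    return bytes(buf), edits


# --- constructed sample capture (not the challenge file) ---------------------
def _block(end, btype, body):
    total = 8 + len(body) + BLOCK_TRAILER
    return struct.pack(end + 'II', btype, total) + body + struct.pack(end + 'I', total)


def _epb(end, cap_len, orig_len, payload):
    body = struct.pack(end + 'IIIII', 0, 0, 0, cap_len, orig_len)
    body += payload + b'\0' * ((-len(payload)) % 4)
    return _block(end, EPB_TYPE, body)


def build_sample(end='<'):
    """SHB + IDB (Ethernet) + one sane EPB + one EPB with cap_len 64 > packet_len 62.
    The corrupted record carries the same 40 00 00 00 3E 00 00 00 pattern the writeup searched for."""
    shb = _block(end, SHB_TYPE, struct.pack(end + 'IHHq', BYTE_ORDER_MAGIC, 1, 0, -1))
    idb = _block(end, IDB_TYPE, struct.pack(end + 'HHI', 1, 0, 65535))
    good = _epb(end, 60, 60, b'\xaa' * 60)
    bad = _epb(end, 64, 62, b'\xbb' * 64)
    return shb + idb + good + bad


if __name__ == '__main__':
    sample = build_sample()
    for off, problem in check_pcapng(sample):
        print('block at offset %d: %s' % (off, problem))
    fixed, edits = repair_caplen(sample)
    for field, old, new in edits:
        print('patched cap_len at offset %d: %d -> %d' % (field, old, new))
    print('remaining problems:', check_pcapng(fixed))
```

To use it on a real file, read it into bytes, run check_pcapng to list the offending blocks, then write the result of repair_caplen back out. The repair keeps the block total length untouched, which is what makes the cap_len rewrite safe in pcapng: Wireshark advances by the block length, so the two surplus data bytes are simply skipped.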

The capture seems to contain a series of GET requests for several files:

  • favicon.ico
  • mario.png
  • obama.bmp
  • codegate.jpg
  • multiple.pdf
  • grayhash.jpg

All of these can be exported with Wireshark using File → Export Objects → HTTP. Of all the files recovered, only multiple.pdf was relevant as it contained the flag:

FLAG = FORENSICS_WITH_HAXORS

[1] https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=wiretap/pcapng.c;h=72b2c2aed3b5e5f957dc3d35bbe507657911b251;hb=HEAD#l1068

[2] http://wiki.wireshark.org/Development/LibpcapFileFormat

[3] http://f00l.de/pcapfix/

[4] https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=wiretap/pcapng.c;h=72b2c2aed3b5e5f957dc3d35bbe507657911b251;hb=HEAD#l1095

writeups/codegate2014_weird_shark.txt · Last modified: 2014/04/23 07:37 by vladum