Poor Internet Connection

Another pcap. We start by looking at the protocol hierarchy. There are a few HTTP packets.

Http Packets

We see there are two GET requests: one for secret.txt and another for flag.zip.

The secret.txt is easy to get: a simple Follow TCP Stream shows us the content.

GET /secret.txt HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: 192.168.1.130
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 11 Feb 2014 01:58:27 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Tue, 11 Feb 2014 01:18:08 GMT
ETag: "163b39-2c-4f2173a986d9c"
Accept-Ranges: bytes
Content-Length: 44
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain

the password for zip file is : ZipYourMouth

If we follow the TCP stream of flag.zip, we get the header and the data. We’ll save it as raw into a file called zip, then take out the first 17 lines of the file so we end up with only the data of the zip file.

If we try to unzip it we get an error.

tail -n +18 zip > newzip 

unzip newzip

Archive: newzip
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of zip or
        zip.zip, and cannot find zip.ZIP, period.

This makes sense given the name of the challenge, “Poor internet connection”: the file was not fully downloaded. We can also confirm that by looking at the end of the file. Zip files have a central directory record at the end of the file containing the archive structure. This one does not have it.

If we go back to the pcap and look at the Conversations in the file, we notice that there are 3 of them.

Conversations

The second one is the secret.txt file, and the third one is the beginning of our zip file. If we follow the TCP stream of the first one, we can see that at the end of the stream we have something like this:

...5 ..-..XG.....^.*;T}()..x..[<?......PK..h..d)......>PK..
.	.....JD..7.............flag.txtUT	..Ew.R.w.Rux..............&..F{.....h?%v
...11+.L.....APK....7.........PK......	.....JDh..d)......>	.................garbage.0UT...(..Rux.............PK....
.	.....JD..7.......................|...flag.txtUT...Ew.Rux.............PK....................

PK is the zip file signature, and we have what looks like a central directory. There’s a flag.txt and a garbage.0 in the flag.zip file.

The packets are not in order. The first TCP stream is actually the last one.

We’ll save the TCP stream as raw and name it lastzip. We’ll append the content of lastzip to the end of newzip, then unzip it using the password ZipYourMouth.

cat newzip lastzip > finalzip

unzip finalzip

Archive:  finalzip
warning [finalzip]:  978849 extra bytes at beginning or within zipfile
  (attempting to process anyway)
file #1:  bad zipfile offset (local header sig):  978849
  (attempting to re-compensate)
[finalzip] garbage.0 password: 
  inflating: garbage.0               
  error:  invalid compressed data to inflate
file #2:  bad zipfile offset (local header sig):  1017724
  (attempting to re-compensate)
 extracting: flag.txt 

We got what we need: flag.txt.

cat flag.txt 

Flag-qscet5234diQ

The flag is Flag-qscet5234diQ
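
As an added example (not part of the original write-up), this Python script checks a carved file for the end-of-central-directory record, the check that newzip fails, and computes the offset skew that unzip reports as "extra bytes" for finalzip. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"          # end-of-central-directory record
EOCD_FMT = "<4sHHHHIIH"           # fixed 22-byte part of the record
EOCD_LEN = struct.calcsize(EOCD_FMT)


def inspect_zip_tail(data: bytes):
    """Return None if no EOCD record is present (truncated download),
    else a dict describing the central directory and any offset skew."""
    # The record sits at the end, followed only by an optional comment (<= 65535 bytes).
    pos = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_LEN - 0xFFFF))
    if pos < 0 or pos + EOCD_LEN > len(data):
        return None
    (_, _, _, _, entries, cd_size, cd_offset, _) = struct.unpack_from(EOCD_FMT, data, pos)
    # The central directory ends right where the EOCD begins, so its real
    # start is pos - cd_size. unzip reports the difference from the declared
    # offset as "extra bytes at beginning or within zipfile".
    actual_cd_start = pos - cd_size
    return {
        "entries": entries,
        "declared_cd_offset": cd_offset,
        "actual_cd_start": actual_cd_start,
        "extra_bytes": actual_cd_start - cd_offset,
    }


def build_sample_zip() -> bytes:
    """Constructed sample: a small stored archive with the two member names from the write-up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("garbage.0", b"A" * 4096)
        zf.writestr("flag.txt", b"constructed sample, not the real flag\n")
    return buf.getvalue()


if __name__ == "__main__":
    whole = build_sample_zip()
    cut = len(whole) // 2
    partial, tail = whole[:cut], whole[cut:]
    print("partial :", inspect_zip_tail(partial))
    print("rejoined:", inspect_zip_tail(partial + tail))
    print("skewed  :", inspect_zip_tail(partial + b"\x00" * 100 + tail))
```

A result of None means the carved stream ended before the central directory, and a non-zero extra_bytes means the pieces were joined with surplus data in front of it.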