RingZer0-84 - The Words Flew but Writing Remains
Forensics
The words flew but writing remains
This one gives us a very small pcap.
There’s some SNMP traffic. The first packet does a request and gets this data.
echo 4d:46:47:3a:48:65:77:6c:65:74:74:2d:50:61:63:6b:61:72:64:3b:4d:44:4c:3a:48:50:20:4c:61:73:65:72:4a:65:74:20:50:72:6f:66:65:73:73:69:6f:6e:61:6c:20:4d:31:32:31:37:6e:66:77:20:4d:46:50:3b:43:4d:44:3a:5a:4a:53:2c:48:42:53:2c:55:52:46:2c:50:43:4c:6d:2c:50:4a:4c:2c:41:43:4c:2c:48:54:54:50:3b:43:4c:53:3a:50:52:49:4e:54:45:52:3b:44:45:53:3a:48:50:20:4c:61:73:65:72:4a:65:74:20:50:72:6f:66:65:73:73:69:6f:6e:61:6c:20:4d:31:32:31:37:6e:66:77:20:4d:46:50:3b:46:57:56:45:52:3a:32:30:31:32:30:39:30:31:3b:43:49:44:3a:48:50:4c:4a:50:43:4c:4d:53:4d:56:31:3b | xxd -r -p
MFG:Hewlett-Packard;MDL:HP LaserJet Professional M1217nfw MFP;CMD:ZJS,HBS,URF,PCLm,PJL,ACL,HTTP;CLS:PRINTER;DES:HP LaserJet Professional M1217nfw MFP;FWVER:20120901;CID:HPLJPCLMSMV1;
So there’s a printer at the IP 192.168.1.120.
The next interesting packet is an SMPP (Short Message Peer to Peer) one.
If we follow the TCP stream we end up with the following:
.E.%-12345X@PJL ENTER LANGUAGE=ZJS
JZJZ...4.........$ZZ.................
...
12345X@PJL indicates that it’s a command sent to a printer. PJL stands for Printer Job Language. ENTER LANGUAGE=ZJS indicates that what follows is a ZJS (Zenographics ZjStream) message.
We can also see the JZJZ header at the start of the file, indicating that it’s a ZJS file. We’ll save the conversation as raw.
file printjob
printjob: HP PCL printer data
I tried multiple websites to convert my PCL job to an image but none of them worked. I also tried ghostpcl and the ZJStream format prevents it from working correctly.
So I decided to take out the first line of the file and leave the rest.
file printjob
printjob: Zenographics ZjStream printer data (big-endian)
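The header-stripping step above, done programmatically, as an added example that is not part of the original writeup: it drops the PJL/UEL prefix up to the ZjStream magic and then walks the record headers. The record layout (size, type, item count, reserved, 0x9ABC signature) and the type ids are assumed from foo2zjs' zjs.h, not taken from this capture, and the sample job bytes are constructed.

```python
import struct

UEL = b"\x1b%-12345X"                      # PJL universal exit language escape
ZJS_MAGIC = {b"JZJZ": ">", b"ZJZJ": "<"}   # file magic -> struct byte order
ZJS_SIGNATURE = 0x9ABC                     # per-record signature (assumed, foo2zjs zjs.h)
HEADER_LEN = 16                            # size(4) type(4) items(4) reserved(2) sig(2)
RECORD_TYPES = {0: "START_DOC", 1: "END_DOC", 2: "START_PAGE", 3: "END_PAGE",
                4: "JBIG2_BIH", 5: "JBIG2_BIE", 6: "END_JBIG2"}  # assumed type ids

def strip_pjl(job: bytes) -> bytes:
    """Drop the PJL prefix (UEL, @PJL ENTER LANGUAGE=ZJS ...) up to the ZJS magic."""
    for magic in ZJS_MAGIC:
        idx = job.find(magic)
        if idx != -1:
            return job[idx:]
    raise ValueError("no ZjStream magic found; not a ZJS job")

def walk_records(body: bytes) -> list:
    """Return [(type_name, item_count, payload), ...] for each ZJS record."""
    endian = ZJS_MAGIC[body[:4]]
    records, off = [], 4
    # Stop at the end of data or at the trailing UEL that closes the job.
    while off + HEADER_LEN <= len(body) and not body.startswith(UEL, off):
        size, rtype, items, _res, sig = struct.unpack_from(endian + "IIIHH", body, off)
        if sig != ZJS_SIGNATURE or size < HEADER_LEN or off + size > len(body):
            raise ValueError(f"bad ZJS record header at offset {off}")
        records.append((RECORD_TYPES.get(rtype, f"TYPE_{rtype}"), items,
                        body[off + HEADER_LEN:off + size]))
        off += size
    return records

def _record(rtype: int, payload: bytes = b"") -> bytes:
    """Build one big-endian record (used only to construct the sample below)."""
    return struct.pack(">IIIHH", HEADER_LEN + len(payload), rtype, 0, 0, ZJS_SIGNATURE) + payload

# Constructed sample job: the PJL header seen in the TCP stream, then an empty one-page body.
SAMPLE_JOB = (UEL + b"@PJL ENTER LANGUAGE=ZJS\n" + b"JZJZ"
              + _record(0) + _record(2) + _record(3) + _record(1)
              + UEL + b"@PJL EOJ\n")

if __name__ == "__main__":
    for name, items, payload in walk_records(strip_pjl(SAMPLE_JOB)):
        print(f"{name:<12} items={items} payload={len(payload)} bytes")
```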
I went ahead and downloaded a program to preview ZjStream; I found one called O&K Printer Viewer for Windows :( . If we pass it the file printjob we get what we were looking for.
I really tried to make it work in Linux but after an hour I gave up.
The flag is FLAG-0CbxosBsb5TR3v0kPEtp