THE
WHITE
CIRCLE

forensics

Cyber Apocalypse 2024

Phreaky

Solved by : thewhiteh4t, Starry-Lord

The manual way: This challenge comes with a packet capture file (.pcap) so wireshark it is.

attachment in multiple parts

From this we can see that this b64 can be unziped with the passwords coming with each stream. We then need retrieve all 15 of them and use the corresponding unzip password.

We can copy all 15 parts and then merge them together to get the final pdf, with

cat file > phreaks_plan.pdf
cat file 2 >> phreaks_plan.pdf

retrieve all parts

Automated solution using a python script :

  • automatically find and extract zip files and passwords
  • concatenate PDFs into one
  • read PDF and get the flag
    from scapy.all import *
    from zipfile import ZipFile
    from base64 import b64decode
    from pypdf import PdfReader
    
    tcp_streams = {}
    flag_pdf = 'flag.pdf'
    flag_pdf_bytes = bytes()
    
    pkts = rdpcap('./phreaky.pcap')
    for pkt in pkts:
        if not pkt.haslayer(TCP):
            continue
        if not hasattr(pkt[TCP], 'load'):
            continue
        src_ip = pkt[IP].src
        src_port = pkt[TCP].sport
        dst_ip = pkt[IP].dst
        dst_port = pkt[TCP].dport
        tcp_tuple = (src_ip, src_port, dst_ip, dst_port)
    
        if tcp_tuple in tcp_streams:
            tcp_streams[tcp_tuple] += pkt[TCP].load
        else:
            tcp_streams[tcp_tuple] = pkt[TCP].load
    
    for stream_key, stream_data in tcp_streams.items():
        if b'Secure File Transfer' not in stream_data:
            continue
        data = stream_data.decode('utf-8', errors='ignore')
    
        if 'Content-Type: multipart/mixed;' not in data:
            continue
    
        parts = data.split('Content-Type:')[1:]
    
        for part in parts:
            if 'Password' in part:
                password = part.split('Password:')[1].split('\r\n\r\n')[0].strip()
            if 'Content-Disposition: attachment;' in part:
                filename = part.split('filename*1="')[1].split('.zip"')[0] + '.zip'
                attachment = part.split('\r\n\r\n')[1].replace('\r\n', '').strip()
                print(f'Found : {filename} -> Password : {password}')
                with open(filename, 'wb') as outfile:
                    outfile.write(b64decode(attachment))
                with ZipFile(filename) as zf:
                    zip_out = zf.infolist()[0].filename
                    pswd = password.encode()
                    zf.extractall(pwd=pswd)
                    print(f'Extracted : {zip_out}')
    
                with open(zip_out, 'rb') as pdf_part:
                    flag_pdf_bytes += pdf_part.read()
    
    with open(flag_pdf, 'wb') as flag_out:
        flag_out.write(flag_pdf_bytes)
        print(f'\nFinal PDF Saved : {flag_pdf}')
    
    reader = PdfReader(flag_pdf)
    num_pages = len(reader.pages)
    pdf_text = ''
    for num in range(num_pages):
        curr_page = reader.pages[num]
        pdf_text += curr_page.extract_text()
    
    for line in pdf_text.split('\n'):
        if 'HTB{' in line:
            flag = 'HTB' + line.split('HTB')[1].split('}')[0] + '}'
            print(flag)


HTB{Th3Phr3aksReadyT0Att4ck}
Published on : 16 Mar 2024