The file contains a flag, find it.
In this challenge, we are provided with a packet capture (pcap) file. Let’s start off by examining this pcap file in Wireshark.
As seen in the image above, the capture is dominated by Network File System (NFS) packets. NFS exists to move files around, so this strongly suggests a file transfer took place. Let's have a closer look by following the TCP stream of this conversation in Wireshark.
While looking through the data, we observe the string %PDF-1.5, which is the header (magic) of a PDF file. We can conclude that a PDF file was transmitted in this exchange, and proceed to recover it.
To recover the file, we set the "Show and save data as" option in Wireshark's Follow TCP Stream dialog to Raw (selecting only the direction that carries the file body, rather than the whole conversation) and export the stream to a file. Some PDF readers are not too strict about junk preceding the PDF header, so we'll just try our luck and save the raw export with a .pdf extension (transfer.pdf).
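The same extraction can be scripted instead of clicked through. The following is an added example written for this writeup, not part of the original solution or the challenge capture: using only the Python standard library it parses a classic pcap, reassembles one direction of a TCP conversation by sequence number (what Follow TCP Stream does), and carves everything from the first %PDF- header to the last %%EOF marker, keeping whatever is there if the capture stopped before the trailer. The capture it runs on is constructed inline: a tiny PDF split into out-of-order segments with a retransmission, preceded by a few placeholder bytes standing in for the RPC framing, plus some traffic in the other direction. The addresses, ports, file contents and framing bytes are assumptions, not values from the challenge pcap.

```python
import struct

# Constructed sample input (not from the challenge capture): a tiny PDF that
# will be split across several TCP segments, preceded by placeholder bytes
# standing in for the RPC/NFS framing that precedes the file body.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF"
)
RPC_FRAMING = b"\x80\x00\x00\x7c\x00\x00\x00\x01"  # placeholder, not a real RPC header
SAMPLE_STREAM = RPC_FRAMING + SAMPLE_PDF + b"\n\x00\x00\x00\x00"
# (src, sport, dst, dport) of the direction carrying the file: assumed values
FLOW = ("10.0.0.1", 2049, "10.0.0.2", 40000)


def build_pcap(segments):
    """Write a classic little-endian pcap (link type Ethernet) from a list of
    (flow, seq, payload) TCP segments. Checksums are left zero; the output
    only needs to be parseable by the reader below."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for (src, sport, dst, dport), seq, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


def tcp_segments(pcap):
    """Yield (flow, seq, payload) for each IPv4/TCP segment in the pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a classic little-endian pcap")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + ip_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield (src, sport, dst, dport), seq, tcp[doff:]


def follow_stream(pcap, flow):
    """Reassemble one direction of a conversation by sequence number, which is
    what Wireshark's Follow TCP Stream does. Retransmissions overwrite the
    bytes they repeat; a hole in the sequence space is reported rather than
    silently closed. Sequence-number wraparound is not handled."""
    segs = sorted(((seq, p) for f, seq, p in tcp_segments(pcap) if f == flow and p),
                  key=lambda s: s[0])
    if not segs:
        return b""
    base = segs[0][0]
    out = bytearray()
    for seq, payload in segs:
        rel = seq - base
        if rel > len(out):
            raise ValueError("missing segment before seq %d" % seq)
        out[rel:rel + len(payload)] = payload
    return bytes(out)


def carve_pdf(stream):
    """Cut the PDF out of a raw stream dump: from the first %PDF- header to the
    last %%EOF marker. If no %%EOF follows the header the capture was
    incomplete; return what is there, since many readers still open it."""
    start = stream.find(b"%PDF-")
    if start < 0:
        return None
    end = stream.rfind(b"%%EOF")
    if end < start:
        return stream[start:]
    return stream[start:end + len(b"%%EOF")]


def sample_pcap():
    """Build the constructed capture: the file direction split into 40-byte
    segments, delivered in reverse order with one retransmission, plus an
    ACK and some unrelated payload in the opposite direction."""
    chunks = [SAMPLE_STREAM[i:i + 40] for i in range(0, len(SAMPLE_STREAM), 40)]
    segs = [(FLOW, 1000 + 40 * i, c) for i, c in enumerate(chunks)]
    reverse = (FLOW[2], FLOW[3], FLOW[0], FLOW[1])
    noise = [(reverse, 5000, b""), (reverse, 5000, b"not the file")]
    return build_pcap(list(reversed(segs)) + segs[:1] + noise)


if __name__ == "__main__":
    stream = follow_stream(sample_pcap(), FLOW)
    pdf = carve_pdf(stream)
    print("stream bytes:", len(stream), "carved pdf bytes:", len(pdf))
    print(pdf.decode("latin-1"))
```

One caveat worth keeping in mind with a real NFS capture: the file body arrives in a series of NFS READ replies, and every reply carries its own RPC record-marking and reply headers, so a raw dump of the whole direction can have stray header bytes inside the carved file rather than only in front of the %PDF- header. That is consistent with the "May not be a PDF file" and "Illegal character" complaints pdftohtml prints later in this writeup, and it is why relying on a lenient reader is a gamble rather than a method.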
At this point we can actually view the flag directly in the macOS Finder preview, as seen above. However, let's work on the assumption that this doesn't work, in the interest of a more interesting writeup.
As the image above shows, when we open the file in Preview all we get is a black page, and opening the PDF in Chrome just throws an error outright. We can resolve this (and most other CTF challenges with hidden elements in PDFs) by converting the PDF to HTML with pdftohtml, which pulls the text out of the content streams regardless of how it is painted on the page.
$ pdftohtml transfer.pdf
Syntax Warning: May not be a PDF file (continuing anyway)
Syntax Error (12766): Illegal character ')'
Syntax Error (327972): Unexpected end of file in flate stream
Page-1
$ ls -l
total 6252
-rw-r--r-- 1 ubuntu ubuntu  419445 Aug 27 17:04 transfer-1_1.png
-rw-r--r-- 1 ubuntu ubuntu     317 Aug 27 17:04 transfer.html
-rw-r--r-- 1 ubuntu ubuntu     195 Aug 27 17:04 transfer_ind.html
-rw-r--r-- 1 ubuntu ubuntu 5966792 Aug 27 17:04 transfer.pdf
-rw-r--r-- 1 ubuntu ubuntu     732 Aug 27 17:04 transfers.html
As seen above, pdftohtml complains about the file (the stray bytes before and inside the PDF, and a compressed stream that ends early) but keeps going and still extracts the page. It generated transfers.html from transfer.pdf: transfer.html is just the frameset, transfer_ind.html the index, and transfers.html holds the actual page content. When we open transfers.html and scroll to the bottom, we can see the flag.
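To see why the HTML conversion surfaces text that Preview does not, the following added example (written for this writeup, not the original solution) does in a few lines the part of pdftohtml's job that matters here: it locates each stream object, inflates it with a streaming zlib decompressor that returns whatever it decoded before a truncation instead of aborting (the "Unexpected end of file in flate stream" case), and pulls the string operands out of the Tj operators whatever colour they were painted in. The PDF it runs on is constructed inline: a page filled black with black text drawn on top, which is one way to end up with the blank black page seen in Preview. That construction, the flag text and the truncation are assumptions, not the challenge file; TJ arrays, string escapes and filters other than FlateDecode are deliberately not handled.

```python
import re
import zlib

FLAG_TEXT = b"flag{constructed-example}"  # assumed, not the challenge flag


def make_sample_pdf(truncate=0):
    """Constructed single-page PDF (not the challenge file). The content stream
    fills the page black and then draws black text on it, so a viewer shows a
    blank black page while the text is still present. With truncate > 0 the
    FlateDecode data is cut short, mimicking a file carved from an incomplete
    capture."""
    content = (
        b"0 0 0 rg 0 0 612 792 re f\n"                           # black page fill
        b"BT /F1 24 Tf 72 700 Td (" + FLAG_TEXT + b") Tj ET\n"  # black text on it
        + b"0 0 m 612 792 l S\n" * 40                            # filler drawing ops
    )
    comp = zlib.compress(content)
    if truncate:
        comp = comp[:-truncate]
    objs = [
        b"<</Type/Catalog/Pages 2 0 R>>",
        b"<</Type/Pages/Kids[3 0 R]/Count 1>>",
        b"<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]/Contents 4 0 R"
        b"/Resources<</Font<</F1 5 0 R>>>>>>",
        b"<</Length %d/Filter/FlateDecode>>stream\n" % len(comp) + comp + b"\nendstream",
        b"<</Type/Font/Subtype/Type1/BaseFont/Helvetica>>",
    ]
    out = bytearray(b"%PDF-1.5\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for pos in offsets:
        out += b"%010d 00000 n \n" % pos
    out += b"trailer<</Size %d/Root 1 0 R>>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
TJ_RE = re.compile(rb"\((.*?)\)\s*Tj")


def inflate_tolerant(raw):
    """Inflate a FlateDecode stream. zlib.decompress() raises on a truncated
    stream; a streaming decompressor hands back everything decoded before the
    cut. Returns (data, complete). Data that is not a zlib stream at all is
    returned unchanged (an uncompressed content stream)."""
    d = zlib.decompressobj()
    try:
        data = d.decompress(raw)
    except zlib.error:
        return raw, True
    return data, d.eof


def extract_text(pdf):
    """Return (strings, complete): every Tj string operand found in the content
    streams, and whether every stream inflated to its end. Text is taken from
    the content stream no matter how it is painted, which is why hidden text
    shows up in an HTML conversion but not in a viewer."""
    strings, complete = [], True
    for m in STREAM_RE.finditer(pdf):
        data, ok = inflate_tolerant(m.group(1))
        complete = complete and ok
        strings += [s.decode("latin-1") for s in TJ_RE.findall(data)]
    return strings, complete


if __name__ == "__main__":
    for cut in (0, 6):
        pdf = make_sample_pdf(truncate=cut)
        print("truncated by %d bytes -> %r" % (cut, extract_text(pdf)))
```

The truncated case is the one that matters for carved files: cutting the last six bytes removes the Adler-32 checksum and the tail of the deflate data, so a strict decompressor fails the whole stream, whereas the streaming one still yields the text that was decoded before the cut and simply reports the stream as incomplete, which is exactly the position pdftohtml was in above.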