ReadingRainbow - 3_Data

TamuCTF 2019 - Forensic (100 pts).

Challenge details

Event Challenge Category Points Solves
TamuCTF 2019 ReadingRainbow - 3_Data Forensic 100 122

Download: capture.pcap - md5: e36ff23c6995e3595035982cced6c6a9


  1. What compression encoding was used for the data?
  2. What is the name and type of the decompressed file? (Format: NAME.TYPE e.g. tamuctf.txt)

Difficulty: medium-hard



I extracted the ICMP, HTTP and DNS data with Wireshark and tshark, then reassembled it with a Python script and finally identified a gzip file.


Before answering the questions, we need a way to recover the original file. We know that the attacker used the HTTP, DNS and ICMP protocols between the attacker's IP and the webserver's to exfiltrate his file. We will therefore use the following filter and save only the displayed packets, giving a lightened PCAP file:

ip.src == && ip.dst == && (http || dns || icmp)

Fig 1: Lightweight PCAP (3_exfil_chall11.png)

We go from 15k packets to 117, which is much more pleasant to analyze.

Get data from ICMP

The ICMP data is sent in hexadecimal. When it is decoded on the fly with xxd piped from tshark, there are no line breaks left and the data becomes difficult to analyze. sed fixes this by inserting a newline before each occurrence of the file ID (SEx4IRV):

▶ tshark -r exfil.pcap -Y "icmp" -Tfields -e "data.text" | xxd -r -p | sed 's/SEx4IRV/\nSEx4IRV/g'

▶ tshark -r exfil.pcap -Y "icmp" -Tfields -e "data.text" | xxd -r -p | sed 's/SEx4IRV/\nSEx4IRV/g' > clear_icmp

This is the ICMP data extracted from the file.
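The re-chunking that sed performs (inserting a newline before every occurrence of the DET file ID SEx4IRV) can be sketched in Python; the blob below is a hypothetical concatenated stream, not actual capture data:

```python
# Hypothetical concatenated stream, in the FileID.PacketNumber.Data shape
blob = "SEx4IRV.0.aabbSEx4IRV.1.ccdd"

# Same effect as: sed 's/SEx4IRV/\nSEx4IRV/g'
chunks = blob.replace("SEx4IRV", "\nSEx4IRV").lstrip("\n").split("\n")
print(chunks)  # -> ['SEx4IRV.0.aabb', 'SEx4IRV.1.ccdd']
```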

Get data from HTTP

The HTTP data is sent as POST form data:

Fig 2: HTTP hex encoded data (3_exfil_chall12.png)

Same process as for ICMP:

▶ tshark -r exfil.pcap -Y "http" -Tfields -e urlencoded-form.value | xxd -r -p | sed 's/SEx4IRV/\nSEx4IRV/g'               

▶ tshark -r exfil.pcap -Y "http" -Tfields -e urlencoded-form.value | xxd -r -p | sed 's/SEx4IRV/\nSEx4IRV/g' > clear_http

Get data from DNS

DNS works a bit differently, because the data is embedded in the query names themselves (as the second dot-separated label of each query):

▶ tshark -r exfil.pcap -Y "dns" -Tfields -e | cut -d'.' -f2 | xxd -r -p | sed 's/SEx4IRV/\nSEx4IRV/g'

▶ tshark -r exfil.pcap -Y "dns" -Tfields -e | cut -d'.' -f2 | xxd -r -p | sed 's/SEx4IRV/\nSEx4IRV/g' > clear_dns
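The `cut -d'.' -f2` step keeps the second dot-separated label of each query name, which is where the hex payload sits; in Python (the query name below is hypothetical):

```python
# Hypothetical exfiltration query name: the hex payload is the second label
qry = "a.534578.attacker.example"

payload = qry.split(".")[1]     # what cut -d'.' -f2 extracts
print(bytes.fromhex(payload))   # hex-decoded chunk, as xxd -r -p does -> b'SEx'
```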

Ordering each request

All requests must be put back in the right order. This is how DET works:

  1. File ID
  2. Packet number
  3. Data

This structure does not apply to the first (REGISTER) and last (DONE) requests. To put everything back in order, Python will do it for us: I put all the lines in a dictionary with the packet number as the key:

f = open('clear_data')
a = f.read().splitlines()

final = ""
tmp = {}

for line in a:
	parts = line.split('.')
	# skip the REGISTER/DONE packets, which do not follow FileID.PacketNumber.Data
	if len(parts) < 3 or not parts[1].isdigit():
		continue
	tmp[int(parts[1])] = parts[2]

# concatenate the chunks in packet-number order
for j in sorted(tmp):
	final += tmp[j]

g = open('result', 'w')
g.write(final)
g.close()

Here is what we obtain:

▶ file result
result: ASCII text, with very long lines, with no line terminators

▶ cat result                    

▶ cat result | xxd -r -p > test

▶ file test    
test: gzip compressed data, last modified: Wed Feb 20 05:11:48 2019, from Unix, original size 10240
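`file` identifies gzip from the two magic bytes, 1f 8b, at the start of the stream; a quick stdlib check of that signature:

```python
import gzip

# any gzip stream starts with the magic bytes 1f 8b
sample = gzip.compress(b"demo")
print(sample[:2].hex())  # -> '1f8b'
```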

Remember, the first question of the challenge asks for the compression encoding used:

Flag 1: gzip

Now, let’s uncompress the archive and get the original file:

▶ mv test test.gz                                                             

▶ gzip -d test.gz            

▶ file test
test: POSIX tar archive (GNU)

▶ tar xvf test    
▶ file stuff
stuff: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/, for GNU/Linux 3.2.0, BuildID[sha1]=e228bab316deed74b478d8f5bdef5d8c30bbd1b4, not stripped

And now, let’s validate the last flag:

Flag 2: stuff.elf