ASIS-CTF Finals 2014 - Capsule (125pts) writeup

The challenge description was: Find the flag in [this] file.

I wasted a lot of time on this one for no good reason. It happens quite often in a CTF: you are looking for something while the flag is right under your nose.

Let's find out what this file is exactly:

mrt:~/asis/capsule$ file capsule_239acad5fcfe4722e624da66c9c02542
capsule_239acad5fcfe4722e624da66c9c02542: XZ compressed data

mrt:~/asis/capsule$ cp capsule_239acad5fcfe4722e624da66c9c02542 capsule.xz

mrt:~/asis/capsule$ unxz capsule.xz

mrt:~/asis/capsule$ ls -la
total 3328
drwxr-xr-x 8 mrt mrt 4096 Oct 13 12:51 .
drwxr-xr-x 16 mrt mrt 4096 Oct 13 02:15 ..
-rw-r--r-- 1 mrt mrt 2875396 Oct 13 12:51 capsule
-rw-r--r-- 1 mrt mrt 492056 Oct 11 12:18 capsule_239acad5fcfe4722e624da66c9c02542

mrt:~/asis/capsule$ file capsule
capsule: pcap-ng capture file - version 1.256

Seems like it's one of these newer pcapng format files. Let's try to open it in Wireshark 1.99 (the development release at the time; stable Wireshark has read pcapng since 1.8, so the format itself should not be the problem).

Bummer... it's not working. I don't even get an error message; it just shows me the Open Capture File dialog again and again. Trying to convert it with editcap to libpcap format yielded an "unknown format" error as well. I also tried converting the file from pcapng to pcap online at pcapng.com, still no luck. Maybe the file is corrupted, or in a format version that even Wireshark and editcap cannot open.

Or the organisers corrupted the file on purpose.

Fortunately we have another pcap-ng file from another challenge (tictac), so there is no need to create one ourselves to see whether the header has something odd in it:

mrt:~/asis/capsule$ file ../tictac/tictac
../tictac/tictac: pcap-ng capture file - version 1.0


mrt:~/asis/capsule$ xxd ../tictac/tictac | head
0000000: 0a0d 0d0a 8800 0000 4d3c 2b1a 0100 0000 ........M<+.....
0000010: ffff ffff ffff ffff 0300 2c00 4d61 6320 ..........,.Mac
0000020: 4f53 2058 2031 302e 392e 352c 2062 7569 OS X 10.9.5, bui
0000030: 6c64 2031 3346 3334 2028 4461 7277 696e ld 13F34 (Darwin
0000040: 2031 332e 342e 3029 0400 3400 4475 6d70 13.4.0)..4.Dump
0000050: 6361 7020 312e 3132 2e31 2028 7631 2e31 cap 1.12.1 (v1.1
0000060: 322e 312d 302d 6730 3162 3635 6266 2066 2.1-0-g01b65bf f
0000070: 726f 6d20 6d61 7374 6572 2d31 2e31 3229 rom master-1.12)
0000080: 0000 0000 8800 0000 0100 0000 5800 0000 ............X...
0000090: 0100 0000 0000 0400 0200 0300 656e 3100 ............en1.

mrt:~/asis/capsule$ xxd capsule | head
0000000: 0a0d 0d0a 8800 0000 4d3c 2b1a 0100 0001 ........M<+.....
0000010: ffff ffff ffff ffff 0300 2c00 4c69 6e75 ..........,.Linu
0000020: 7820 4354 2033 2e31 392e 352c 2062 7569 x CT 3.19.5, bui
0000030: 6c64 2031 3346 3334 2028 4461 7277 696e ld 13F34 (Darwin
0000040: 2031 332e 342e 3029 0400 3400 4475 6d70 13.4.0)..4.Dump
0000050: 6361 7020 312e 3130 2e37 2028 7631 2e31 cap 1.10.7 (v1.1
0000060: 302e 372d 302d 6736 6239 3331 6131 2066 0.7-0-g6b931a1 f
0000070: 726f 6d20 6d61 7374 6572 2d31 2e31 3029 rom master-1.10)
0000080: 0000 0000 8800 0000 0100 0001 5800 0000 ............X...
0000090: 0100 0000 ffff 0000 0200 0300 656e 3100 ............en1.

Comparing the two dumps shows that the damage is confined to fixed fields of the pcapng header. The Section Header Block (SHB) at offset 0 stores the format version at 0xC-0xF as two little-endian 16-bit numbers: tictac has major 1, minor 0, while capsule has 0100 0001, i.e. minor 0x0100 = 256, which is exactly why file reported version 1.256. Byte 0xF must be 0x00. The SHB is 0x88 bytes long, so the next block starts at 0x88 and should be an Interface Description Block with block type 0x00000001; capsule has 0x01000001, so byte 0x8B must be 0x00 as well. Inside that block, 0x90 is the LinkType (1, Ethernet) and 0x94 is the SnapLen: 0x00040000 in tictac, 0x0000ffff in capsule. After patching bytes 0xF, 0x8B, 0x94 and 0x95 to 0x00 (zeroing 0x94 and 0x95 sets the SnapLen to 0, which pcapng defines as "no limit"; 0xffff was arguably a legal value already, but zeroing it is harmless), we can open the file in Wireshark (yay!). Looking at the traffic I noticed a lot of png/jpg/eps file names such as ASIS_, flag_ etc., so running foremost seemed an easy way to carve data out of it. It gave a couple of results: 2 JPGs (corrupted) and a false-positive BMP.
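To make the header check reproducible, here is a small parser/patcher for the two fixed-layout blocks at the front of a pcapng file. This is an added example written for this writeup, not the author's or Wireshark's code. The embedded bytes are the first 0xA0 bytes of capsule transcribed from the xxd dump above; the repair rule (rewrite only fields that have a single legal value, plus the type of the block after the SHB when it is not a legal block type at all) is my own heuristic, not something the pcapng spec prescribes.

```python
import struct
import sys

# First 0xA0 bytes of the corrupted capsule file, transcribed from the xxd dump
# in the writeup: the Section Header Block (0x00-0x87) and the start of the
# block that follows it (0x88-).  Only these fixed-layout fields are needed.
CAPSULE_HEAD = bytes.fromhex(
    "0a0d0d0a880000004d3c2b1a01000001"
    "ffffffffffffffff03002c004c696e75"
    "7820435420332e31392e352c20627569"
    "6c64203133463334202844617277696e"
    "2031332e342e30290400340044756d70"
    "63617020312e31302e37202876312e31"
    "302e372d302d67366239333161312066"
    "726f6d206d61737465722d312e313029"
    "00000000880000000100000158000000"
    "01000000ffff000002000300656e3100"
)

SHB_TYPE = 0x0A0D0D0A          # Section Header Block ("\n\r\r\n")
IDB_TYPE = 0x00000001          # Interface Description Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # stored in the section's own byte order
# Core block types: SHB, IDB, Packet (obsolete), Simple Packet, Name Resolution,
# Interface Statistics, Enhanced Packet.
LEGAL_BLOCK_TYPES = {SHB_TYPE, 1, 2, 3, 4, 5, 6}


def parse_head(data):
    """Read the SHB and the fixed part of the block that follows it.

    Returns the fields Wireshark checks before it will open the file;
    raises ValueError when the prefix cannot be read at all.
    """
    if len(data) < 28 or struct.unpack("<I", data[0:4])[0] != SHB_TYPE:
        raise ValueError("no SHB block type 0x0A0D0D0A at offset 0")
    # The byte-order magic decides how every other multi-byte field is read.
    if data[8:12] == struct.pack("<I", BYTE_ORDER_MAGIC):
        end = "<"
    elif data[8:12] == struct.pack(">I", BYTE_ORDER_MAGIC):
        end = ">"
    else:
        raise ValueError("bad byte-order magic %s" % data[8:12].hex())
    shb_len = struct.unpack(end + "I", data[4:8])[0]
    if shb_len % 4 or shb_len < 28 or shb_len > len(data):
        raise ValueError("implausible SHB length %d" % shb_len)
    major, minor = struct.unpack(end + "HH", data[12:16])
    f = {
        "endian": end, "shb_len": shb_len, "major": major, "minor": minor,
        # Every block repeats its total length as its last 4 bytes.
        "shb_trailer_len": struct.unpack(end + "I", data[shb_len - 4:shb_len])[0],
    }
    nxt = shb_len
    if len(data) >= nxt + 8:
        f["next_type"], f["next_len"] = struct.unpack(end + "II", data[nxt:nxt + 8])
    if f.get("next_type") == IDB_TYPE and len(data) >= nxt + 16:
        # IDB body: LinkType (u16), Reserved (u16), SnapLen (u32), then options.
        f["linktype"], f["reserved"], f["snaplen"] = struct.unpack(
            end + "HHI", data[nxt + 8:nxt + 16])
    return f


def find_patches(data):
    """Return {offset: byte} for fixed fields that do not hold their required value.

    Deliberately narrow (my heuristic, not a general repair tool): only fields
    with a single legal value, plus the block after the SHB, which must be an
    IDB before any packet block can be read.  SnapLen is reported by parse_head
    but never rewritten: 0xFFFF is a legal value, and 0 would mean "no limit".
    """
    f = parse_head(data)
    end, patches = f["endian"], {}

    def want(off, fmt, value):
        expect = struct.pack(end + fmt, value)
        if off + len(expect) > len(data):
            return
        for i, b in enumerate(expect):
            if data[off + i] != b:
                patches[off + i] = b

    want(12, "H", 1)                           # major version: always 1
    want(14, "H", 0)                           # minor version: always 0 (capsule: 0x0100)
    want(f["shb_len"] - 4, "I", f["shb_len"])  # trailing block length must match
    nxt = f["shb_len"]
    if "next_type" in f:
        treat_as_idb = f["next_type"] == IDB_TYPE or f["next_type"] not in LEGAL_BLOCK_TYPES
        if treat_as_idb:
            want(nxt, "I", IDB_TYPE)           # capsule: 0x01000001 -> 0x00000001
            want(nxt + 10, "H", 0)             # IDB Reserved field must be zero
    return patches


def apply_patches(data, patches):
    """Return a copy of data with the given bytes overwritten."""
    buf = bytearray(data)
    for off, b in patches.items():
        buf[off] = b
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python pcapng_fix.py <in.pcapng> <out.pcapng>
    with open(sys.argv[1], "rb") as fh:
        raw = fh.read()
    fixes = find_patches(raw)
    for off in sorted(fixes):
        print("patch 0x%x: 0x%02x -> 0x%02x" % (off, raw[off], fixes[off]))
    with open(sys.argv[2], "wb") as fh:
        fh.write(apply_patches(raw, fixes))
```

Run against the embedded bytes, find_patches reports exactly the two bytes the writeup patched for structural reasons, 0xF and 0x8B, and after applying them parse_head sees version 1.0, an IDB with LinkType 1 and a SnapLen of 65535. The SnapLen bytes at 0x94-0x95 are left alone on purpose; if you want to mirror the writeup, zero them by hand.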

I tried scalpel, which gave pretty much the same results; I couldn't get proper data out of it. So I tried bulk_extractor as well (hey, when you are willing to lose time for no reason, sometimes you go for it without thinking). Great, I can finally see one of the JPGs clearly:

[Screenshot: ASIS-CTF Finals 2014 - Capsule (125pts) writeup - 01]

Well, hello Mr. Zuckerberg, but you are not helping. At this point I will spare you the description of how I manually extracted all the data from the pcapng file, including an EPS file, 2 JPGs, 2 PNGs (yay, Bitcoin logo!) and some other useless things. I was definitely not looking where I should have.

I should have fired up Wireshark hours ago. Running strings on the pcapng file gives a lot of results:

mrt:~/asis/capsule$ strings capsule | grep flag
translation-flags.jpg
translation-flags.png
translation-flags.jpg
translation-flags.png
translation-flags.jpg
translation-flags.png
flag.txt
flag.txt
...

mrt:~/asis/capsule$ strings capsule | grep ASIS_
ASIS_1.png
ASIS_CTF.png
ASIS_logo.png
ASIS_logo.svg
ASIS_1.png
ASIS_CTF.png
ASIS_logo.png
ASIS_logo.svg
ASIS_1.png
...

I still converted the patched pcapng file to pcap, just to be sure my patch wouldn't confuse Wireshark:

mrt:~/asis/capsule$ editcap -F libpcap capsule capsule.pcap

So yes, it's really time to look at the traffic closely. The flag.txt data could actually be interesting. Let's search for the string flag.txt in the packet bytes in Wireshark (stable release this time), follow the stream and search for flag.txt again:

[Screenshot: ASIS-CTF Finals 2014 - Capsule (125pts) writeup - 02]

Keeping on searching for something good, we end up here:

[Screenshot: ASIS-CTF Finals 2014 - Capsule (125pts) writeup - 03]

Looks like some ASCII art. Could it be? Aww... after so many hours, really? Let's copy/paste these bytes into a text editor:

[Screenshot: ASIS-CTF Finals 2014 - Capsule (125pts) writeup - 04]

We got our flag:

ASIS_318fe0b1c0dd4fa0a8dca43edace8b20