John Pierce

CISSP, SLAE, Security+

Challenge 14 - Reassemble multi-part file from pcap to retrieve password

I got this one done a couple of ways. I tried tcpxtract but got a segmentation fault before the zip files were recovered, so I didn't pursue that at all. Instead, I went back to manual analysis and extraction. There was a lot of noise in the file other than the few packets of interest. I started by loading the pcap up in Wireshark and searching for 'pass' in the packet data and came up with a couple, both of them POST requests with "split-file/pass" in the body. That led me to set a filter to only show POST requests. There were 8 of them, four with part of a media file and another 4 with Line-based text data. The following shows one of the media file packets with the media portion highlighted. The first way I solved the challenge was to notice the string in this packet, unlike any of the other packets, and try using it. That worked, but it isn't very elegant.

Figure 1

Back to reviewing the pcap file and looking at the Line-based text data, I noticed that each of them had "name" data starting with "xa" and ending in a, b, c, and d.  

I already knew it was a multi-part file from the "split-file/" hint in the media files. These bits of "name" data give the order to reassemble the file. So, in the first pcap screen capture above, the media is highlighted. All I need to do is press <ctrl>h to save that data as binary in a file. I named it part182 based on the packet number, but it would have been easier to call it "xaa" so I didn't have to take notes. I did the same to the others, catted the files together, unzipped them and retrieved the password.
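
The reassembly step above, as an added Python example that is not part of the original writeup: it joins carved pieces in split(1) name order (xaa, xab, ...), refuses to join if a piece is missing or the result does not start with a ZIP header, and verifies the archive's CRCs. The sample pieces, the member name pass.txt and its contents are constructed for illustration; they are not data from the challenge pcap.

```python
import io
import zipfile
from itertools import islice, product
from string import ascii_lowercase

def split_names(prefix="x"):
    """Yield split(1)'s default output names in order: xaa, xab, xac, ..."""
    for a, b in product(ascii_lowercase, repeat=2):
        yield prefix + a + b

def reassemble(parts):
    """Join carved pieces (dict: name -> bytes) in split-name order."""
    expected = list(islice(split_names(), len(parts)))
    missing = [n for n in expected if n not in parts]
    if missing:  # a gap or misnamed piece would silently corrupt the archive
        raise ValueError(f"missing or misnamed pieces: {missing}")
    blob = b"".join(parts[n] for n in expected)
    if not blob.startswith(b"PK\x03\x04"):  # ZIP local file header magic
        raise ValueError("first piece is not the start of a ZIP archive")
    return blob

def read_zip(blob):
    """Verify member CRCs, then return {member name: contents}."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        bad = zf.testzip()
        if bad is not None:
            raise ValueError(f"CRC mismatch in {bad}")
        return {n: zf.read(n) for n in zf.namelist()}

def make_sample_parts(n=4):
    """Constructed stand-in for the four carved POST bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pass.txt", "constructed-password\n")
    data = buf.getvalue()
    size = -(-len(data) // n)  # ceiling division
    pieces = [(nm, data[i * size:(i + 1) * size])
              for i, nm in enumerate(islice(split_names(), n))]
    return dict(reversed(pieces))  # capture order differs from file order

if __name__ == "__main__":
    print(read_zip(reassemble(make_sample_parts())))
```

Keying the pieces by their "xa?" name rather than by packet number removes the need for a separate note of which packet held which part.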
