Misc

Challenge

Link

Lost Some Magic (92 pts)

Description

Our SOC analysts saw some strange DNS traffic. Wanted you to figure out what was exfiltated , can you check it and sum it up ?

Solution

Given file with unknown type, lets check the contents.

There is no extension with header signature 4200. Based on the description it should be kind of compression so lets try to check another compressed file.

bz2 header looks similar with 2 bytes value nulled. So rewrite those null bytes to 5a68 and do bz2 decompress.

Okay, lets check the next part.

Looks like it similar with tar archive, tar doesn't compress the value. So just take directly the value from xxd.

f = open("data2.tar", "rb").read()
data = bytes.fromhex("8b08086e37c4650003666c6167")
index = f.index(data)
val = f[index:index+73]

g = open("data3", "wb")
g.write(val)

Looks like data3 is gz archive with removed header and trailer. Lets add header and trailer and try to decompress it.

f = open("data2.tar", "rb").read()
data = bytes.fromhex("8b08086e37c4650003666c6167")
index = f.index(data)
val = f[index:index+73]
new_val = b"\x1f" + val + b"\x00" * 3

g = open("data3.gz", "wb")
g.write(new_val)

Flag: swampCTF{C0113ct1ng_th3_mag1c_number5}

PreviousReverse Engineering NextCryptography

Last updated 8 months ago