Laboratory TUCTF 2016 - The Nack [100]

delimitry, 17 May 2016

A pcapng file is given.

I opened the file and noticed that the packets have some data after the "GOAT" string.
More specifically, the packets have 4 bytes of data after the "GOAT\x01" prefix.
It is easy to see that a GIF file was split up and stored this way.

I used the following Python script to restore the GIF file:

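fn = 'ce6e1a612a1da91648306ace0cf7151e6531abc9.pcapng'

# Read the whole capture as raw bytes
with open(fn, 'rb') as f:
    data = f.read()

# Collect the 4 payload bytes that follow each "GOAT" string plus 1 marker byte
out = b''
while True:
    pos = data.find(b'GOAT')
    if pos < 0:
        break
    out += data[pos + 4 + 1:pos + 4 + 1 + 4]
    data = data[pos + 4:]

# Write the reassembled GIF
with open('out.gif', 'wb') as f:
    f.write(out)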

The flag is hidden in the 17th frame:

The flag is: TUCTF{this_transport_layer_is_a_syn}
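
The carving step above, extended with a structural check of the result, as an added example that is not part of the original write-up: it reassembles the payload and then walks the GIF block structure to count frames, so a capture with missing chunks is reported instead of silently producing a broken file. The function names and the 2-frame sample capture are constructed for illustration; only the "GOAT\x01" prefix and the 4-byte chunk size come from the write-up.

```python
import struct

MARKER = b"GOAT\x01"   # prefix seen before each payload in the write-up
CHUNK = 4              # payload bytes that follow each prefix

def carve(capture: bytes) -> bytes:
    """Join the CHUNK bytes after every MARKER, never rescanning payload bytes."""
    out, pos = bytearray(), capture.find(MARKER)
    while pos >= 0:
        start = pos + len(MARKER)
        out += capture[start:start + CHUNK]
        pos = capture.find(MARKER, start + CHUNK)
    return bytes(out)

def _table(flags: int) -> int:
    """Size in bytes of a colour table described by a packed-flags byte."""
    return 3 * (2 << (flags & 7)) if flags & 0x80 else 0

def _skip_sub_blocks(gif: bytes, i: int) -> int:
    """Step over length-prefixed sub-blocks up to and including the 0 terminator."""
    while gif[i]:
        i += gif[i] + 1
    return i + 1

def count_frames(gif: bytes) -> int:
    """Walk the GIF block structure; raise ValueError if it is not a complete GIF."""
    if gif[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("bad GIF signature")
    try:
        i, frames = 13 + _table(gif[10]), 0   # header + screen descriptor + table
        while gif[i] != 0x3B:                 # 0x3B is the trailer
            if gif[i] == 0x21:                # extension: introducer, label, data
                i = _skip_sub_blocks(gif, i + 2)
            elif gif[i] == 0x2C:              # image descriptor starts one frame
                frames += 1
                i += 10 + _table(gif[i + 9])
                i = _skip_sub_blocks(gif, i + 1)   # +1 skips LZW min code size
            else:
                raise ValueError(f"unexpected block 0x{gif[i]:02x} at offset {i}")
        return frames
    except IndexError:
        raise ValueError("truncated GIF, some chunks are missing") from None

def sample_capture() -> bytes:
    """Constructed input: a minimal 2-frame GIF split across fake packets."""
    frame = b"\x2c" + struct.pack("<4HB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
    gif = b"GIF89a" + struct.pack("<2H3B", 1, 1, 0x80, 0, 0) + bytes(6) + frame * 2 + b"\x3b"
    return b"".join(b"\xaa\xbbhdr" + MARKER + gif[i:i + CHUNK]
                    for i in range(0, len(gif), CHUNK))

if __name__ == "__main__":
    print(count_frames(carve(sample_capture())))
```

On a real capture, pass the bytes of the pcapng file to carve() and compare the frame count with what an image viewer reports.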