Forensics [100 pts]
Description: We got hacked! Can you see what they took?
We are given a pcap file. Analyzing it, we see that it is full of ICMP traffic. Looking at the first packet, we see that its payload is the beginning of a PNG header:
The last packet also contains an IEND chunk, which marks the end of a PNG file. So it looks like they are sending a piece of the PNG in each packet. The only issue is that we have to parse and filter the data to capture the correct bytes.
Since the echo requests and replies carry the same data, we use tshark to extract only the unique data sections of the pcap, which gives us a better picture of the PNG.
Our goal is to find the correct offset for each piece so that we end up with a valid picture, so we use a known-good PNG as a guide to which bytes to expect:
Grabbing the correct first line from the pcap data and iterating down to the end, we are able to form a PNG that gives us the flag:
Perhaps I could've parsed it better, but it is still readable.
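To show the reassembly step as code rather than by hand, here is an added example (not the writeup author's tool) that parses a classic libpcap file with a minimal pure-Python parser, keeps only ICMP echo request payloads so the duplicated reply bytes are dropped, and carves from the PNG signature to the IEND chunk. The pcap builder and the 1x1 PNG are constructed sample input; the challenge's own capture and framing (assumed Ethernet/IPv4) are not on this page.

```python
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def icmp_payloads(pcap_bytes, icmp_type=8):
    """Yield ICMP payloads of one type (8 = echo request) from a classic libpcap
    file with Ethernet/IPv4 framing; taking only requests drops the reply duplicates."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue  # not an IPv4 frame carrying ICMP (protocol 1)
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        icmp = frame[14 + ihl:14 + total_len]  # total_len trims Ethernet padding
        if len(icmp) >= 8 and icmp[0] == icmp_type:
            yield icmp[8:]  # strip type/code/checksum/id/seq

def reassemble_png(pcap_bytes):
    """Concatenate request payloads and carve from the PNG signature to IEND."""
    data = b"".join(icmp_payloads(pcap_bytes))
    start, end = data.find(PNG_SIG), data.find(b"IEND")
    if start < 0 or end < 0:
        raise ValueError("no complete PNG in the ICMP echo requests")
    return data[start:end + 8]  # IEND type plus its 4-byte CRC

def png_chunk(ctype, body):
    return struct.pack("!I", len(body)) + ctype + body + struct.pack("!I", zlib.crc32(ctype + body))

def sample_png():
    """Constructed 1x1 grayscale PNG used as sample input (not the challenge image)."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

def build_pcap(chunks):
    """Constructed pcap: each chunk is sent as an echo request and echoed in a reply."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for seq, chunk in enumerate(chunks):
        for icmp_type in (8, 0):
            icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq) + chunk
            ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                             bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + icmp
            frame = b"\x00" * 12 + b"\x08\x00" + ip
            out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)
```

Run `reassemble_png(build_pcap([sample_png()[i:i + 16] for i in range(0, len(sample_png()), 16)]))` to see the sample PNG come back byte-for-byte; on a real capture, replace `build_pcap(...)` with the bytes read from the pcap file.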