Tuesday, December 2, 2014

Kaizen - Crypto #2 (decrypt a hidden message from a pcap file)

File: crypto-2.zip

Here's the problem text for Crypto #2:

Acid Burn often uses FTP to transfer files. Extract the image from the pcap. Use Acid Burn's FTP (not Telnet) password to unlock the hidden message in the image.

The zip archive contains a pcap file, so I opened it up in Wireshark to take a look around.

Right off the bat, you can see the FTP password being transmitted in cleartext:

We'll save this for later.

Looking through the pcap file, it looks like two files are transferred: dinosaur.jpg and steghide_manual.txt.

We can guess the steghide manual page is a clue that the steganography is performed with the steghide tool, so now we just need to extract the JPG file that was transferred across the line.

Using the "Follow TCP Stream" tool after right-clicking on the TCP connection that gets spawned immediately following the FTP RETR request, we can isolate just the bytes that correspond to the dinosaur.jpg file.

Once we do this, we can choose "Save As" and save the bytes as a jpg file.

Using the FTP password from before with the steghide tool, we can decrypt the hidden message, "CRASHANDBURN"!
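As an added example (not part of the original writeup), here is a pure-Python stand-in for the "Follow TCP Stream" and "Save As" steps: it walks a classic pcap, reassembles each TCP flow by sequence number so out-of-order or retransmitted segments do not corrupt the carved file, and cuts out the JPEG between its SOI and EOI markers. It runs against a small constructed capture rather than crypto-2.zip; the addresses, ports and fake image bytes are made up.

```python
import struct
from collections import defaultdict

PCAP_MAGIC, JPEG_SOI, JPEG_EOI = 0xA1B2C3D4, b"\xff\xd8\xff", b"\xff\xd9"

def tcp_streams(pcap):
    """Reassemble every TCP flow in a little-endian Ethernet/IPv4 pcap: {(src, sport, dst, dport): bytes}."""
    assert struct.unpack_from("<I", pcap, 0)[0] == PCAP_MAGIC, "not a classic LE pcap"
    segs, off = defaultdict(dict), 24          # flow -> {seq: payload}; 24 = global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        pkt, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                            # skip anything that is not IPv4/TCP
        ihl, ip_len = (pkt[14] & 0x0F) * 4, struct.unpack_from("!H", pkt, 16)[0]
        tcp = pkt[14 + ihl:14 + ip_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:                             # keep the first copy of a retransmitted segment
            segs[(pkt[26:30], sport, pkt[30:34], dport)].setdefault(seq, payload)
    # order by sequence number so out-of-order delivery does not scramble the file
    return {f: b"".join(s[k] for k in sorted(s)) for f, s in segs.items()}

def tcp_packet(src, sport, dst, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums zeroed; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def extract_jpeg(pcap):
    """Carve the first complete JPEG (SOI .. EOI) out of any reassembled stream, or None."""
    for data in tcp_streams(pcap).values():
        start = data.find(JPEG_SOI)
        end = data.find(JPEG_EOI, start) if start != -1 else -1
        if end != -1:
            return data[start:end + 2]
    return None

# Constructed sample: a stand-in "dinosaur.jpg" sent from the active-mode FTP data port (20)
# in three segments, captured out of order and with the first segment retransmitted once.
SERVER, CLIENT = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 7])
FAKE_JPG = JPEG_SOI + b"\xe0" + b"JFIF-stand-in-pixels" + JPEG_EOI
cuts = [(0, 6), (6, 16), (16, len(FAKE_JPG))]
segments = [tcp_packet(SERVER, 20, CLIENT, 51234, 1000 + a, FAKE_JPG[a:b]) for a, b in cuts]
SAMPLE_PCAP = build_pcap([segments[1], segments[0], segments[2], segments[0]])
```

Writing the returned bytes to dinosaur.jpg gives the same file Wireshark's "Save As" produces, ready for steghide with the captured password.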
