ISSessions CTF 2021 PlainTextProtocols


Recovering a flag from a PCAP by fixing corrupted PNG header bytes extracted from an HTTP response.

PlainTextProtocols

PCAP, but that GET request seems a bit off…

Solution

The request to /flag returned raw hex data. Exporting it from Wireshark gave me a file that wasn’t recognized right off the bat.

After putting it into HxD, I noticed that it had most of the header of a PNG file, with the first two bytes being incorrect.

1E 11 4E 47

vs the correct PNG header:

89 50 4E 47

Fixing those bytes produced a valid PNG containing the flag FLAG{0f979c96e7}.
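The same repair can be scripted. The following is an added example, not part of the original write-up (which did the fix by hand in HxD): it restores the 8-byte PNG signature only when enough of it already matches, then confirms the result by checking the IHDR chunk's CRC. The function names, the `min_match` threshold and the 1x1 sample image are assumptions constructed for the demonstration.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")  # full 8-byte PNG signature

def chunk(ctype, body):
    """Serialize one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png():
    """Constructed sample input: a minimal 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def ihdr_ok(data):
    """True if the first chunk is a 13-byte IHDR whose stored CRC matches."""
    if len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    (stored,) = struct.unpack(">I", data[29:33])
    return length == 13 and ctype == b"IHDR" and zlib.crc32(data[12:29]) & 0xFFFFFFFF == stored

def repair_png_signature(data, min_match=4):
    """Return (repaired_bytes, offsets_changed); raise ValueError if not a PNG."""
    if len(data) < 8:
        raise ValueError("file shorter than a PNG signature")
    bad = [i for i in range(8) if data[i] != PNG_SIG[i]]
    if 8 - len(bad) < min_match:
        raise ValueError("too few signature bytes match")
    fixed = PNG_SIG + data[8:]
    if not ihdr_ok(fixed):
        raise ValueError("IHDR chunk missing or CRC mismatch")
    return fixed, bad

if __name__ == "__main__":
    good = build_sample_png()
    damaged = bytes.fromhex("1e11") + good[2:]  # same corruption as in the write-up
    fixed, changed = repair_png_signature(damaged)
    print("changed offsets:", changed, "valid:", fixed == good)
```

The IHDR CRC check is what separates a file with a damaged signature from one that merely resembles a PNG in its first few bytes.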