I am doing a CTF flag for my school project with a PCAP flag based on this CTF write-up: eindbazen.net - Plaid CTF 2012 - Torrent

I set up a local torrent file containing an .mp3 (the audio is my flag's key) that is shared between two laptops. I followed the exact same steps as found in the write-up above using Tshark and a Python script, and managed to follow through the same procedure.

However, the final .mp3 output after reconstruction became 1KB bigger (most values different from original when viewed in WinHex), and the audio became jumbled up. I also tried using a .zip file as my torrent file and although 7zip recognizes the folder and correctly displays the original files inside, the .zip folder also got around 35KB larger. When attempting to extract the files inside, 7zip complains of "an attempt was made to move the file pointer" and/or "unsupported compression method for xxx.mp3"

I suspect the Python script may be responsible for causing the hex values to change and "corrupt" the files upon reconstructing it from the PCAP. However, I am a total newbie to Python as my school covers only the very basics of Python scripting and I don't know how the script logic in the CTF write-up works.

Below is the script from the write-up which I used:

pieces = {}

# Each line of 'bomb' is "<piece index in hex>\t<colon-separated hex bytes>",
# one line per piece message pulled out of the PCAP with tshark.
for line in open('bomb'):
    line = line.strip()

    idx, data = line.split('\t')
    data = data.replace(':','').decode('hex')   # Python 2: str.decode('hex') -> raw bytes

    # Append this chunk to its piece; a piece may arrive in several packets.
    try:
        pieces[idx] += data
    except KeyError:
        pieces[idx] = data

# Order the pieces by numeric index and concatenate their payloads.
pieces = sorted([(int(p[0], 16), p[1]) for p in pieces.items()])

data = ''.join([p[1] for p in pieces])
open('bomber.out', 'w').write(data)   # 'w' opens the output in text mode

I would appreciate it if anyone could guide/explain to me what I am missing in properly reconstructing the BitTorrent data from the PCAP (using Windows).

TildalWave
Captain Slow

1 Answer

When writing binary output data try instead using

  open('bomber.out', 'wb').write(data)

I can't verify if this will help but it might be worth a try.

  • Wow, I didn't know such a simple command could totally change the output! I am now able to extract the data out with all values intact. Thank you for pointing that out! – Captain Slow May 02 '13 at 08:35
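The following is an added example, not code from the question, the answer or the Plaid CTF write-up, that makes the failure above reproducible on any platform. It reimplements the reassembly step in Python 3 (the write-up's script is Python 2, where `str.decode('hex')` exists and `'w'` silently does newline translation on Windows), then writes the same bytes once in binary mode and once with the `\n` to `\r\n` translation that Windows text mode performs. The sample `bomb`-style lines are constructed for the example and only assume the shape the original script parses (hex piece index, tab, colon-separated hex bytes); the real tshark output is not reproduced here.

```python
import binascii
import os
import tempfile

# Constructed sample input in the same shape the original script reads from 'bomb':
# "<piece index in hex>\t<colon-separated hex bytes>". Pieces arrive out of order
# and piece 1 is split across two packets, as in a real swarm. Payloads contain 0x0a
# bytes on purpose, since those are what text mode rewrites.
SAMPLE_LINES = [
    "00000001\t49:44:33:0a:00:0d:0a",   # second piece, first chunk, arrives first
    "00000000\tff:fb:90:0a:0d:0a:1a",   # first piece
    "00000002\t0a:0d:00:00",            # third piece
    "00000001\t0d:0a:ff",               # second piece, continuation in a later packet
]


def parse_piece_lines(lines):
    """Group hex payloads by numeric piece index, keeping arrival order within a piece."""
    pieces = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        idx, data = line.split("\t")
        raw = binascii.unhexlify(data.replace(":", ""))   # Python 3 replacement for .decode('hex')
        pieces.setdefault(int(idx, 16), bytearray()).extend(raw)
    return pieces


def reassemble(lines):
    """Concatenate all pieces in index order and return the file as bytes."""
    pieces = parse_piece_lines(lines)
    return b"".join(bytes(pieces[i]) for i in sorted(pieces))


def write_binary(path, data):
    # The fix from the answer: binary mode writes the bytes exactly as reassembled.
    with open(path, "wb") as f:
        f.write(data)


def write_text_mode_like_windows(path, data):
    # Simulates Python 2's open(path, 'w') on Windows: every '\n' becomes '\r\n'.
    # newline='\r\n' forces that translation on every OS so the effect is reproducible;
    # latin-1 maps each byte to one code point, so nothing else is altered.
    with open(path, "w", encoding="latin-1", newline="\r\n") as f:
        f.write(data.decode("latin-1"))


def compare_modes(data):
    """Write the same bytes both ways and report what each mode produced."""
    with tempfile.TemporaryDirectory() as d:
        bin_path = os.path.join(d, "bomber.bin")
        txt_path = os.path.join(d, "bomber.txt")
        write_binary(bin_path, data)
        write_text_mode_like_windows(txt_path, data)
        with open(bin_path, "rb") as f:
            bin_out = f.read()
        with open(txt_path, "rb") as f:
            txt_out = f.read()
    return {
        "binary_matches": bin_out == data,
        "text_matches": txt_out == data,
        "text_extra_bytes": len(txt_out) - len(data),
        "newline_bytes_in_input": data.count(b"\n"),
    }


if __name__ == "__main__":
    reassembled = reassemble(SAMPLE_LINES)
    print("reassembled:", reassembled.hex())
    print(compare_modes(reassembled))
```

The text-mode copy grows by exactly one byte per 0x0a in the input, which is why the questioner's .mp3 came out about 1KB larger with most bytes shifted, and why 7-Zip's central-directory offsets no longer pointed at the right places in the .zip. Checking `len(output) == len(reassembled)` after writing, or comparing a hash against the original file, catches this class of bug immediately.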