247CTF - Follow the Sequence

Multipath TCP (MPTCP) challenge: the data is spread across multiple subflows. The task is to combine the requests and recover the flag.

Approach

  1. Merge PCAP files - Combine three MPTCP flow captures
  2. Extract TCP streams - Reconstruct the data from merged flows
  3. Analyze extracted data - Look for embedded archives and artifacts
  4. Extract and inspect - Check for flag in extracted files

Solution Steps

# 1. Merge the three PCAP files
mergecap -w merged_chall.pcap chall-i1.pcap chall-i2.pcap chall-i3.pcap

# 2. Extract TCP flows
tcpflow -r merged_chall.pcap -o ./output_dir

# 3. Concatenate flow streams
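# a, b, c stand for the tcpflow output files; write to a new file, never over an input
cat a b c > combined.bin

# 4. Extract embedded archive with binwalk
binwalk -eM combined.bin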
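
The `cat` step only reproduces the original byte stream if the flow files are joined in the right order. As an added example (not part of the original write-up), the Python code below goes beyond plain concatenation and orders segments from all subflows by the data sequence number (DSN) carried in the MPTCP DSS option (RFC 8684). The sample segments and the helpers `make_dss` and `sample_segments` are constructed for illustration.

```python
import struct

def parse_dss(opt):
    """Parse an MPTCP DSS option (TCP option kind 30, subtype 2, RFC 8684).
    Returns (dsn, data_level_length), or None if it carries no mapping."""
    if len(opt) < 4 or opt[0] != 30 or opt[2] >> 4 != 2:
        return None
    flags, pos = opt[3], 4
    if flags & 0x01:                       # A: Data ACK present
        pos += 8 if flags & 0x02 else 4    # a: Data ACK is 8 octets
    if not flags & 0x04:                   # M: mapping (DSN, SSN, length) present
        return None
    fmt = "!Q" if flags & 0x08 else "!I"   # m: DSN is 8 octets
    (dsn,) = struct.unpack_from(fmt, opt, pos)
    _ssn, length = struct.unpack_from("!IH", opt, pos + struct.calcsize(fmt))
    return dsn, length

def reassemble(segments):
    """Order (dss_option, payload) pairs from all subflows by DSN.
    Simplifications: one TCP segment per mapping, no 32-bit DSN wrap."""
    mapped = {}
    for opt, payload in segments:
        m = parse_dss(opt)
        if m and m[1] == len(payload):
            mapped.setdefault(m[0], payload)   # keep first copy, drop retransmits
    out, expected = bytearray(), None
    for dsn in sorted(mapped):
        if expected is not None and dsn != expected:
            raise ValueError(f"gap or overlap at DSN {expected}")
        out += mapped[dsn]
        expected = dsn + len(mapped[dsn])
    return bytes(out)

def make_dss(dsn, ssn, length):
    """Build a 14-byte DSS option: M flag only, 4-octet DSN, no checksum."""
    return struct.pack("!BBBBIIH", 30, 14, 0x20, 0x04, dsn, ssn, length)

def sample_segments(data=b"constructed sample payload split over three subflows"):
    """Constructed input: 8-byte chunks dealt round-robin to three subflows and
    returned grouped per subflow, as per-subflow stream files would hold them."""
    subflows = [[], [], []]
    for i in range(0, len(data), 8):
        flow, chunk = subflows[(i // 8) % 3], data[i:i + 8]
        ssn = 1 + sum(len(p) for _, p in flow)
        flow.append((make_dss(1000 + i, ssn, len(chunk)), chunk))
    return data, [seg for flow in subflows for seg in flow]

if __name__ == "__main__":
    data, segs = sample_segments()
    print("naive concat  :", b"".join(p for _, p in segs))
    print("DSN reassembly:", reassemble(segs))
```

A `ValueError` from `reassemble` means a subflow capture is missing or a segment was dropped, which is worth checking before carving the output with binwalk.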

Key Findings

  • Identified ZIP archive at offset 0x78145B containing 11 files
  • Extracted files include multiple JPEGs: Flag.jpg, Here.jpg, Is.jpg, NOT_A_FLAG.jpg
  • Flag is embedded in one of the extracted images
247CTF{850bb436f0eecad0205eebb6c9b7b6c6}