Phreaky

Personal Rating: Easy

We are given a pcap file.

I identified TCP stream 0 as just an Ubuntu update, so I filtered it out with tcp.stream ne 0

What remains is mostly SMTP packets spread across several streams.

Password: S3W8yzixNoL8

Following one of the streams, we find what appears to be a zip file.

There were 15 streams. I copied all of the relevant data to a text file and cleaned it up like so:

Then I wrote a Python script and a shell script that handle the base64 decoding and the passwords, and finally concatenate the parts into the finished PDF file:

decoder.py

import base64
import subprocess
from zipfile import ZipFile
# Format: Password1,zipname1,b64_1,Password2,zipname2,b64_2 ...
# (one value per line in the 'zipstreams' file)

# open the file with the content
mainarray = []
with open('zipstreams') as z:
    for line in z:
        line = line.replace('\n','')
        mainarray.append(line)

c = 0

# 15 streams x 3 lines each = 45 entries
while c < 45:
    # decode base64
    a = base64.b64decode(mainarray[c+2])

    # write to zipfile
    name = str(c+1)+".zip"
    with open(name,"wb") as file:
        file.write(a)

    # extract the zipfile using the password from the same stream
    with ZipFile(name,"r") as zf:
        zf.extractall(path="./", pwd=mainarray[c].encode("utf-8"))

    c += 3

# concatenate the extracted parts into final.pdf
subprocess.run(["./concat.sh"], check=True)

concat.sh

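#!/bin/bash
# brace expansion needs bash; the shebang also lets subprocess.run execute the script directly
for i in {1..15}; do cat "phreaks_plan.pdf.part$i" >> final.pdf; done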

The final PDF contained the flag.

HTB{Th3Phr3aksReadyT0Att4ck}
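
The manual copy step above can be replaced by parsing each followed stream directly. This is an added example, not part of the original write-up: it assumes each stream was saved as text from Wireshark's "Follow TCP Stream" and that the message body carries a "Password: ..." line next to a base64 zip attachment. The host names, password and file names in build_sample are constructed.

```python
import base64, io, re, zipfile
from email import message_from_string

def parse_smtp_stream(stream_text):
    """Return (password, attachment_name, zip_bytes) from one followed SMTP stream."""
    # The message sits between the client's DATA command and the lone "." terminator.
    m = re.search(r"^DATA\r?\n(?:354[^\n]*\n)?(.*?)^\.\r?$", stream_text, re.S | re.M)
    if not m:
        raise ValueError("no DATA section in stream")
    msg = message_from_string(m.group(1))
    password = name = blob = None
    for part in msg.walk():
        if part.get_filename():
            # attachment: let the email module undo the base64 transfer encoding
            name = part.get_filename()
            blob = part.get_payload(decode=True)
        elif part.get_content_type() == "text/plain":
            pw = re.search(r"Password:\s*(\S+)", part.get_payload())
            password = pw.group(1) if pw else password
    if blob is None or not zipfile.is_zipfile(io.BytesIO(blob)):
        raise ValueError("no zip attachment found")
    return password, name, blob

def build_sample():
    # Constructed input: an unencrypted zip, since the stdlib cannot write encrypted ones.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("example.pdf.part1", b"%PDF-constructed")
    b64 = base64.encodebytes(buf.getvalue()).decode()
    return (
        "220 mail.example ESMTP\nEHLO client.example\n250 OK\n"
        "DATA\n354 End data with <CR><LF>.<CR><LF>\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\nMIME-Version: 1.0\n\n'
        "--BOUND\nContent-Type: text/plain\n\n"
        "Attached is a part of the file. Password: ExamplePw123\n\n"
        '--BOUND\nContent-Type: application/zip; name="part1.zip"\n'
        'Content-Disposition: attachment; filename="part1.zip"\n'
        "Content-Transfer-Encoding: base64\n\n"
        + b64 + "\n--BOUND--\n.\n250 OK\nQUIT\n"
    )

if __name__ == "__main__":
    pw, name, blob = parse_smtp_stream(build_sample())
    print(pw, name, len(blob), "bytes")
```

The returned password and bytes can be passed to ZipFile.extractall as in decoder.py, one call per stream.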
