We were provided with a pcap capture. The capture has mostly HTTP traffic, which seems to be the transfer of a file named key.7z. The HTTP client, which is Python’s urllib, requests the file in very small chunks, using the “Range: bytes=xx-yy” header.
To make things more complicated, the HTTP client requests the byte ranges without any particular order, and it also requests overlapping ranges. These details make it harder to extract the key.7z file from the pcap capture.
So I applied the following filter in Wireshark, in order to show just the HTTP responses from the server:
http && ip.src == 126.96.36.199
We were provided with a bin.bin file, which size is 512 bytes. Doing $ file bin.bin shows us that the file is a boot sector.
In order to run the boot sector I’ve followed an article from the developers of MikeOS (Note that I’ve linked to the Google Cache copy since the original site appears to be down).
So I downloaded a floppy disk image, renamed it to floppy.flp, and then I copied the boot sector of this challenge to the floppy disk image:
$ dd status=noxfer conv=notrunc if=bin.bin of=floppy.flp
Then I started QEMU using the floppy disk image containing the CTF boot sector:
$ qemu-system-i386 -fda floppy.img
QEMU boots from our floppy disk image, and the boot sector asks for a password:
ForbiddenBITS CTF 2013 – Invisible 150
We were provided with an HTML page having this content:
Ok, WordPress screwed it. It’s just a bunch of whitespaces and tabs. It’s a program written in the Whitespace esotheric language.