ASIS2014: Forensic 150 - Forensic
This challenge was rather simple. Here we had a tcpdump capture file with a lot of different http-requests. A few of them were directed to 172.16.33.144:8010, including a GET request for “myfile”.
After extracting the file it turned out that it is another pcap file with some too long packets - making it impossible to be opened by wireshark or tcpdump. Fortunately, there are existing tools to automatically fix capture files, we used the online version of pcapfix (http://f00l.de/hacking/pcapfix.php).
A few looks showed that there where a lot of communication with a printer going on, including tcp-streams transferring postscript files. So, easy going: we just extracted all postscript files from their tcp-streams and looked at them. They all contained text created with figlet (http://www.figlet.org/). More specifically, the visible content of the printed file were:
2.gs: Do you know about figlet? FIGlet is a program for making large letters out of ordinary text.
And yes, that’s the flag!