Hidden Doubled Image in packet pcap icmp
The capture contains a mass of ICMP packets. Extract all the data of the ICMP packets using this command:
tshark -r packet.pcap -Y "icmp" -Tfields -e data > data_pcap_hex_sus.sus
Because the data looks like hex, I assume it is hex, so the file will be data_pcap_hex_sus.
When I decode the hex in CyberChef, it looks like:
It seems the header appears twice.
We filter the odd and the even packets separately because the data is scrambled (the requests and the replies are interleaved).
Filter:
from scapy.all import *
from binascii import *
scapy_cap = rdpcap('./packet.pcap')
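with open('outputpcap', 'wb') as f:
    for i,packet in enumerate(scapy_cap):
        if "ICMP" in packet:
            if i%2==1:
                # assumed body (the snippet is cut off here): print the payload as hex
                print(hexlify(packet[Raw].load).decode())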
I assume this is multiple PNG files.
->89504e470d0a<-1a0a0000000d49484452->89504e470d0a<-1a0a0000000d4948445289504e470d0a1a0a
But the output prints the PNG signature twice. Based on: https://en.wikipedia.org/wiki/List_of_file_signatures
we know the PNG signature is: 89 50 4E 47 0D 0A 1A 0A
So the correct hex to extract is:
89504e470d0a1a0a0000000d49484452
Before, it was:
89504e470d0a1a0a0000000d4948445289504e470d0a1a0a0000000d4948445289504e470d0a1a0a
So we know to extract 32 characters from each line.
Since we don't know whether the attachment is in the ICMP requests or in the replies, we split the output into get_1 and get_2.
Solver:
from scapy.all import *
from binascii import *
packet_get_1 = ""
packet_get_2 = ""
scapy_cap = rdpcap('./packet.pcap')
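with open('outputpcap', 'wb') as f:
    for i,packet in enumerate(scapy_cap):
        if "ICMP" in packet:
            # bytes 16..31 of the payload = 32 hex characters, one copy of the chunk
            if i%2==1:
                packet_get_2 += hexlify(packet[Raw].load[16:32]).decode()
            else:
                packet_get_1 += hexlify(packet[Raw].load[16:32]).decode()
# 'w' instead of 'a' so that a second run does not append to the previous output
open('packet1','w').write(packet_get_1)
open('packet2','w').write(packet_get_2)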
After that, we convert it to binary:
xxd -r -p packet1 image1
After that, run binwalk:
binwalk -e image1 -D=".*"
We can see the flag: netcomp{sending_file_through_icmp}
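
The same recovery written more generally, as an added example (not part of the original solver): it derives the chunk length from the repetition inside the payloads instead of hard-coding [16:32], and splits streams by ICMP type instead of packet index parity. It assumes packets are given as (ICMP type, payload) tuples, as you would get from scapy's packet[ICMP].type and packet[Raw].load; the function names and the sample data are constructed for illustration.

```python
PNG_SIG = bytes.fromhex("89504e470d0a1a0a")
ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

def common_period(payloads):
    """Smallest p such that every payload is payload[:p] repeated (last copy may be cut)."""
    limit = min(len(d) for d in payloads)
    for p in range(1, limit + 1):
        if all(d[i] == d[i % p] for d in payloads for i in range(len(d))):
            return p
    return limit

def reassemble(packets):
    """packets: list of (icmp_type, payload). Returns {icmp_type: de-duplicated stream}."""
    payloads = [data for _, data in packets if data]
    if not payloads:
        return {}
    # One period for the whole capture: a chunk of identical bytes looks like
    # period 1 on its own, so the period must hold for every payload at once.
    period = common_period(payloads)
    streams = {}
    for icmp_type, data in packets:
        streams.setdefault(icmp_type, bytearray()).extend(data[:period])
    return {t: bytes(s) for t, s in streams.items()}

def png_streams(streams):
    """ICMP types whose reassembled stream starts with the PNG signature."""
    return [t for t, s in streams.items() if s.startswith(PNG_SIG)]

# --- constructed sample, not taken from packet.pcap ---
def wrap(chunk):
    return (chunk * 3)[:40]  # 16-byte chunk repeated to fill a 40-byte payload

SAMPLE_IMAGE = PNG_SIG + bytes.fromhex("0000000d49484452") + bytes(16) + bytes(range(16))
SAMPLE_OTHER = b"0123456789abcdef" * 3
SAMPLE_PACKETS = []
for off in range(0, len(SAMPLE_IMAGE), 16):
    SAMPLE_PACKETS.append((ECHO_REQUEST, wrap(SAMPLE_IMAGE[off:off + 16])))
    SAMPLE_PACKETS.append((ECHO_REPLY, wrap(SAMPLE_OTHER[off:off + 16])))

if __name__ == "__main__":
    streams = reassemble(SAMPLE_PACKETS)
    print("chunk size:", common_period([d for _, d in SAMPLE_PACKETS]))
    print("PNG carried in ICMP type(s):", png_streams(streams))
```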