ASIS CTF 2015 Quals WriteUp: Broken Heart

Hey! The qualifiers for ASIS CTF 2015 just ended. The following is a network forensics writeup. We are given a pcap file, myheart.pcap, that contains several broken HTTP transfers; each of them carries only an incomplete part of one file. You can tell from the HTTP streams that we have to collect all of the pieces of the heart file and also recover the first 13 missing bytes.


After collecting all of the pieces (by carving the data out of each HTTP transfer and naming each piece after the byte offsets in its Content-Range header), we begin assembling the bytes, which is trickier than it first seems because the byte ranges overlap one another. This was handled in Hex Fiend by copying out an entire byte group and pasting it into a collective file at its specified offset, in overwrite mode.


The missing 13 header bytes are the PNG file header bytes, which you can tell from the IEND chunk and the other PNG magic bytes throughout the file. Taking a look at it in Synalyze It! Pro, we can see more of the PNG grammar.
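To show the reassembly and header-recovery steps above in code, here is an added example (my own, not part of the original writeup or the CTF materials) that parses Content-Range headers from raw HTTP 206 responses, writes each piece at its offset in overwrite mode while checking that overlapping pieces agree, reports the byte ranges no transfer covered, and fills a missing 13-byte prefix with the bytes every valid PNG starts with. The sample responses are constructed inline and are not the data from myheart.pcap.

```python
import re
# First 13 bytes of every valid PNG: the 8-byte signature, then the IHDR chunk's
# 4-byte length (always 13) and the first byte of its type field, "I".
PNG_PREFIX_13 = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dI"
CONTENT_RANGE = re.compile(rb"Content-Range:\s*bytes\s+(\d+)-(\d+)/(\d+)", re.I)

def parse_partial_response(raw):
    """Return (start, end, total, body) from one raw HTTP 206 response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    m = CONTENT_RANGE.search(head)
    if not sep or not m:
        raise ValueError("not a parsable partial-content response")
    start, end, total = (int(x) for x in m.groups())
    if len(body) != end - start + 1:
        raise ValueError(f"body has {len(body)} bytes, Content-Range says {end - start + 1}")
    return start, end, total, body

def reassemble(responses):
    """Overwrite each piece at its offset; return (file bytes, list of missing ranges)."""
    pieces = [parse_partial_response(r) for r in responses]
    total = pieces[0][2]
    buf, covered = bytearray(total), bytearray(total)
    for start, _end, _total, body in pieces:
        for i, b in enumerate(body):
            pos = start + i
            # Overlapping pieces must agree; a mismatch means a piece was mis-carved.
            if covered[pos] and buf[pos] != b:
                raise ValueError(f"conflicting byte at offset {pos}")
            buf[pos], covered[pos] = b, 1
    missing, run = [], None
    for pos, c in enumerate(covered):
        if not c and run is None:
            run = pos
        elif c and run is not None:
            missing.append((run, pos - 1)); run = None
    if run is not None:
        missing.append((run, total - 1))
    return bytes(buf), missing

def patch_png_prefix(buf, missing):
    # Only fill the gap when exactly the first 13 bytes are missing, as in this challenge.
    if missing != [(0, 12)]:
        raise ValueError(f"unexpected gaps: {missing}")
    return PNG_PREFIX_13 + buf[13:]

# Constructed sample (not the real myheart.pcap): a 30-byte "file" served as three
# overlapping HTTP ranges, with bytes 0-12 never transferred.
FULL = PNG_PREFIX_13 + b"HDR_TAIL_sample!!"
def _response(s, e):
    return b"HTTP/1.1 206 Partial Content\r\nContent-Range: bytes %d-%d/%d\r\n\r\n" % (s, e, len(FULL)) + FULL[s:e + 1]
SAMPLE = [_response(13, 22), _response(18, 29), _response(20, 25)]
```

Running `reassemble(SAMPLE)` reports `[(0, 12)]` as the only gap, and `patch_png_prefix` then reproduces the full sample file.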


Putting those bytes in place and changing the file extension, we get our flag :)

