TryHackMe - Security Footage :: Jack Rendor's blog - Penetration Tester and Security Researcher

https://tryhackme.com/room/securityfootage

Room description: “Someone broke into our office last night, but they destroyed the hard drives with the security footage. Can you recover the footage?”

I’m on it!

Identify Protocol#

So the file I got is called security-footage-1648933966395.pcap, and it contains one single TCP connection performing a GET HTTP request to http://192.168.1.100:8081/:

After the client sent the request, the server responded with a stream of image files:

Extracting data#

I honestly don’t know how to properly extract this data. My idea was to make a program or script that would read the file and separate the pictures in separated files by using “–BoundaryString” as delimeter and then remove the leftover junks in chucks that I got. However, I wasn’t sure that would be the best option. I didn’t fully understand how to export the files from Wireshark, so I had to figure out something else.

My idea was to rely on binwalk3 to extract the pictures from the pcap data (since I assume they’re not encrypted nor encoded).

binwalk3 -a -e -M -C temp security-footage-1648933966395.pcap

I will report the arguments details from the binwalk3 help message:

-M, --matryoshka Recursively scan extracted files
-a, --search-all Search for all signatures at all offsets
-e, --extract Automatically extract known file types
-C, --directory <DIRECTORY> Extract files/folders to a custom directory [default: extractions]

This is the output:

Great! It looks like I extracted all the pictures inside the pcap file! Now onto the new issues:

Every extracted file is inside a folder
Every folder is named after the offset where the file was found at
The directory name is in hexadecimal, therefore not sortable in alphabetical order by any file manager or such.

Binwalk wasn’t designed for the task I just put it to. Nevertheless, this is infuriating.

What do we have to do?

Convert the hexadecimal names in decimal numbers for easy sorting
Move the files from inside the folder and assign its folder’s name as suffix to it’s filename (so from 92D/image.jpeg to 2349-image.jpeg)

Two simple steps I told myself before actually writing the code.

First of all, I used go to write this program. I could’ve done it in Python or Bash, though I wasn’t certain which approach was optimal: Bash is finicky, and Python can be slow. Also, it’s been a long time since I programmed in one of those two languages, so I went for the easiest option in that situation.

So, the code does the following:

Calls binwalk3 to extract the files
Converts the name of the folders that it creates in hex to integer and adds padding for the integer values (so 432 would be 000000432)
Renames the file inside the folder in the following way: 123456789-filename.extension So once they’ll be listed, they will be in alphabetical order!

The code for binwalker (yes, that’s how I’ve called the tool) can be found here: https://github.com/jackrendor/binwalker

Keep in mind that in order for it to work properly, either way you need to have binwalk3 installed or already have a folder that has been created by binwalk3.

Now I just open whatever file manager I am in and sort the files inside the folder in alphabetical order.

This is how the tool looks like:

I hope you enjoyed following along and I wish you a happy day! c: