TryHackMe - Security Footage
https://tryhackme.com/room/securityfootage
Room description: “Someone broke into our office last night, but they destroyed the hard drives with the security footage. Can you recover the footage?”
I’m on it!
Identify Protocol#
So the file I got is called security-footage-1648933966395.pcap, and it contains one single TCP connection performing a GET HTTP request to http://192.168.1.100:8081/:
After the client sent the request, the server responded with a stream of image files:
Extracting data#
I honestly don’t know how to properly extract this data. My idea was to write a program or script that would read the file, split the pictures into separate files using “--BoundaryString” as the delimiter, and then strip the leftover junk from the chunks I got. However, I wasn’t sure that would be the best option. I didn’t fully understand how to export the files from Wireshark, so I had to figure out something else.
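As an added example (not the write-up’s own tool), the following Go code carries out the first idea above: splitting the reassembled response body on the --BoundaryString delimiter. It assumes the stream uses the usual multipart/x-mixed-replace layout (part headers, a blank CRLF line, the JPEG bytes, CRLF before the next boundary), drops any part that is not a complete JPEG (FF D8 FF ... FF D9, e.g. a frame cut off by the capture), and writes the rest with zero-padded names so a file manager lists them in capture order; the sample body is constructed, not taken from the pcap.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
)

// boundary is the part delimiter quoted in the write-up; the markers are JPEG start-of-image
// (FF D8 FF) and end-of-image (FF D9).
const boundary = "--BoundaryString"
var jpegSOI, jpegEOI = []byte{0xFF, 0xD8, 0xFF}, []byte{0xFF, 0xD9}

// splitFrames splits the reassembled HTTP body on the boundary and keeps only parts whose payload,
// after the part headers (up to the first blank line) and trailing CRLF are stripped, is a complete JPEG.
func splitFrames(body []byte) [][]byte {
	var frames [][]byte
	for _, part := range bytes.Split(body, []byte(boundary)) {
		_, payload, ok := bytes.Cut(part, []byte("\r\n\r\n"))
		if !ok {
			continue // preamble, closing "--" marker, or a part without headers
		}
		payload = bytes.TrimRight(payload, "\r\n")
		if !bytes.HasPrefix(payload, jpegSOI) || !bytes.HasSuffix(payload, jpegEOI) {
			continue // not a whole JPEG: the capture cut it off, or it is not an image at all
		}
		frames = append(frames, payload)
	}
	return frames
}

// writeFrames saves the frames as 000000000.jpeg, 000000001.jpeg, ... so they list in capture order.
func writeFrames(dir string, frames [][]byte) ([]string, error) {
	var names []string
	for i, f := range frames {
		name := fmt.Sprintf("%09d.jpeg", i)
		if err := os.WriteFile(filepath.Join(dir, name), f, 0o644); err != nil {
			return nil, err
		}
		names = append(names, name)
	}
	return names, nil
}

// sampleStream is a constructed body (not from the capture): two minimal JPEG-shaped parts
// with, between them, one part cut short that must be dropped.
var sampleStream = []byte("--BoundaryString\r\nContent-Type: image/jpeg\r\nContent-Length: 8\r\n\r\n" +
	"\xff\xd8\xffA1\x00\xff\xd9\r\n--BoundaryString\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xffTRUNC\r\n" +
	"--BoundaryString\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xffB2\xff\xd9\r\n--BoundaryString--\r\n")
```

On the real capture you would feed splitFrames the TCP payload that follows the HTTP response headers (Wireshark’s “Follow TCP Stream”, saved as raw bytes).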
My idea was to rely on binwalk3 to extract the pictures from the pcap data (since I assume they’re not encrypted nor encoded).
binwalk3 -a -e -M -C temp security-footage-1648933966395.pcap
I will report the argument details from the binwalk3 help message:
-M, --matryoshka Recursively scan extracted files
-a, --search-all Search for all signatures at all offsets
-e, --extract Automatically extract known file types
-C, --directory <DIRECTORY> Extract files/folders to a custom directory [default: extractions]
This is the output:
Great! It looks like I extracted all the pictures inside the pcap file! Now onto the new issues:
- Every extracted file is inside a folder
- Every folder is named after the offset where the file was found at
- The directory name is in hexadecimal, therefore not sortable in alphabetical order by any file manager or such.
Binwalk wasn’t designed for the task I just put it to. Nevertheless, this is infuriating.
What do we have to do?
- Convert the hexadecimal names to decimal numbers for easy sorting
- Move each file out of its folder and prepend the folder’s name to the filename (so 92D/image.jpeg becomes 2349-image.jpeg)
Two simple steps I told myself before actually writing the code.
First of all, I used Go to write this program. I could’ve done it in Python or Bash, though I wasn’t certain which approach was optimal: Bash is finicky, and Python can be slow.
Also, it’s been a long time since I programmed in either of those two languages, so I went for the easiest option in that situation.
So, the code does the following:
- Calls binwalk3 to extract the files
- Converts the names of the folders it creates from hex to integer and zero-pads the integer values (so 432 would become 000000432)
- Renames the file inside each folder in the following way: 123456789-filename.extension
So once they are listed, they will be in alphabetical order!
The code for binwalker (yes, that’s what I’ve called the tool) can be found here: https://github.com/jackrendor/binwalker
Keep in mind that in order for it to work properly, you need to either have binwalk3 installed or already have a folder that has been created by binwalk3.
Now I just open whatever file manager I am in and sort the files inside the folder in alphabetical order.
This is what the tool looks like:
I hope you enjoyed following along and I wish you a happy day! c: