https://tryhackme.com/room/securityfootage

Room description: “Someone broke into our office last night, but they destroyed the hard drives with the security footage. Can you recover the footage?”

I’m on it!

Identify Protocol

So the file that I got is called security-footage-1648933966395.pcap, and its contents just look like a simple TCP connection where a host requests a file via HTTP from http://192.168.1.100:8081/:

After the client sends the request, the server responds periodically with image files:

Extracting data

I honestly don’t know how to extract this data. My idea was to read the file raw and separate the capture by using “--BoundaryString” as delimiter and then slim the rest. But I wasn’t sure that this would’ve worked for other scenarios. I didn’t fully understand how to export the files from Wireshark, so I had to figure out something else.
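The delimiter idea is in fact how this kind of stream is meant to be read. Periodic image responses on one HTTP connection, separated by a --BoundaryString line, are what an MJPEG camera feed looks like: a single HTTP response of type multipart/x-mixed-replace (assumed here, as it is the standard content type for MJPEG over HTTP), where every frame is its own part with its own small header block. The following parser is an added example, not code from the writeup or from the binwalker tool. It takes the raw server-to-client bytes (what Wireshark gives you with Follow TCP Stream, shown and saved as Raw), uses the boundary from the response headers, honours Content-Length when a part carries one, falls back to searching for the next delimiter when it does not, and flags a frame that the capture cut off. The sample stream, the boundary value BoundaryString (taken from the delimiter mentioned above) and the frame payloads are constructed stand-ins.

```python
import os
import re

# Constructed sample of the server-to-client bytes (what Wireshark's Follow TCP
# Stream saved as Raw would give). Boundary value and frame payloads are stand-ins;
# only the JPEG start/end markers FF D8 / FF D9 are meaningful.
BOUNDARY = b"BoundaryString"

def fake_jpeg(payload):
    return b"\xff\xd8" + payload + b"\xff\xd9"

def make_part(frame, with_length=True):
    hdr = b"--" + BOUNDARY + b"\r\nContent-Type: image/jpeg\r\n"
    if with_length:
        hdr += b"Content-Length: %d\r\n" % len(frame)
    return hdr + b"\r\n" + frame + b"\r\n"

FRAMES = [fake_jpeg(b"frame-one"), fake_jpeg(b"frame-two")]
SAMPLE_STREAM = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: multipart/x-mixed-replace; boundary=" + BOUNDARY + b"\r\n\r\n"
    + make_part(FRAMES[0])
    + make_part(FRAMES[1], with_length=False)    # some servers omit Content-Length
    + make_part(fake_jpeg(b"frame-three"))[:-8]  # capture ended in the middle of a frame
)

def find_boundary(stream):
    """Boundary from the response headers, or from the first '--xxx' line when the
    export starts at the first part instead of at the HTTP headers."""
    head = stream.split(b"\r\n\r\n", 1)[0]
    m = re.search(rb'boundary="?([^";\r\n]+)', head, re.IGNORECASE)
    if m is None:
        m = re.search(rb"(?m)^--([^\r\n]+)\r\n", stream)
    if m is None:
        raise ValueError("no multipart boundary found")
    return m.group(1)

def parse_part_headers(raw):
    headers = {}
    for line in raw.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def split_mjpeg(stream):
    """Yield (frame_bytes, complete) for every part of the multipart stream."""
    delim = b"--" + find_boundary(stream)
    pos = stream.find(delim)                # skips the HTTP response headers
    while pos != -1:
        pos += len(delim)
        if stream.startswith(b"--", pos):   # '--boundary--' closes the stream
            return
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end == -1:                   # capture ended inside a part header
            return
        headers = parse_part_headers(stream[pos:hdr_end])
        body_start = hdr_end + 4
        if b"content-length" in headers:
            n = int(headers[b"content-length"])
            body = stream[body_start:body_start + n]
            complete = len(body) == n       # short read means a truncated capture
            next_pos = stream.find(delim, body_start + n) if complete else -1
        else:
            # No length: the frame runs up to the next delimiter (minus its CRLF).
            # A JPEG always ends in FF D9, so stripping trailing CR/LF is safe.
            next_pos = stream.find(delim, body_start)
            body = stream[body_start:] if next_pos == -1 else stream[body_start:next_pos].rstrip(b"\r\n")
            complete = next_pos != -1
        complete = complete and body.startswith(b"\xff\xd8") and body.endswith(b"\xff\xd9")
        yield body, complete
        pos = next_pos

def write_frames(stream, outdir):
    """Write each frame as frame-NNNN.jpg; zero-padding keeps an alphabetical
    listing in capture order. Truncated frames are kept but marked .partial."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for i, (frame, complete) in enumerate(split_mjpeg(stream)):
        name = "frame-%04d%s.jpg" % (i, "" if complete else ".partial")
        with open(os.path.join(outdir, name), "wb") as f:
            f.write(frame)
        names.append(name)
    return names

if __name__ == "__main__":
    import sys, tempfile
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    out = sys.argv[2] if len(sys.argv) > 2 else tempfile.mkdtemp(prefix="frames-")
    print("\n".join(write_frames(data, out)), "->", out)
```

Run it as `python3 mjpeg_split.py stream.raw outdir` on a raw export of the server side of the connection; without arguments it processes the constructed sample. Because the frames are written in stream order with zero-padded names, the output folder already lists in the order the camera produced them, which is the ordering problem the rest of this writeup deals with for binwalk's output.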

My idea was to try binwalk and extract the pictures from the pcap data (since I assume they’re neither encrypted nor encoded).

binwalk3 -a -e -M -C temp security-footage-1648933966395.pcap

I will reproduce the argument details from the binwalk3 help message:

  • -M, --matryoshka Recursively scan extracted files
  • -a, --search-all Search for all signatures at all offsets
  • -e, --extract Automatically extract known file types
  • -C, --directory <DIRECTORY> Extract files/folders to a custom directory [default: extractions]

The output will look like this:

Great! It looks like I have all the pictures extracted! Now onto the new issues:

  • Every extracted file is inside its own folder
  • Every folder is named after the offset where the file was found
  • The folder names are unpadded hexadecimal, so an alphabetical listing does not follow capture order (1000 sorts before 92D)

Binwalk was not designed to do what I just made it do. Nevertheless, this is infuriating.

What do we have to do?

  • Convert the hexadecimal names to zero-padded decimal numbers for easy sorting
  • Move each file out of its folder and prefix its filename with the folder’s name (so 92D/image.jpeg becomes 2349-image.jpeg)

Two simple steps, I said, before actually writing the code.

First of all, I used Go to write this code. I could have made it with Python or Bash, but I wasn’t sure what the best approach would have been, since Bash can be tricky and Python can be slow. Also, it’s been a long time since I programmed in either of those two languages, so for now I went for the easiest option for me.

So, the code does the following:

  • Calls binwalk3 to extract the files
  • Converts the hex folder names that it creates to integers and zero-pads them (so 432 becomes 000000432)
  • Renames the file inside each folder as 123456789-filename.extension, so that an alphabetical listing is also the capture order!

The code for binwalker can be found here: https://github.com/jackrendor/binwalker

Keep in mind that for it to work properly you need either binwalk3 installed or a folder that binwalk3 has already created.
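The same three steps (run binwalk3, turn each hex offset folder into a zero-padded decimal number, move the file out with that number as prefix) in Python, as an added example that is not the binwalker code linked above. The binwalk3 command line is the one used earlier in this writeup; the folder layout (one hex-offset folder per carved file, e.g. 92D/image.jpeg) is assumed from the description above, so point `flatten_binwalk_dir` at whichever directory actually holds those offset folders. The padding width 9 follows the 000000432 example; the demo tree is constructed and the "JPEGs" in it are only marker bytes.

```python
import os
import subprocess
import tempfile

PAD = 9   # width of the decimal offset (the writeup's 432 -> 000000432); assumed

def run_binwalk3(pcap, outdir):
    """Same extraction command as used earlier in the writeup; not run in the demo."""
    subprocess.run(["binwalk3", "-a", "-e", "-M", "-C", outdir, pcap], check=True)

def flatten_binwalk_dir(extract_dir, pad=PAD):
    """Move each file out of its hex-offset folder into extract_dir, renamed
    <zero-padded decimal offset>-<original name>. Returns the new names, sorted."""
    renamed = []
    for entry in os.listdir(extract_dir):
        sub = os.path.join(extract_dir, entry)
        if not os.path.isdir(sub):
            continue
        try:
            offset = int(entry, 16)      # folder name is the hex offset of the carve
        except ValueError:
            continue                     # not an offset folder; leave it alone
        if offset < 0:
            continue
        for fname in os.listdir(sub):
            src = os.path.join(sub, fname)
            if not os.path.isfile(src):
                continue
            dst = os.path.join(extract_dir, "%0*d-%s" % (pad, offset, fname))
            if os.path.exists(dst):
                raise FileExistsError(dst)   # never overwrite another carve silently
            os.replace(src, dst)
            renamed.append(os.path.basename(dst))
        if not os.listdir(sub):
            os.rmdir(sub)
    return sorted(renamed)

def build_demo_tree():
    """Constructed stand-in for binwalk3's output: three carves at offsets
    0x5, 0x1A0 and 0x92D, each as image.jpeg inside a hex-named folder."""
    root = tempfile.mkdtemp(prefix="binwalk-demo-")
    for hex_off in ("92D", "1A0", "5"):
        os.makedirs(os.path.join(root, hex_off))
        with open(os.path.join(root, hex_off, "image.jpeg"), "wb") as f:
            f.write(b"\xff\xd8" + hex_off.encode() + b"\xff\xd9")   # not a real JPEG
    return root

def demo():
    """Returns (new file names, folders left behind) for the constructed tree."""
    root = build_demo_tree()
    names = flatten_binwalk_dir(root)
    leftover = [e for e in os.listdir(root) if os.path.isdir(os.path.join(root, e))]
    return names, leftover

if __name__ == "__main__":
    names, leftover = demo()
    print("\n".join(names), "leftover folders:", leftover)
```

With a fixed width the decimal prefixes sort as numbers even in a plain alphabetical listing, which is exactly what the file manager step below relies on; the refusal to overwrite an existing destination is there because two carves at the same offset with the same name would otherwise quietly lose one of them.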

Now I just open whatever file manager I have and sort the files inside the folder alphabetically.

This is what the tool looks like:

asciicast