Tryhackme Security Footage
https://tryhackme.com/room/securityfootage
Room description: “Someone broke into our office last night, but they destroyed the hard drives with the security footage. Can you recover the footage?”
I’m on it!
Identify Protocol
So the file that I got is called security-footage-1648933966395.pcap, and its content just looks like a simple TCP connection where a host requests a file via HTTP from http://192.168.1.100:8081/:
After the client sends the request, the server responds periodically with image files:
Extracting data
I honestly don’t know how to extract this data. My idea was to read the file raw, split the capture using “–BoundaryString” as the delimiter and then slim the rest. But I wasn’t sure that this would’ve worked for other scenarios. I didn’t fully understand how to export the files from Wireshark, so I had to figure out something else.
My idea was to try binwalk and extract the pictures from the pcap data (since I assume they’re neither encrypted nor encoded).
binwalk3 -a -e -M -C temp security-footage-1648933966395.pcap
I will report the arguments details from the binwalk3 help message:
-M, --matryoshka Recursively scan extracted files
-a, --search-all Search for all signatures at all offsets
-e, --extract Automatically extract known file types
-C, --directory <DIRECTORY> Extract files/folders to a custom directory [default: extractions]
The output will look like this:
Great! It looks like I have all the pictures extracted! Now onto the new issues:
- Every extracted file is inside a folder
- Every folder is named after the offset where the file was found
- The offset is in hexadecimal, therefore an alphabetical listing does not put the files in order
Binwalk was not designed to do what I just made it do. Nevertheless, this is infuriating.
What do we have to do?
- Convert the hexadecimal names to decimal numbers for easy sorting
- Move each file out of its folder and prepend the folder’s name to its filename (so from 92D/image.jpeg to 2349-image.jpeg)
Two simple steps, I said, before actually writing the code.
First of all, I used Go to write this code. I could’ve made it with Python or Bash, but I wasn’t sure what the best approach would’ve been, since Bash can be tricky and Python can be slow.
Also, it’s been a long time since I programmed in either of those two languages, so for now I went for the easiest option for me.
So, the code does the following:
- Calls binwalk3 to extract the files
- Converts the names of the folders it creates from hex to integer and zero-pads the integer values (so 432 becomes 000000432)
- Renames the file inside each folder in the following way: 123456789-filename.extension
So once they’re listed, they will be in alphabetical order!
The code for binwalker can be found here: https://github.com/jackrendor/binwalker
Keep in mind that for it to work properly, you need either to have binwalk3 installed or to already have a folder that was created by binwalk3.
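As an added example (this is not the binwalker code linked above, nor anything from binwalk itself), here is a small Go program that does the three steps just listed: it runs the same binwalk3 command used earlier, walks the output directory for folders whose name is a hex offset, and moves each file into the parent directory under a zero-padded decimal prefix. The function names newName, hexFolders and flatten are my own, binwalk3 is assumed to be on PATH, and the layout is assumed to be the one described above (one offset-named folder per extracted file somewhere below the -C directory).

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"os/exec"
	"path/filepath"
	"sort"
	"strconv"
)

// newName builds the flattened file name from a binwalk offset folder name
// (hex, e.g. "92D") and the file found inside it (e.g. "image.jpeg"): the
// offset becomes a zero-padded 9-digit decimal prefix, "000002349-image.jpeg",
// so an alphabetical listing is also the order of the frames in the capture.
func newName(hexFolder, filename string) (string, error) {
	offset, err := strconv.ParseUint(hexFolder, 16, 64)
	if err != nil {
		return "", fmt.Errorf("folder %q is not a hex offset: %w", hexFolder, err)
	}
	return fmt.Sprintf("%09d-%s", offset, filename), nil
}

// hexFolders lists every directory below root whose base name parses as a hex
// offset. Collected up front so that renaming later does not disturb the walk.
func hexFolders(root string) ([]string, error) {
	var folders []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if p != root && d.IsDir() {
			if _, e := strconv.ParseUint(d.Name(), 16, 64); e == nil {
				folders = append(folders, p)
			}
		}
		return nil
	})
	return folders, err
}

// flatten moves each file out of its offset folder into that folder's parent
// under its new name, then removes the folder if it is now empty. It returns
// the new names sorted, i.e. in frame order. Nested extractions produced by
// binwalk's -M are only lifted one level; that is enough for this capture.
func flatten(root string) ([]string, error) {
	folders, err := hexFolders(root)
	if err != nil {
		return nil, err
	}
	var renamed []string
	for _, folder := range folders {
		files, err := os.ReadDir(folder)
		if err != nil {
			return nil, err
		}
		for _, f := range files {
			if f.IsDir() {
				continue
			}
			name, err := newName(filepath.Base(folder), f.Name())
			if err != nil {
				return nil, err // cannot happen: hexFolders already parsed the name
			}
			dst := filepath.Join(filepath.Dir(folder), name)
			if err := os.Rename(filepath.Join(folder, f.Name()), dst); err != nil {
				return nil, err
			}
			renamed = append(renamed, name)
		}
		os.Remove(folder) // fails harmlessly if something is still inside
	}
	sort.Strings(renamed)
	return renamed, nil
}

// main runs the binwalk3 command from the write-up and flattens its output.
// Usage: go run . <capture.pcap> <output-dir>   (binwalk3 must be on PATH)
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: <capture.pcap> <output-dir>")
		os.Exit(1)
	}
	cmd := exec.Command("binwalk3", "-a", "-e", "-M", "-C", os.Args[2], os.Args[1])
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, "binwalk3 failed:", err)
		os.Exit(1)
	}
	names, err := flatten(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, n := range names {
		fmt.Println(n)
	}
}
```

Nine digits of padding cover offsets up to 999,999,999 bytes, far more than this capture needs; the width only matters so that every name has the same length and alphabetical order equals numeric order. If you already have a binwalk3 output folder, call flatten on it directly instead of going through main.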
Now I just open whatever file manager I am in and sort the files inside the folder in alphabetical order.
This is what the tool looks like: