https://tryhackme.com/room/securityfootage

Room description: “Someone broke into our office last night, but they destroyed the hard drives with the security footage. Can you recover the footage?”

I’m on it!

Identify Protocol

So the file I got is called security-footage-1648933966395.pcap, and it contains a single TCP connection carrying an HTTP GET request to http://192.168.1.100:8081/:

After the client sent the request, the server responded with a stream of image files:

Extracting data

I honestly don’t know how to properly extract this data. My idea was to make a program or script that would read the file and separate the pictures into separate files by using “--BoundaryString” as the delimiter, and then remove the leftover junk from the chunks I got. However, I wasn’t sure that would be the best option. I didn’t fully understand how to export the files from Wireshark, so I had to figure out something else.
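The boundary-splitting idea described above, carried through as an added example in Go (not the author's binwalker tool): it takes the raw server-to-client bytes of the TCP stream (for instance saved from Wireshark's Follow TCP Stream), reads the multipart boundary from the Content-Type header, splits on it, strips each part's headers and keeps only complete JPEGs. The embedded stream is constructed, with fake minimal frames; the "BoundaryString" boundary comes from the writeup, and the dash-normalisation is an assumption about camera firmware quirks, not something the room states.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"mime"
	"net/http"
	"strings"
)

// carveMJPEG splits the reassembled bytes of a multipart/x-mixed-replace HTTP
// response on its boundary, drops each part's headers and keeps only complete
// JPEGs (FF D8 ... FF D9), so a frame cut off where the capture ended is skipped.
func carveMJPEG(stream []byte) ([][]byte, error) {
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(stream)), nil)
	if err != nil {
		return nil, fmt.Errorf("parse HTTP response: %w", err)
	}
	_, params, _ := mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if params["boundary"] == "" {
		return nil, fmt.Errorf("no multipart boundary in Content-Type")
	}
	// Assumption: some cameras put the leading dashes into the boundary parameter
	// itself; normalise so the delimiter searched for is always "--" + bare boundary.
	delim := []byte("--" + strings.TrimLeft(params["boundary"], "-"))
	body, _ := io.ReadAll(resp.Body) // no Content-Length: body runs until the capture ends
	var frames [][]byte
	for _, part := range bytes.Split(body, delim)[1:] { // [0] is whatever precedes the first boundary
		_, img, ok := bytes.Cut(part, []byte("\r\n\r\n")) // a blank line ends the part headers
		img = bytes.TrimRight(img, "\r\n-")                // trailing CRLF and stray boundary dashes
		if ok && len(img) >= 4 && bytes.HasPrefix(img, []byte{0xFF, 0xD8}) && bytes.HasSuffix(img, []byte{0xFF, 0xD9}) {
			frames = append(frames, img)
		}
	}
	return frames, nil
}

// sampleStream is a constructed response (not the room's pcap): two fake frames plus one truncated at capture end.
func sampleStream() []byte {
	const ph = "--BoundaryString\r\nContent-Type: image/jpeg\r\n\r\n" // per-part headers
	return []byte("HTTP/1.1 200 OK\r\nContent-Type: multipart/x-mixed-replace; boundary=--BoundaryString\r\n\r\n" +
		ph + "\xFF\xD8\xFF\xE0frame1\xFF\xD9\r\n" + ph + "\xFF\xD8\xFF\xDBframe2\xFF\xD9\r\n" + ph + "\xFF\xD8\xFF\xE0cut")
}

func main() {
	frames, err := carveMJPEG(sampleStream())
	fmt.Printf("carved %d complete frames (err=%v); save them as %%06d.jpg to keep capture order\n", len(frames), err)
}
```

Writing the returned frames out with zero-padded sequence numbers keeps them in capture order, which is the same ordering problem the binwalk approach below runs into.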

My idea was to rely on binwalk3 to extract the pictures from the pcap data (since I assume they’re not encrypted nor encoded).

binwalk3 -a -e -M -C temp security-footage-1648933966395.pcap

I will report the argument details from the binwalk3 help message:

  • -M, --matryoshka Recursively scan extracted files
  • -a, --search-all Search for all signatures at all offsets
  • -e, --extract Automatically extract known file types
  • -C, --directory <DIRECTORY> Extract files/folders to a custom directory [default: extractions]

This is the output:

Great! It looks like I extracted all the pictures inside the pcap file! Now onto the new issues:

  • Every extracted file is inside a folder
  • Every folder is named after the offset where the file was found at
  • The directory names are in hexadecimal, so sorting them alphabetically in a file manager or the like does not put them in offset order.

Binwalk wasn’t designed for the task I just put it to. Nevertheless, this is infuriating.

What do we have to do?

  • Convert the hexadecimal names to decimal numbers for easy sorting
  • Move the files out of their folders and prefix each filename with its folder’s name (so 92D/image.jpeg becomes 2349-image.jpeg)

Two simple steps I told myself before actually writing the code.

First of all, I used Go to write this program. I could’ve done it in Python or Bash, though I wasn’t certain which approach was optimal: Bash is finicky, and Python can be slow. Also, it’s been a long time since I programmed in either of those two languages, so I went for the easiest option in that situation.

So, the code does the following:

  • Calls binwalk3 to extract the files
  • Converts the hexadecimal names of the folders it creates to integers and zero-pads them (so 432 becomes 000000432)
  • Renames the file inside each folder to 123456789-filename.extension, so that once listed, the files appear in alphabetical order, which is now also offset order!

The code for binwalker (yes, that’s how I’ve called the tool) can be found here: https://github.com/jackrendor/binwalker

Keep in mind that for it to work properly, you need to either have binwalk3 installed or already have a folder that was created by binwalk3.

Now I just open whatever file manager I am in and sort the files inside the folder in alphabetical order.

This is what the tool looks like:


I hope you enjoyed following along and I wish you a happy day! c: