mirror of
https://github.com/dirtbags/moth.git
synced 2025-01-08 04:51:06 -07:00
archaeology
===========

This is the network archaeology category. Puzzles center around pulling
something out of a pcap file.

* Base64-encoded plaintext

* Image in pcap of HTTP
* Image in pcap of SMTP
* Image in pcap of proto b
* Image in pcap of out-of-order proto b
* Image in pcap of out-of-order w/NAK proto b

* Base64-encoded single-byte xor
* Base64-encoded 4-byte xor
* Base64-encoded 16-byte xor

* Image in pcap of 1-byte xor out-of-order w/NAK w/filler proto c
* Image in pcap of proto d, plus a token in the text
* Image in pcap of proto e, token in the text, and token in zip file


proto b
-------

Byte values are hexadecimal; the first octet of each message is the
ASCII control code named in the last column.

01    1 octet      SOH
xxxx  2 octets     chunk number (monotonically increasing)
xx    1 octet      chunk length
...   <256 octets  up to 255 bytes of data
xx    1 octet      checksum (uint8 sum of all data bytes, i.e. the sum modulo 256)

06    1 octet      ACK
xxxx  2 octets     chunk number
00    1 octet      length 0

15    1 octet      NAK
xxxx  2 octets     chunk number
00    1 octet      length 0

04    1 octet      EOT
xxxx  2 octets     chunk number
00    1 octet      length 0

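
frob
----

* srand(0)
* xor each octet with rand() % argv[1]

The seed is fixed, so a given argv[1] always produces the same keystream
on a given C library. The rand() sequence is implementation-specific, so
encoding and decoding must use the same libc. argv[1] is used as a
modulus and must therefore be nonzero.
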

proto c
-------

All packets are XORed with a key selected at random once per session
(the puzzle list above describes proto c as a 1-byte xor).

offs  len   description
----  ----  -----------
00    2     c0 0c
02    2     packet length
04    1     opcode
05    1     00
06          data

opcode  desc   data
------  ----   ---------
01      Hello  hostname(cstring), 60 bytes random
02      NOP    ∅
04      Text   Alice in Wonderland
05      Image  part# (2 octets) + data


proto d
-------

All packets are XORed with a key selected at random for each packet.

offs  len   description
----  ----  -----------
00    1     00
01    1     opcode
02    2     packet length
04    2     sequence number
06          data

opcode  desc   data
------  ----   ---------
01      Hello  hostname(cstring), 60 bytes random
02      NOP    ∅
04      Text   Alice in Wonderland
05      Image  data


proto e
-------

16-byte xor key, applied to the entire packet.

offs  len   description
----  ----  -----------
00    1     opcode
01    1     compression type (0=none, 1=gzip)
02    2     packet length
04    2     sequence number
06          data

In the data column, multi-field payloads are written as size:name; the
size appears to be in octets, with n meaning variable length.

opcode  desc    data
------  ----    ---------
01      Hello   hostname(cstring), 60 bytes random
02      C2      interactive shell
04      fopen   1:mode (0=read, 1=write)
                1:fd
                n:path
05      write   1:fd
                4:offset
                n:data
06      fclose  1:fd
08      NOP     ∅
