# WAP Challenge 14: HTTP Traffic File Carving


# url='http://videos.pentesteracademy.com.s3.amazonaws.com/videos/wap-challenges/http-forensics2.pcap'
# wget --quiet --output-document=http-forensics2.pcapng $url
# editcap -F libpcap -T ether http-forensics2.pcapng http-forensics2.pcap
# tshark -nr http-forensics2.pcap | grep octet
 15   9.678371 192.168.1.13 -> 67.159.60.66 HTTP 1155 POST /upload_fileapi.php?3529945644=0&file=0&startpos=0&r=0.5286034531386509 HTTP/1.1  (application/octet-stream)
 63  27.056300 192.168.1.13 -> 67.159.60.61 HTTP 1161 POST /upload_fileapi.php?7792025787=0&file=0&startpos=0&r=0.3998272621670734 HTTP/1.1  (application/octet-stream)
116  46.865880 192.168.1.13 -> 67.159.60.29 HTTP 1161 POST /upload_fileapi.php?4000038131=0&file=0&startpos=0&r=0.9503461291640495 HTTP/1.1  (application/octet-stream)
182  67.593167 192.168.1.13 -> 84.39.117.75 HTTP 1160 POST /upload_fileapi.php?5200689443=0&file=0&startpos=0&r=0.02202681328946554 HTTP/1.1  (application/octet-stream)
# cat solution.py
#!/usr/bin/python

import io
import itertools
import os
import zipfile
import zlib

import scapy.all as scapy

pcap = scapy.rdpcap("http-forensics2.pcap")
zip = []

for frame in pcap:
    if 'octet-stream' in frame[scapy.Raw].load:
        zip.append(frame[scapy.Raw].load.split('\r\n')[-3])

i = 0

perms = itertools.permutations(zip, len(zip))
for p in perms:
 zfn = str(i) + '.zip'
 zf = open(zfn, 'wb')
 for ostream in p: 
  zf.write(ostream)
 zf.close()
 if zipfile.is_zipfile(zfn):
  try:
   zf = zipfile.ZipFile(zfn, 'r')
   zf.extractall()
   print zf.namelist()
   os.exit()
  except:
   os.remove(zfn)
   pass
  i += 1
# ./solution.py
['split-file/', 'split-file/pass']
# cat split-file/pass
12wsdqwe32109
