Using tshark to export the HTTP data:
$ tshark -r packet-dada.pcap -Y http -V > http.txt
Inside http.txt we see:
GET /flag HTTP/1.1
Host: challenge.xforce.local
X-XFORCE-Key: SECRET_FOARD_FOKEY
So the packet is simulating a request to a remote service that would return the flag if the correct key is supplied.
Since we cannot contact the remote service, the challenge creators embedded the response in the same packet as an HTTP response following the request (a “full duplex” capture). Indeed, after the request there is a second TCP segment with:
HTTP/1.1 200 OK
Content-Type: text/plain
XFORCEp4ck37_15_4n_1llu5i0n
The response is clearly present in the packet capture.
Challenge: Adobe Illustrator CC 2014 – X‑FORCE – packet‑dada
Category: Reverse Engineering / Forensics
Points: 450
Author: X‑FORCE (Team)
Adobe has strengthened licensing protocols, transitioning to online account-based activation. While crackers like X-Force aimed to exploit these systems, Adobe counters with:
PDF files store binary data in streams. Listing all streams with pdf-parser.py (part of pdf-tools) reveals a large stream that does not start with “/FlateDecode”.
$ pdf-parser.py extracted.pdf
...
obj 8 0
<< /Length 1526 /Filter /FlateDecode >>
stream
xœ... (binary)
The stream is compressed with Flate (zlib) – standard for PDF. Decompress it:
$ pdf-parser.py -o 8 -d stream8.bin extracted.pdf
$ python3 -c 'import sys, zlib; sys.stdout.buffer.write(zlib.decompress(open("stream8.bin", "rb").read()))' > payload.bin
(zcat expects a gzip header and rejects a bare zlib stream, so the stream is inflated with zlib directly; pdf-parser.py -o 8 -f -d payload.bin extracted.pdf does both steps in one.)
payload.bin is 1152 bytes long. The first few bytes:
\x00\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\x00\x45\x00...
The 0x45 byte at offset 12 marks the start of an IPv4 header (high nibble 4 = version 4, low nibble 5 = IHL of 5 words, i.e. a 20-byte header).
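As an added example (not part of the writeup), the same carving done in Python: inflate the zlib stream, skip the 12-byte prefix whose meaning the page does not give, validate the IPv4 header, and pull the HTTP text out of the TCP segment. The sample stream is constructed inline, and the assumption that the embedded datagram carries TCP is checked rather than trusted.

```python
import struct
import zlib

# The page's payload starts with 12 bytes (32-bit words 0x1, 0x10, 0x0) before
# the 0x45 IPv4 byte; their meaning is not given, so they are only skipped.
PREFIX_LEN = 12


def parse_ipv4(blob, offset=0):
    """Parse an IPv4 header at offset; return (fields, payload) or raise."""
    if len(blob) - offset < 20:
        raise ValueError("too short for an IPv4 header")
    vihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", blob, offset)
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl:
        raise ValueError(f"not an IPv4 header: first byte 0x{vihl:02x}")
    fields = {"ihl": ihl, "total_len": total_len, "proto": proto,
              "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    return fields, blob[offset + ihl:offset + total_len]


def tcp_payload(segment):
    """Strip the TCP header, honouring its data-offset field."""
    return segment[(segment[12] >> 4) * 4:]


def extract_http(stream_bytes):
    """zlib-decompress the PDF stream, skip the prefix, return the HTTP text."""
    raw = zlib.decompress(stream_bytes)
    ip, ip_payload = parse_ipv4(raw, PREFIX_LEN)
    if ip["proto"] != 6:  # assumption: the embedded datagram carries TCP
        raise ValueError(f"expected TCP (6), got protocol {ip['proto']}")
    return tcp_payload(ip_payload).decode("ascii", errors="replace")


def build_sample_stream(http_text):
    """Constructed input: prefix + IPv4 + TCP + HTTP, zlib-compressed like obj 8."""
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    tcp += http_text.encode()
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return zlib.compress(b"\x00\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\x00" + ip)


if __name__ == "__main__":
    print(extract_http(build_sample_stream("HTTP/1.1 200 OK\r\n\r\nFLAG{sample}")))
```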