Puppetmatryoshka

Welcome back to Exploitnetworking! Puppetmatryoshka was a misc challenge of SECT CTF 2018 where it was necessary to inspect a pcap file.

The first step is to open that file with Wireshark, where we can see that there are three packets of the Kismet protocol. The data of these packets starts with BZh91AY&SY, which is the bz2 header:

Now we can extract the data and save it to a file in order to decompress it. First select the second packet (because it is larger than the others), then click on “Analyze->Follow->TCP Flow”. Now select “Raw” and save it to a file:

OK, now we have a bz2 file; try to extract all the files so we can examine them:

pk2 is a filesystem image; try to mount it:

OK, in this filesystem there is a 7-zip file; try to extract its content:

In this archive there is a txt file containing base64. Try to decode its content:

Now we have an OpenDocument file. Try to open it with LibreOffice:

As we can see, there is an invalid signature; try to open it:
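
As an added example (not code from the original writeup), the following Python helper automates the peeling done by hand above: it carves the bz2 stream out of raw bytes by the BZh91AY&SY header, identifies each layer by its magic bytes, unwraps bz2 and base64 layers, and reads the mimetype of the final OpenDocument zip. The input stream is constructed inline; the filesystem image and 7-zip layers of the real challenge still need external tools (mount, 7z), so the helper only recognises them and stops.

```python
import base64, binascii, bz2, io, zipfile

MAGICS = {b"BZh": "bz2", b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z"}
BZ2_HEADER = b"BZh91AY&SY"   # bz2 stream header + first block magic seen in the pcap

def carve_bz2(stream: bytes) -> bytes:
    """Cut the bz2 data out of a raw TCP stream (the 'Raw' save in Wireshark)."""
    idx = stream.find(BZ2_HEADER)
    if idx < 0:
        raise ValueError("no bz2 header in stream")
    return stream[idx:]

def identify(data: bytes) -> str:
    """Classify a blob by magic bytes; base64 is recognised by strict decoding."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    text = b"".join(data.split())   # drop the line wrapping of a saved .txt
    try:
        if text:
            base64.b64decode(text, validate=True)
            return "base64"
    except binascii.Error:
        pass
    return "unknown"

def peel(data: bytes, max_layers: int = 10) -> list:
    """Unwrap bz2/base64 layers; stop at zip, 7z (external tool) or unknown."""
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        layers.append((kind, data))
        if kind == "bz2":
            data = bz2.decompress(data)
        elif kind == "base64":
            data = base64.b64decode(b"".join(data.split()), validate=True)
        else:
            break
    return layers

def odt_mimetype(data: bytes) -> str:
    """Read the 'mimetype' member every OpenDocument zip carries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read("mimetype").decode()

def build_sample() -> bytes:
    """Constructed stand-in for the captured stream: junk + bz2(base64(odt))."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
    return b"\x00junk\x00" + bz2.compress(base64.encodebytes(buf.getvalue()))
```

Running `peel(carve_bz2(build_sample()))` yields the layer kinds bz2, base64, zip in that order, mirroring the manual chain in the writeup.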