Welcome back to Exploitnetworking! Puppetmatryoshka was a misc challenge of SECT CTF 2018 where we had to inspect a pcap file.
The first step is to open the file with Wireshark, where we can see three packets of the Kismet protocol. The data of each packet starts with BZh91AY&SY, which is the bz2 header (the BZh signature, the block size 9 and the 0x314159265359 block magic):

Now we extract the data and save it to a file so we can decompress it. Select the second packet (it is larger than the others), then click "Analyze -> Follow -> TCP Stream". Choose "Raw" and save the stream to a file:
Now we have a bz2 file; decompress it and extract all the files it contains so we can examine them:
pk2 is a filesystem image, so mount it:
In this filesystem there is a 7-zip archive; extract its contents:
In this archive there is a txt file containing base64. Decode its content:
Now we have an OpenDocument file. Open it with LibreOffice:

As we can see, the document has an invalid signature; open it anyway:

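The whole challenge is one container nested in another, and each layer is recognised by its magic bytes before it is unwrapped. The script below is an added example (it is not part of the challenge or of the original write-up) that automates the bz2 -> tar -> base64 -> OpenDocument part of that chain from Python's standard library and stops, reporting the type, at layers that need an external tool (7z archives, filesystem images, the final document). The sample matryoshka it peels is constructed inside the script, so it runs offline; the file names and the flag string in it are made up.

```python
"""Peel a nested 'matryoshka' of containers by sniffing magic bytes at each layer."""
import base64
import binascii
import bz2
import io
import tarfile
import zipfile

# Signatures of the layers seen in the write-up.
BZ2_MAGIC = b"BZh"                     # then a block-size digit and the 0x314159265359 block magic
BZ2_BLOCK_MAGIC = b"\x31\x41\x59\x26\x53\x59"   # the "1AY&SY" part of BZh91AY&SY
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
ZIP_MAGIC = b"PK\x03\x04"
B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="


def identify(data: bytes) -> str:
    """Return a coarse layer type for a blob, judged from its header only."""
    if data[:3] == BZ2_MAGIC and data[3:4].isdigit() and data[4:10] == BZ2_BLOCK_MAGIC:
        return "bz2"
    if data[:6] == SEVENZ_MAGIC:
        return "7z"
    if data[:4] == ZIP_MAGIC:
        # An OpenDocument file is a zip whose first entry is a stored file named 'mimetype';
        # the local file header is 30 bytes, so the first file name starts at offset 30.
        return "odf" if data[30:38] == b"mimetype" else "zip"
    if data[257:262] == b"ustar":        # POSIX/GNU tar magic at offset 257 of the first header
        return "tar"
    stripped = b"".join(data.split())    # base64 text: alphabet only, and it must decode cleanly
    if stripped and all(c in B64_ALPHABET for c in stripped):
        try:
            base64.b64decode(stripped, validate=True)
            return "base64"
        except binascii.Error:
            pass
    return "unknown"


def peel_once(data: bytes):
    """Unwrap one layer; return (layer type, inner bytes or None if an external tool is needed)."""
    kind = identify(data)
    if kind == "bz2":
        return kind, bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            files = [m for m in tf.getmembers() if m.isfile()]
            biggest = max(files, key=lambda m: m.size)   # same heuristic as picking the largest packet
            return kind, tf.extractfile(biggest).read()
    if kind == "base64":
        return kind, base64.b64decode(b"".join(data.split()))
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = [i for i in zf.infolist() if not i.is_dir()]
            return kind, zf.read(max(entries, key=lambda i: i.file_size))
    # 7z archives, filesystem images and the final ODF document go to 7z / mount / LibreOffice.
    return kind, None


def peel(data: bytes, max_layers: int = 16):
    """Keep unwrapping until a layer cannot be handled here; return the layer list and last payload."""
    layers = []
    for _ in range(max_layers):
        kind, inner = peel_once(data)
        layers.append(kind)
        if inner is None:
            break
        data = inner
    return layers, data


def build_sample() -> bytes:
    """Constructed fixture (not the CTF data): an ODF document, base64'd, tarred, then bz2'd."""
    odf = io.BytesIO()
    with zipfile.ZipFile(odf, "w") as zf:   # default ZIP_STORED, as ODF requires for 'mimetype'
        zf.writestr(zipfile.ZipInfo("mimetype"), "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:text>flag{constructed_sample}</office:text>")
    b64 = base64.encodebytes(odf.getvalue())
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name, body in (("secret.txt", b64), ("readme", b"hi\n")):   # two files, one decoy
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return bz2.compress(tar_buf.getvalue())


if __name__ == "__main__":
    layers, payload = peel(build_sample())
    print(" -> ".join(layers))
```

Run it on a real stream dump by replacing `build_sample()` with the bytes of the file saved from Wireshark; when it stops at "7z" or "unknown", hand the current payload to the matching external tool and feed the result back in.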
- Interesting book on Wireshark: https://amzn.to/2CW9Vn4