The Lost Award


Commander Keen and B.J. Blazkowicz are trying to bring back some lost award plate. Any chance you can help?

A PCAP file was attached.


The attached file contains a network capture which mainly involves SMB traffic.

The most interesting part of the capture is writing a file called BSidesTLV.manipulated_smb.pcapng in several chunks.

However, not all of the chunks were available (some TCP packets weren't captured), and the full file could not be reconstructed from the current data.

From what was available, it was apparent that the new file was a PCAP file as well, and perhaps it contained another PCAP file and so on. Deep down, base64 encoded data was being transferred. For example, the tail of one of the chunks:

Let's take a base64 string and start working on it.

We start with:

Decode it:

This is base32 (all uppercase letters, and equal signs at the end). Decode that:

This looks like a hex stream. What is the meaning?

Doesn't look good.

This is the time to mention that most if not all base64 strings had a common prefix:

This means that they also had a common prefix after the base32 decode: A0D0

A0D0 doesn't really mean anything, but it looks familiar. We're used to seeing 0D0A at the end of the line, a.k.a. \r\n. What if we reverse the string and then decode as ASCII?

Now we're getting somewhere!

Searching Google for g1 x y e, we get many results about 3D printing. This is a 3D printing format: G-Code!

We can perform a best-effort extraction of the strings, ignoring the fact that this is a network capture, using the following one-liner bash snippet:

For example, the head of the output would be:

We save the output to a file, and perform another pass with cat 3d.gcode | egrep "^G" > 3d_clean.gcode as a best effort to filter out any junk that might have been added while decoding the different levels.
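The decoding chain described above (base64, then base32, then a character-reversed hex stream, then the filter for lines starting with G), as an added Python example that is not the author's original one-liner. The function names and the sample blob are constructed for illustration; the sample is built with an inverse encoder because the captured strings are not reproduced here.

```python
import base64
import binascii
import re

# Candidate tokens: long runs of the base64 alphabet with optional padding.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def hex_layer(token: bytes) -> bytes:
    """Peel base64, then base32. The result is the reversed hex string (A0D0...)."""
    return base64.b32decode(base64.b64decode(token, validate=True))


def decode_layers(token: bytes) -> str:
    """base64 -> base32 -> reverse characters -> hex -> ASCII."""
    hex_stream = hex_layer(token)[::-1]  # after reversal it ends with 0D0A (\r\n)
    return bytes.fromhex(hex_stream.decode("ascii")).decode("ascii")


def encode_layers(line: str) -> bytes:
    """Inverse of decode_layers; used only to build the constructed sample."""
    hex_stream = line.encode("ascii").hex().upper().encode("ascii")
    return base64.b64encode(base64.b32encode(hex_stream[::-1]))


def extract_gcode(blob: bytes) -> list[str]:
    """Best effort: try every base64-looking token, keep lines starting with G."""
    lines = []
    for match in B64_TOKEN.finditer(blob):
        try:
            text = decode_layers(match.group())
        except (binascii.Error, ValueError):
            continue  # truncated chunk or unrelated bytes from the capture
        lines.extend(ln for ln in text.splitlines() if ln.startswith("G"))
    return lines


# Constructed sample: one valid G-code line, one decodable non-G-code line,
# and one truncated token standing in for a chunk with missing TCP packets.
SAMPLE_BLOB = (
    b"\x00\xffSMB\x00" + encode_layers("G1 X10.5 Y20.0 E0.4\r\n")
    + b"\x00" + encode_layers("not gcode\r\n")
    + b"\x00" + encode_layers("G1 X11.0 Y20.0 E0.8\r\n")[:-7]
)

if __name__ == "__main__":
    print("\n".join(extract_gcode(SAMPLE_BLOB)))
```

Tokens that fail at any layer are skipped rather than aborting the run, which is what makes the extraction usable on a capture with missing packets.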

Then, we can upload the file to a GCode decoder and inspect it.

At first we see something like this:

After zooming in, it's possible to start seeing a vague representation of a flag:

You might be able to see w3 in the middle of the model.

If we start removing lines from the file, we get a clearer image:

After a few permutations, the flag can be extracted: BSidesTLV{[email protected]_n0w!}