Monday, September 7, 2015

MMA CTF 2015 - Stream... (100)


We didn't end up solving this during the competition, but I thought it would be nice to show the challenge and share the process we went through in finding the flag.

It starts with a pcap file which contains many similar packets (parts of the stream). After sorting by length and following the TCP stream of one, we find some interesting header content.

Notably, we find the "User-Agent" is NSPlayer, the "Content-Type" is "application/x-mms-framed", and the bytes show that it's in "Windows Media Video" (WMV) format.

Now the tricky part is figuring out how we can play this content. We can save the binary data to a file in Wireshark by pressing 'Save As' and then editing the header out. (It's also useful to filter the conversation down to the part we care about using the dropdown menu, which defaults to Entire Conversation.)
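The header-stripping step above can also be scripted rather than done by hand. This is an added example, not part of the original write-up: it splits a saved server-to-client dump into header and body, then walks the framed body to show where a capture was cut short. The frame layout ('$', a type byte, a 16-bit little-endian length) is an assumption based on Microsoft's MS-WMSP framing, and the function names and sample bytes are constructed for illustration.

```javascript
// Split a saved server-to-client stream dump into HTTP header fields and body.
function splitHttpResponse(raw) {
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) throw new Error('no HTTP header terminator found');
  const lines = raw.subarray(0, end).toString('latin1').split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: lines[0], headers, body: raw.subarray(end + 4) };
}

// Walk the framed body. Assumed layout: '$' (0x24), a type byte ('H' header,
// 'D' data, 'E' end), then a 16-bit little-endian payload length.
function walkFrames(body) {
  const frames = [];
  let off = 0;
  while (off + 4 <= body.length) {
    if (body[off] !== 0x24) throw new Error('bad frame marker at offset ' + off);
    const type = String.fromCharCode(body[off + 1]);
    const len = body.readUInt16LE(off + 2);
    const truncated = off + 4 + len > body.length; // capture ended mid-frame
    frames.push({ type, len, truncated });
    if (truncated) break;
    off += 4 + len;
  }
  return frames;
}

// Constructed sample, not data from the challenge pcap.
function frame(type, payload) {
  const h = Buffer.from([0x24, type.charCodeAt(0), 0, 0]);
  h.writeUInt16LE(payload.length, 2);
  return Buffer.concat([h, payload]);
}
const SAMPLE = Buffer.concat([
  Buffer.from('HTTP/1.0 200 OK\r\nContent-Type: application/x-mms-framed\r\n\r\n', 'latin1'),
  frame('H', Buffer.alloc(20, 0x11)),
  frame('D', Buffer.alloc(32, 0x22)),
  frame('D', Buffer.alloc(32, 0x33)).subarray(0, 10), // cut off mid-frame
]);

const { headers, body } = splitHttpResponse(SAMPLE);
console.log(headers['content-type'], walkFrames(body));
```

To run it on a real dump, pass the contents of the file saved from Wireshark (server-to-client direction only) to `splitHttpResponse` and write the returned `body` out as the file to serve.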

After some research it looked like we could just serve the data from a server and use VLC to interpret it as an MMS stream. Here's a simple guide for OSX users on how to open MMS streams in VLC - http://elearning.etsu.edu/macmmsguide/index.html

The question is, what does our server need to look like?
Apparently not much.

This was done with very little effort and seemed to work fine (simple Node.js server):
m=require; m('http').createServer(function(_, r) {r.end(m('fs').readFileSync("extracted"))}).listen(4444);
Where "extracted" is the binary file we formed from the stream.

Now all we had to do was view the result in VLC: after launching VLC, you can go to File > Open Network and give it a URL. In this case we're hosting it locally, so we just point it to mms://localhost:4444 (it's important to use the mms protocol in this situation).

When playing it we get an initial frame of Rainbow Colors!

Then more of what we're looking for, in a classic MS Paint window ;)

The Final Flag Being:
MMA{windows_xp_is_too_old_to_create_problem!!}