Launching Wireshark, I sort by the length column to check the largest packets captured.
Looks like there's a zip that was transferred, and this is probably what we need to extract. It also looks like it's in multiple chunks ('splitted').
After naively doing a "Follow TCP Stream" and exporting the data, I realized the segments were in the wrong order. Notably, the "PK" bytes, which are part of the magic bytes for a zip file, were in the middle. Now we need to figure out how to arrange it correctly. The intuition of where to find this data came from a friend on the team - http://lockboxx.blogspot.com/
On a past challenge he had mentioned there are parts of the packet describing the order in which streams are constructed. Looking a little further, I found the "Content-Range" header needed to reconstruct the original file.
By the way, if anyone knows of a nice way in python to pull the "Content-Range" section out of the HTTP headers, please leave a comment below, I would love to know!
In this example, we're looking at the 2nd packet in the chain of total split packets. It shows the Content-Range is 269-937. Now we just need to export each data portion of the packet to a file. We'll start by copying the hex representations to a Python file and export the zip this way.
By right-clicking on the field underneath "Media Type" we can go to Copy > Bytes > Hex Stream, which gives the bytes of the payload section of this packet only (a lot nicer than trimming down the header section of each packet).
Following the "Content-Range" header for each packet, we assemble a Python file that will export the zip file contained within the capture:
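The same reordering can be scripted, which also covers pulling "Content-Range" out of the headers in Python. This is an added example, not the script from the original post: it assumes each HTTP response is available as raw bytes (headers plus body), and the sample zip and all ranges except 269-937 are constructed.

```python
import io
import re
import zipfile

# Content-Range: bytes <first>-<last>/<total>; both offsets are inclusive.
CONTENT_RANGE = re.compile(
    rb"^content-range:\s*bytes\s+(\d+)-(\d+)/(?:\d+|\*)\s*$", re.I | re.M)

def parse_response(raw):
    """Split one raw HTTP response into (first, last, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    m = CONTENT_RANGE.search(head)
    if not sep or not m:
        raise ValueError("no Content-Range header in response")
    first, last = int(m.group(1)), int(m.group(2))
    if len(body) != last - first + 1:
        raise ValueError(f"body is {len(body)} bytes, range says {first}-{last}")
    return first, last, body

def reassemble(responses):
    """Order chunks by starting offset and refuse gaps or overlaps."""
    out = bytearray()
    for first, last, body in sorted(parse_response(r) for r in responses):
        if first != len(out):
            raise ValueError(f"expected offset {len(out)}, chunk starts at {first}")
        out += body
    return bytes(out)

def constructed_capture():
    """Constructed sample: a small zip served as three out-of-order responses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("flag.psd", b"constructed placeholder, not the challenge file " * 25)
    data = buf.getvalue()
    cuts = [(938, len(data) - 1), (0, 268), (269, 937)]  # scrambled arrival order
    responses = [
        b"HTTP/1.1 206 Partial Content\r\nContent-Type: application/octet-stream\r\n"
        + b"Content-Range: bytes %d-%d/%d\r\n\r\n" % (a, b, len(data))
        + data[a:b + 1]
        for a, b in cuts
    ]
    return data, responses

if __name__ == "__main__":
    original, responses = constructed_capture()
    rebuilt = reassemble(responses)
    print(rebuilt[:2], zipfile.ZipFile(io.BytesIO(rebuilt)).namelist())
```

The length check in `parse_response` catches a truncated export before it silently corrupts the archive, and `reassemble` fails loudly if a chunk is missing from the capture.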
Now we can extract it with unzip, and check what's inside!
Looks like we have a file called flag.psd.
Let's open that up in GIMP and see what we've got.
Looks like we've got a blank canvas! But there's another layer in the PSD. Turning off the first layer, or swapping the layers, seems to do the trick.