PicoCTF 2022

Category: Forensics

Torrent Analyze (400 points)

SOS, someone is torrenting on our network. One of your colleagues has been using torrent to download some files on the company’s network. Can you identify the file(s) that were downloaded? The file name will be the flag, like picoCTF{filename}.

This challenge was actually very confusing at first, but as stated many times before, the solution to the problem was very simple, it just required alot of research regarding the BitTorrent protocol.

So, firstly, we need to download the packet capture, and open it up in WireShark (obviously). As stated by hint #2, we also need to enable the BitTorrent protocols so we can better understand the data. After we do so, we’ll get something like this:

From here, you might be thinking: “How will we be able to find the filename from this?”. Great question! We can’t.

“What?”

I said we can’t.

Or, well, we can’t find it specifically within the packet capture in plain text. However, there is a way to locate the filename in general, and that’s by utilizing the info_hash. The info_hash is essentially the torrent method of identifying what specific file you need to download. It’s a SHA1 hash of:

  • The length (size) and path with the filename
  • The name of the file
  • Pieces: A collection of SHA1 hashes that all correspond to a portion of the resulting file
  • Pieces length: How many pieces there are
  • Private: If the torrent is private or public

So, using a tool like https://btdig.com to search for a file corresponding to that specific info_hash, we will be able to locate the specific file being downloaded and thus get the flag.

The only thing left is how we actually obtain this info_hash. For that we will need to narrow our search down to only packets using the BT-DHT protocol. The protocol, in laymans terms, is used to efficiently find valid peers that will aid in sending the file to you. More information can be found here regarding it.

If we look at all the packets, eventually we will locate one which contains the info_hash we need in order to search for the file name. Keep in mind that we will find many packets that are transferring files which do not end in .iso (as stated in hint #4), so in order to determine if we actually have the file we need to verify that the extension is correct.

Keep scrolling, aaand….

Go figure. It’s the last packet.

Anyway, the info hash is e2467cbf021192c241367b892230dc1e05c0580e.

Search this through the btdig site I talked about in order to get the actual name being transferred, and we get ubuntu-19.10-desktop-amd64.iso

And there we have it. Successfully getting a filename from a packet capture. Awesome!

Leave a Reply