PicoCTF 2022 — Forensics: Torrent Analyze
Apr 29, 2022
Reading the link provided, we can see that the info_hash value in the bt-dht packets is going to be unique per torrent.
From that information, you can pull each of these fields with tshark and output them as JSON:
tshark -r torrent.pcap -Y 'bt-dht.bencoded.string=="info_hash"' -Tjson -e 'bt-dht.bencoded.string' > output.json
We can then use some bash tools to clean up the output:
# Reduce the JSON to the unique 40-character hex info_hash values, space-separated
cat output.json \
| jq '.[] | ._source.layers' \
| grep info_hash -A1 \
| awk '{print $1}' \
| sort \
| uniq \
| sed -E 's/"?(.{40})"?,?/\1/g' \
| grep -E '.{40}' \
| tr '\n' ' '
Following this, we can manually search for each hash on Google to find a reference to hash e2467cbf021192c241367b892230dc1e05c0580e on linuxtracker.org.
Note: the solve.py script in this folder can automate the discovery.
picoCTF{ubuntu-19.10-desktop-amd64.iso}