[CTF] ImaginaryCTF 2022 - Forensics

Writeup for the Forensics challenges in ImaginaryCTF 2022. I only had time to solve a single challenge. It was pretty fun though. Let's jump into the writeup.


The moment I saw the title of the challenge, I was pretty sure it's related to ARP packets. I opened the packet capture file in Wireshark and boom, my thought was correct. There are many ARP packets, and at a single glance they won't seem suspicious. But the closer we look, the more interesting data we can see. The target IP address field in the ARP packets is really weird: its four bytes read as text, and it looks like /usr.

As I went down through the packets, I saw another interesting piece of data in packet 12443. It's the PNG header (the bytes 504e47 spell "PNG"), so that means the rest of the packets carry image data, four bytes per packet in the same target IP field.

I made a script to extract the strings and the image from the ARP packets.

from scapy.all import *

pkts = rdpcap('tarp.pcapng')

shadow = b''      # bytes smuggled in the target IP field before the PNG header
raw_image = b''   # bytes of the PNG carried from packet 12443 onwards

# Packets before the PNG header carry the shadow file.
# Bytes 38:42 of the raw frame are the ARP target IP field
# (14-byte Ethernet header + 24 bytes of ARP fields in front of it).
# The sender-IP filter value is empty in this write-up; fill in the
# sender address of the carrier packets as seen in Wireshark.
for pkt in pkts[0:12268]:
    if pkt.haslayer(ARP):
        if pkt.psrc == '' and pkt.op == 1:   # op 1 = ARP request
            shadow += raw(pkt)[38:42]

# Packets from the PNG header onwards carry the image.
for pkt in pkts[12442:]:
    if pkt.haslayer(ARP):
        if pkt.psrc == '' and pkt.op == 1:
            raw_image += raw(pkt)[38:42]

print("Extracted Shadow File From ARP :- ")
print(shadow.decode('latin-1'))

# Write the carved image bytes to disk.
with open("flag.png", "wb") as flag:
    flag.write(raw_image)

print("\nFlag image is saved to flag.png file")
print("If it's not opening with normal image viewers, try on webbrowser")

The strings were a shadow file, but the flag is in the PNG image. For some reason I couldn't open it with the image viewer installed on my system, so I opened it with a web browser.
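From the defender's side, the same trick is easy to spot: an ARP request whose target IP field is printable text or an address that is not on the local link is not a real address lookup. The following is an added example, not code from the write-up, that builds a few constructed raw ARP frames without scapy, flags the anomalous ones using the same 38:42 offset, and carves the smuggled bytes to check for the PNG signature. The local network 10.0.0.0/24 and the sample frames are assumptions.

```python
import struct
import ipaddress

TPA_OFFSET = 38  # 14-byte Ethernet header + 24 bytes of ARP fields before the target IP
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def build_arp_request(src_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Build a raw Ethernet/ARP request frame (constructed sample data for this example)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # htype, ptype, hlen, plen, op=request
    arp += src_mac + sender_ip + b"\x00" * 6 + target_ip  # sha, spa, tha, tpa
    return eth + arp

def target_ip_bytes(frame: bytes) -> bytes:
    """The same four bytes the write-up slices out of each packet."""
    return frame[TPA_OFFSET:TPA_OFFSET + 4]

def is_suspicious_arp(frame: bytes, local_net: ipaddress.IPv4Network) -> bool:
    """Heuristic: an ARP request is suspicious if its target IP is off-link or reads as ASCII text."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # not an ARP frame
        return False
    if struct.unpack("!H", frame[20:22])[0] != 1:          # only ARP requests (op == 1)
        return False
    tpa = target_ip_bytes(frame)
    off_link = ipaddress.IPv4Address(tpa) not in local_net  # hosts only ARP for on-link addresses
    printable = all(0x20 <= b < 0x7F for b in tpa)          # "/usr"-style text in the IP field
    return off_link or printable

def carve_covert_payload(frames, local_net):
    """Concatenate the target IP fields of suspicious requests and report whether a PNG is inside."""
    data = b"".join(target_ip_bytes(f) for f in frames if is_suspicious_arp(f, local_net))
    return data, PNG_MAGIC in data

# Constructed sample: one legitimate request followed by four carrier packets
# (two chunks of a path, then the 8-byte PNG signature split across two packets).
LOCAL_NET = ipaddress.IPv4Network("10.0.0.0/24")
SRC_MAC, SENDER_IP = b"\x02\x00\x00\x00\x00\x01", b"\x0a\x00\x00\x01"
SAMPLE_FRAMES = [build_arp_request(SRC_MAC, SENDER_IP, tpa)
                 for tpa in (b"\x0a\x00\x00\x05", b"/usr", b"/sbi", b"\x89PNG", b"\r\n\x1a\n")]

if __name__ == "__main__":
    payload, has_png = carve_covert_payload(SAMPLE_FRAMES, LOCAL_NET)
    print(f"carved {len(payload)} bytes, PNG signature present: {has_png}")
```

Off-link ARP requests can also come from misconfigured hosts, so in a real capture the rate of such requests from a single sender is the better alerting signal.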

That's it, see y'all next time :).