# Security Footage

{% embed url="<https://tryhackme.com/room/securityfootage>" %}

## Enumeration

### Packet analysis (Wireshark)

In the capture we can see only one IP talking back and forth with another IP.

One of them is a web server and the other is an individual user.

They first complete a TCP three-way handshake, and then the individual IP sends a request with the HTTP GET method.

<figure><img src="/files/3yvkGEPlMZPZUsv7uNkG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/s0CoxR1dJNTdUfIr6h80" alt=""><figcaption></figcaption></figure>

In one of the fairly large packets we can see three header lines: `--BoundaryString`, `Content-type` and `Content-Length`.

* **BoundaryString**: This is a delimiter that separates different parts of the message. The **actual** "BoundaryString" will be a unique string defined earlier in the overall message's Content-Type header.
* **Content-type**: image/jpeg: This straight-up tells you the file type. In this case it is a JPEG image.
* **Content-Length**: 10427: This tells you that the **raw** JPEG image data itself is **n bytes** long. We’ll need that later.

These are the key pieces of information that indicate it's the individual IP requesting the images.

If we scroll down and select the bigger packets, we see similar results, but a whole image is too large for one packet, so we need to gather the whole exchange together.

We can still see the Content-Length in the packet, but the binary data is not contained in a single packet; it is scattered across several, so we have to use the Follow function.

### Follow the Stream

Right-click one of the packets, select Follow and then follow the stream, or use Ctrl+Alt+Shift+T as a shortcut.

We can change the data format to ASCII to get a better understanding of the requests.

<figure><img src="/files/9QJxNZMQ9OwOxfiU7r6c" alt=""><figcaption></figcaption></figure>

### Getting image from hex

#### ImHex

First we save the stream as file.bin.

Now we open file.bin in a **hex editor**. I'm using **ImHex** here.

* In the hex editor:

  * Search for the sequence of bytes that represents the end of your headers and the **blank line**. This is usually **0D 0A 0D 0A**.
    * The Content-Length: n line will end with 0D 0A.
  * Use the select function or the search function.
  * The byte **immediately after** the second 0D 0A is the **first byte** of your JPEG image data, `FF`. The blank line has to come right after the **Content-Length** line.

  <figure><img src="/files/vPWZGlgjrOk6B7WeHkw0" alt=""><figcaption></figcaption></figure>

  Put the cursor on the FIRST byte **FF** of the image data and use the select function, setting the Size to the n bytes that Content-Length gives you.

  <figure><img src="/files/DkvilN6JoyFEvj9OYw0i" alt=""><figcaption></figcaption></figure>

Copy this selected block of n bytes.

Create a new file in the hex editor, paste these bytes into it, and save it as `image.jpg` (or `image.jpeg`).

Here you go, the first image of the flag (you gotta do more…)
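The same carving step automated for every frame in the saved stream, as an added example that is not part of the original walkthrough. It goes beyond the single image above by looping over all parts, and it assumes file.bin was saved from the Follow Stream window with the data shown as Raw; the sample stream, its `multipart/x-mixed-replace` header and the `frame_NNNN.jpg` output names are constructed for illustration.

```python
import re
import sys

# Part header as described above: the Content-Length line, then the blank line (0D 0A 0D 0A).
PART_HEADER = re.compile(rb"Content-Length:\s*(\d+)\r\n\r\n", re.IGNORECASE)
JPEG_SOI = b"\xff\xd8"  # every JPEG body starts with these two bytes


def carve_frames(stream: bytes) -> list[bytes]:
    """Return each complete JPEG body that follows a Content-Length part header."""
    frames, pos = [], 0
    while (match := PART_HEADER.search(stream, pos)) is not None:
        length, start = int(match.group(1)), match.end()
        body = stream[start:start + length]
        if len(body) == length and body.startswith(JPEG_SOI):
            frames.append(body)
            pos = start + length  # jump over the image bytes, never scan inside them
        else:
            pos = start  # truncated capture or a non-JPEG part: keep looking
    return frames


def build_sample_stream() -> bytes:
    """Constructed sample: two tiny fake frames plus one cut off mid-body."""
    frame_a = JPEG_SOI + b"frame-a\r\n\r\nstill-image-data" + b"\xff\xd9"
    frame_b = JPEG_SOI + b"frame-b" + b"\xff\xd9"
    stream = b"HTTP/1.1 200 OK\r\nContent-Type: multipart/x-mixed-replace; boundary=BoundaryString\r\n\r\n"
    for frame in (frame_a, frame_b):
        stream += b"--BoundaryString\r\nContent-type: image/jpeg\r\n"
        stream += b"Content-Length: %d\r\n\r\n" % len(frame) + frame + b"\r\n"
    # The last part claims 500 bytes but the capture ends early.
    stream += b"--BoundaryString\r\nContent-type: image/jpeg\r\nContent-Length: 500\r\n\r\n" + JPEG_SOI
    return stream


if __name__ == "__main__":
    # Usage: python carve.py file.bin   (without an argument the constructed sample is used)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    carved = carve_frames(data)
    for index, frame in enumerate(carved):
        with open(f"frame_{index:04d}.jpg", "wb") as out:
            out.write(frame)
    print("frames written:", len(carved))
```

Reading the length from the header, rather than searching for the next blank line or boundary, matters because the image bytes can themselves contain `0D 0A 0D 0A`, as the first constructed frame does.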

### Finding patterns and putting together

<figure><img src="/files/j7zJQzzrTwE46JdgJkFC" alt=""><figcaption></figcaption></figure>

But the whole hex dump is too long, and going through it all would have you saving lots of nearly identical images, which is tedious. So I looked for a detail in the image.

Notice the numbers in the very right corner? The 22-11 means that it's the 11th frame of second 22.

So we know there are several frames within each second, and our goal is to get frames from different seconds of the footage.

<figure><img src="/files/HgYpuvvOrTQOsyjnlyTY" alt=""><figcaption></figcaption></figure>

The highest frame number I got was 14, but I'm not sure whether each second has only 15 frames (I found one that starts from 00).

<figure><img src="/files/2hHYR1IZptSrnwLcSxSD" alt=""><figcaption></figcaption></figure>

To speed up the process, we use what we know and try to get the flag from frames in different seconds.

So in the hex editor we can use the find/search **String** function to find the seconds.

However, the seconds in the hex can differ from those shown on the image because of the frame problem. It's also EXIF data.

<figure><img src="/files/y3wImSwzHPEm2GRe5OaJ" alt=""><figcaption></figcaption></figure>

Here's what I specified: `31:[20, 22, 24, 26, 28, 30, 32, 34, 36, 39, 41]`

I did 2 each and down for like 3 to 5

But 3 works faster

After getting all the images, assemble the text and the flag is yours.

