Spy Cam
Challenge:
Oh no! I found some spyware on my laptop. Can you find out what the attacker saw?
Solution:
I opened the provided packet capture in Wireshark and observed a single HTTP session from 127.0.0.1:60542 -> 127.0.0.1:8081. The session was initiated with a GET request to "/", and the service responded with a large number of TCP segments with the PSH (push) flag set, carrying a stream of JPEG files.
I wrote a simple Zeek script to extract the JPEGs from the pcap and name them by network session timestamps.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Act only once Zeek has sniffed a MIME type, and only for JPEG content,
    # so that non-image responses are not written out with a .jpg extension.
    if ( ! meta?$mime_type || meta$mime_type != "image/jpeg" ) return;

    # Name each extracted file by its source (HTTP) and the network time at
    # which it was seen, so the frames sort in stream order on disk.
    local fname = fmt("%s-%s.%s", f$source, strftime("%s", network_time()), "jpg");
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
Running zeek -Cr capture.pcap spy_cam.zeek extracted thirty JPEGs from the packet capture. After manually reviewing a handful of the extracted JPEGs, it appeared the images were a stream from a camera that was capturing a scrolling digital sign displaying the flag.
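As an added example (not part of the original writeup or its Zeek script), the same frame recovery can be done without Zeek on the reassembled HTTP response body, which a camera stream like this one typically sends as a multipart/x-mixed-replace (MJPEG) body. The carver below walks the JPEG marker structure instead of searching for FFD9, so an EXIF thumbnail embedded in a frame is not mistaken for the frame's end, and a frame truncated at the end of the capture is dropped rather than emitted half-written; the sample body is constructed inline.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn: markers with no length field
ENTROPY_OK = {0x00, *range(0xD0, 0xD8)}  # bytes that may follow 0xFF inside scan data

def jpeg_end(buf, start):
    """Offset just past the EOI of the JPEG whose SOI is at `start`, or None if truncated.
    Segments are skipped by length, so an FFD9 inside an EXIF thumbnail is not the end."""
    pos = start + 2                                   # skip SOI
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            return None                               # expected a marker: corrupt frame
        marker = buf[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker == 0xFF or marker in STANDALONE:    # fill byte, or marker with no payload
            pos += 1 if marker == 0xFF else 2
            continue
        if pos + 4 > len(buf):
            return None
        pos += 2 + struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if marker == SOS:                             # skip entropy-coded data to next marker
            while pos + 1 < len(buf) and not (buf[pos] == 0xFF and buf[pos + 1] not in ENTROPY_OK):
                pos += 1
    return None

def carve_jpegs(body):
    """Every complete JPEG in `body`, in stream order; a truncated tail frame is dropped."""
    frames, pos = [], 0
    while (pos := body.find(b"\xff\xd8\xff", pos)) != -1:
        end = jpeg_end(body, pos)
        if end is None:
            break
        frames.append(body[pos:end])
        pos = end
    return frames

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def sample_frame(with_thumbnail):
    """Constructed JPEG-shaped test frame: valid marker structure, not a viewable image."""
    app1 = _seg(0xE1, b"Exif\x00\x00\xff\xd8\xff\xd9") if with_thumbnail else b""
    scan = _seg(SOS, b"\x01\x01\x00") + b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + _seg(0xE0, b"JFIF\x00") + app1 + scan + b"\xff\xd9"

# Constructed multipart/x-mixed-replace body: two complete frames, then a truncated third.
PART = b"--frame\r\nContent-Type: image/jpeg\r\n\r\n"
SAMPLE_BODY = PART + sample_frame(True) + b"\r\n" + PART + sample_frame(False) + b"\r\n" + PART + sample_frame(False)[:-4]
```

Writing each returned frame to a numbered .jpg file gives the same ordered image set the Zeek script produced, ready for the ffmpeg step.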
Instead of manually reviewing each image, I used ffmpeg to create a movie from all the extracted JPEGs.
$ ffmpeg -framerate 5 -pattern_type glob -i 'HTTP-*.jpg' -c:v libx264 -profile:v high -crf 20 -pix_fmt yuv420p output.mp4
The compiled movie provided the flag.