Plaid CTF 2012 – Torrent

It turns out that robots, like humans, are cheap and do not like paying for their movies and music. We were able to intercept some torrent downloads but are unsure what the file being downloaded was. Can you figure it out?

We’re given a pcap file containing BitTorrent traffic, among which lots of packets containing BitTorrent ‘piece’ data. Let’s use some tshark magic to extract only the relevant data (piece index and data):

tshark -r torrent.pcap -R 'bittorrent.piece.data' -Tfields -e bittorrent.piece.index -e bittorrent.piece.data > pieces

Finally we use a few lines of python to stitch together the pieces

pieces = {}

for line in open('pieces'):
    line = line.strip()

    idx, data = line.split('\t')
    data = data.replace(':','').decode('hex')

        pieces[idx] += data
    except KeyError:
        pieces[idx] = data

pieces = sorted([(int(p[0], 16), p[1]) for p in pieces.items()])

data = ''.join([p[1] for p in pieces])
open('torrent.out', 'wb').write(data)

The resulting file turns out to be a bzip2-compressed tar archive.

$ tar xf torrent.out
$ cat key.txt

{2 Responses to “Plaid CTF 2012 – Torrent”}

  1. Try changing
    open(‘torrent.out’, ‘w’).write(data)
    open(‘torrent.out’, ‘wb’).write(data)
    if you have issues reconstructing the data.