01 May 2012

Plaid CTF 2012 – Torrent

It turns out that robots, like humans, are cheap and do not like paying for their movies and music. We were able to intercept some torrent downloads but are unsure what the file being downloaded was. Can you figure it out?

We’re given a pcap file containing BitTorrent traffic, including many packets that carry BitTorrent ‘piece’ data. Let’s use some tshark magic to extract only the relevant fields (piece index and piece data):

tshark -r torrent.pcap -R 'bittorrent.piece.data' -Tfields -e bittorrent.piece.index -e bittorrent.piece.data > pieces

Finally, we use a few lines of Python to stitch the pieces together:

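#!/usr/bin/python2
# Rebuild the downloaded file from the tshark field dump in 'pieces'.
pieces = {}

for line in open('pieces'):
    line = line.strip()

    # Each row is "<piece index>\t<colon-separated hex bytes>"
    idx, data = line.split('\t')
    data = data.replace(':','').decode('hex')

    # A piece arrives as several blocks; append them in capture order
    try:
        pieces[idx] += data
    except KeyError:
        pieces[idx] = data

# tshark prints the piece index in hex; sort the pieces numerically
pieces = sorted([(int(p[0], 16), p[1]) for p in pieces.items()])

# Concatenate the pieces and write the result as binary
data = ''.join([p[1] for p in pieces])
open('torrent.out', 'wb').write(data)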

The resulting file turns out to be a bzip2-compressed tar archive.


$ tar xf torrent.out
$ cat key.txt
t0renz0_v0n_m4tt3rh0rn
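
The script above appends blocks in capture order, which works for this capture but breaks on retransmitted or out-of-order blocks. The following Python 3 sketch is an added example, not part of the original write-up: it goes further by also reading the block offset, and assumes the dump was produced with an extra `-e bittorrent.piece.begin` column between index and data, printed in hex like the index. The function names and sample rows are constructed for illustration.

```python
#!/usr/bin/env python3
"""Offset-aware reassembly of BitTorrent piece data from a tshark field dump."""

# Constructed sample rows: "<piece index>\t<begin offset>\t<hex bytes>".
# They carry b"PLAIDCTF" as two 4-byte pieces, each sent as two 2-byte blocks.
SAMPLE = [
    "0x00000001\t0x00000002\t54:46",        # piece 1, second block arrives first
    "0x00000000\t0x00000000\t504c",         # newer tshark prints hex without colons
    "0x00000000,0x00000001\t0x00000002,0x00000000\t41:49,44:43",  # two messages, one frame
    "0x00000000\t0x00000000\t50:4c",        # retransmitted block
]

def parse_rows(rows):
    """Yield (piece_index, begin_offset, block_bytes) for every piece message."""
    for row in rows:
        row = row.strip()
        if not row:
            continue
        idx_f, begin_f, data_f = row.split('\t')
        # tshark joins the values with ',' when a frame holds several piece messages
        for idx, begin, data in zip(idx_f.split(','), begin_f.split(','), data_f.split(',')):
            yield int(idx, 16), int(begin, 16), bytes.fromhex(data.replace(':', ''))

def reassemble(rows):
    """Return (payload, gaps); gaps holds (piece, offset) where data is missing."""
    pieces = {}
    for idx, begin, block in parse_rows(rows):
        pieces.setdefault(idx, {})[begin] = block   # duplicate blocks collapse
    payload, gaps = bytearray(), []
    for idx in range(max(pieces) + 1 if pieces else 0):
        if idx not in pieces:
            gaps.append((idx, 0))                   # whole piece never captured
            continue
        offset = 0
        for begin in sorted(pieces[idx]):
            if begin != offset:                     # hole (or overlap) inside the piece
                gaps.append((idx, offset))
            payload += pieces[idx][begin]
            offset = begin + len(pieces[idx][begin])
    return bytes(payload), gaps

if __name__ == "__main__":
    data, gaps = reassemble(SAMPLE)
    print(data, gaps)
```

A non-empty gap list means the capture is incomplete; a truncated final block of a piece cannot be detected this way because the piece length is only known from the .torrent metainfo.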

2 Responses to “Plaid CTF 2012 – Torrent”

  1. Try changing
    open('torrent.out', 'w').write(data)
    to
    open('torrent.out', 'wb').write(data)
    if you have issues reconstructing the data.

    http://security.stackexchange.com/questions/35191/reconstructing-bittorrent-data-from-pcap