Nittaku 3 Star Premium [Network]

Nittaku 3 Star Premium

I found some weird data while monitoring my network, but I didn't catch it all. See if you can make sense of it.


Inspecting the pcap, we see some Base64 traffic in ping replies. If we extract this we get a crippled gz file:

$ tshark -r utctf2020_nittaku.pcap \
    -Y 'icmp.type == 0' \
    -T fields -e data |
    tr -d '\n' | \
    xxd -r -p | \
    tr -d '\n' | \
    base64 -d > file.gz

$ file file.gz
file.gz: gzip compressed data, was "flag.png"

$ gunzip file.gz
gunzip: file.gz: unexpected end of file
gunzip: file.gz: uncompress failed

The file is incomplete, but it was still possible to extract a crippled PNG file from it:



We can craft ICMP echo requests ourselves and download the flag file in chunks. The following Python script builds and sends the packets, incrementing the sequence number (the chunk specifier) on each iteration.

First start a packet dump: sudo tcpdump -n icmp -w foo.pcap

Run the script as root:

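import socket
import struct
from time import sleep

# Missing from this copy of the write-up: whatever followed the sequence
# number in the packet, and the challenge server address.
PAYLOAD = b""
TARGET = ''

for i in range(1, 32):
    # Echo request: type 8, code 0, fixed checksum 0xe4c7, identifier 0x1337,
    # then the sequence number, which selects the chunk to fetch.
    p = bytes.fromhex("0800e4c71337") + \
         struct.pack(">H", i) + \
         PAYLOAD

    # Raw ICMP socket (this is why the script needs root)
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW,
                      socket.IPPROTO_ICMP)

    s.sendto(p, (TARGET, 1))
    data = s.recvfrom(1000000)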

We can then extract data from foo.pcap:

tshark -r foo.pcap \
    -Y 'icmp.type == 0' \
    -T fields -e data | \
    tr -d '\n' | \
    xxd -r -p | \
    tr -d '\n' | \
    base64 -d > file.gz

zcat file.gz > flag.png
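
The same extraction in Python, as an added example that is not part of the original write-up: it orders the reply payloads by ICMP sequence number, drops repeated chunks, and inflates a truncated gzip stream as far as the data goes, which is one way to get the partial PNG from the first capture. The function names and the sample data are constructed for illustration; input rows are assumed to come from `tshark -T fields -e icmp.seq -e data`.

```python
import base64
import binascii
import gzip
import hashlib
import zlib


def reassemble(rows):
    """rows: (icmp_seq, hex_payload) pairs, e.g. parsed from
    `tshark -T fields -e icmp.seq -e data`. Returns the base64 text in
    sequence order, keeping the first copy of any repeated chunk."""
    chunks = {}
    for seq, hex_payload in rows:
        chunks.setdefault(int(seq), binascii.unhexlify(hex_payload.strip()))
    joined = b"".join(chunks[k] for k in sorted(chunks))
    return joined.replace(b"\n", b"")  # same job as the second `tr -d '\n'`


def salvage_gzip(b64_text):
    """Decode base64 and inflate as far as the data goes.
    Returns (bytes_recovered, stream_complete)."""
    usable = len(b64_text) - len(b64_text) % 4  # drop a dangling partial group
    raw = base64.b64decode(b64_text[:usable])
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # expect a gzip wrapper
    return inflater.decompress(raw), inflater.eof


def constructed_rows(chunk_len=50):
    """Constructed sample: a stand-in 'file', gzipped, base64-encoded and
    split into numbered chunks the way the echo replies carry it."""
    original = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(200))
    b64 = base64.b64encode(gzip.compress(original))
    rows = [(n + 1, b64[i:i + chunk_len].hex())
            for n, i in enumerate(range(0, len(b64), chunk_len))]
    return original, rows


if __name__ == "__main__":
    original, rows = constructed_rows()
    partial = rows[: len(rows) // 2]  # a capture that missed the tail
    data, complete = salvage_gzip(reassemble(reversed(partial + partial[:3])))
    print(f"recovered {len(data)} of {len(original)} bytes, complete={complete}")
```

Unlike `gunzip`, which stops with "unexpected end of file", the streaming inflater returns everything decoded before the cut and reports through `eof` whether the gzip trailer was reached.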