[ASIS CTF] Sky Blue Writeup


Why is the sky blue?


We are given a PCAP file containing some Bluetooth traffic. The flag has probably been transmitted between the devices. Let’s see what files has been sent.

[Megabeets]$: binwalk -e blue.pcap

40535         0x9E57          PNG image, 1400 x 74, 8-bit colormap, non-interlaced

Binwalk found a PNG image but couldn’t export it. I opened Wireshark and searched for the string “PNG” in the packet bytes. I found the 7 packets containing the PNG and exported their packet bytes (i.e Only the DATA, without the header bytes of each packet: 02 0C 20 FC 03 F8 03 47 00 63 EF E6 07). I then concatenated the output files using HxD,


and deleted the extra data preceding the PNG file header.


We now have the PNG file which is the flag:



7 thoughts on “[ASIS CTF] Sky Blue Writeup

  1. dakine

    no matter what I did my PNG was always corrupted and I was not able to open it 🙁
    I did exact steps as in your wtire-up but I still get the same negative results 🙁

    • Megabeets

      Did you delete the extra bytes in the beginning? If so, try open the file with MSPaint or view the thumbnail in explorer, it should work.
      You can also upload the file and send me a link so I can look at it.
      ~ Itay

  2. dakine

    I did deleted the the beginning bytes. Did you deleted the last line of each data file containing:
    “0400 0e .”
    this is the my hex extract from pcap: http://pastebin.com/GJHd4M5u
    I use xxd -r -p to convert to binary (it should be the same as HxD for win)

    the png that I get is all messed up (but it opens in windows, not linux) not too sure how to send png file to you

  3. bih

    What is the program you use to concatenated file? I found 7 packets but I cant concatenate it (try to use hjsplit). I’m just a newbie

    • Megabeets

      Hi, as said in the post I used HxD, it’s my preferred Hex editor and it has concatenate feature.
      In the menu click on Extras > File tools > Concatenate

      Look at the comments above, and be sure to fully understand what in the packet is the headers and what is the image.
      Feel free to ask any question you have.

      And by the way, ASIS CTF was about a month ago, how did you got to this just now?

      • bih

        Thank you for your help. As i said i’m just a newbie so i’m finding the old forensic exams to understand and know what need to do in the next ctf event.

Leave a Reply

Your email address will not be published. Required fields are marked *