TryHackMe Security Footage—Writeup
Hey everyone, welcome back to my writeup! In this one, I’ll be walking you through how I solved the Security Footage challenge from TryHackMe, step-by-step. It was a fun and interesting challenge that involved diving into network traffic and figuring out how to extract and analyze some hidden data. I’ll share the tools and techniques I used along the way. Stick around as we go through it together and piece everything together!
Analyzation
In this challenge, we're given a pcap file. Let’s fire up Wireshark and start analyzing the traffic.
The traffic here looks like a mix of different packets, but the challenge description did mention something about footage from a camera. Given that, it's safe to assume there's likely a video hidden somewhere in all this data. Our task is to sift through it and figure out how to extract it.
Let me ask you something: When you send or upload a video, do you think it's transmitted in its entirety all at once in the traffic?
Most of you would probably think the answer is yes — that when you send or upload a video, it’s transmitted in its entirety all at once, just like you see it in its final form. But that’s not how it works. Instead, when you send or upload a video over a network, whether it's through a streaming platform, an upload to a server, or even via a simple peer-to-peer connection, the video is actually broken down into many smaller pieces called packets.
Think of a packet like a puzzle piece — each packet contains a small chunk of the video’s data, and each packet is labeled with important information like where it belongs in the sequence and where it’s going. These packets are then sent over the network individually. Due to the nature of the internet, these packets might travel through different routes or arrive at slightly different times. This is all part of the process of packet-switched networks.
Once all the packets reach their destination, the system on the receiving end reassembles them into the original video. This process is handled by protocols like TCP/IP for reliability or UDP for faster, but less reliable transmission. The system makes sure that the packets are re-ordered correctly, any lost packets are retransmitted, and everything lines up properly to recreate the original video file or stream.
So, although it seems like the video is being sent in one go, in reality, it's a series of smaller chunks, each making its way across the network to be reassembled later. This method allows videos (and large files in general) to be sent efficiently over a network, without the need to wait for the entire file to be ready to send before transmitting.
This process is part of how the internet can handle large amounts of data and transmit it quickly, whether it’s a video, a webpage, or any kind of media. It also means that if you’re trying to analyze or reconstruct data from network traffic, you’ll need to work with these fragmented pieces of data and figure out how to put them back together.
And that’s exactly what we’re trying to do here — collect all the fragments and piece them back together. However, doing this manually is simply impractical. There are far too many packets to sift through by hand, and the process would be incredibly time-consuming. Instead, we’ll rely on programming to do the heavy lifting for us. By automating the extraction and reconstruction of these fragmented pieces, we can efficiently gather the video data from the network traffic, and ultimately reassemble it into something usable. This is where our coding skills come into play — helping us save time and avoid errors while tackling challenges like this.
import re
import os
import subprocess
# Step 1: Read PCAP binary and extract JPEG frames
with open('security_footage.pcap', 'rb') as f:
data = f.read()
# JPEG SOI (start) = \xff\xd8, EOI (end) = \xff\xd9
matches = re.findall(b'\xff\xd8.*?\xff\xd9', data, re.DOTALL)
# Ensure frame output directory exists
os.makedirs("frames", exist_ok=True)
print(f"[+] Found {len(matches)} JPEG frames.")
# Save each frame
for i, jpeg in enumerate(matches):
with open(f'frames/frame_{i:04d}.jpg', 'wb') as out:
out.write(jpeg)
print("[+] Frames saved to 'frames/' directory.")
# Step 2: Use ffmpeg to combine into a video
subprocess.run([
"ffmpeg",
"-framerate", "10",
"-i", "frames/frame_%04d.jpg",
"-c:v", "libx264",
"-pix_fmt", "yuv420p",
"output_video.mp4"
])
print("[+] Video saved as 'output_video.mp4'")Run and it will collect all the frames and merge them using ffmpeg (ensure that ffmpeg is installed on your system).
As you can see, the video has been saved, and it’s now a compilation of all the frames we’ve gathered.
At this point, we've successfully solved Security Footage!
In this challenge, we explored how to extract hidden video data from a packet capture (pcap) file. By analyzing the network traffic and identifying fragmented video frames, we were able to use programming to automate the extraction and reassembly process. With the help of tools like Wireshark and ffmpeg, we successfully retrieved the video, piecing together all the frames to reveal the hidden footage. This exercise not only sharpened our skills in network traffic analysis but also demonstrated the power of automation in handling large amounts of data. By leveraging programming, we avoided the inefficiencies of manual extraction and made the process much more efficient.
Last updated