# Insecure Webcam - HKUST Firebird CTF 2024
###### ~~guide from someone more confused than you~~
> Recently, one of my friends bought a new webcam from TaoBao (ㆀ˘・з・˘)
>
> He said the webcam is safe to use ... but I can capture the packets sent from his webcam ( ºΔº )
>
> Can you prove him wrong by recovering the video? ( •́ὤ•̀)
>
> [capture.pcapng](https://ash-files.firebird.sh/18/capture.pcapng)
>
> Author: a1668k | Tags: Forensics
## Initial thoughts and observations
My task is to recover a video from the given file. From my extensive experience (I did one other CTF), I can tell `.pcapng` is a network capture file from Wireshark. So, I go over to the website to download it, _again._
On first opening the file, I see a lot of RTP and TCP and a few RTSP packets only in the beginning. I also see a lot of `[ACK]`s in the info, so I act like I know what is going on and deduce that the camera is probably streaming the video somewhere, and those packets are being acknowledged. High school networking knowledge is coming to use.
I do a quick string search of common keywords, like "flag," "key," "pass," "fire (bird)," but nothing comes up. I right-click on a random packet, then follow. It seems most of the packets are already here, and perhaps the `ACK` packets were left out. The convo seems pretty one-sided; it starts with an initial setup convo, which was short, and then the rest of the 974 bytes sent by the camera for a video, which means I already have everything I need, _so convenient and easy._
## Trauma
About 1-2 hours after searching for tutorials on Wireshark video recovery and learning nothing, I had the radical idea of looking at the `follow TCP stream` tab and saw `Server: gortsplib`. Searching for it on Google brings you to the [GitHub repo](https://github.com/bluenviron/gortsplib). I spent another hour trying to understand Go and reversing the decoding function, after which I gave up and went back to searching, now for ways to decode RTSP/RTP streams.
## Solution
I finally came across this [Stack Overflow post](https://stackoverflow.com/questions/42564983/how-to-convert-rtpdump-video-file-to-mp4) outlining how to replay an rtpdump file using a program called `rtpplay` from `rtptools` (searched for "rtpplay rtpdump") and `ffmpeg`. Searching for `rtptools` brings a few results: their GitHub page, where you have to build the program yourself, and a few ancient websites that either no longer work or have broken download links for Windows binaries. So I open the download websites using the Wayback Machine and finally get the program.
I also quickly got the RTP dump: `Telephony -> RTP -> Streams -> Select the single visible stream -> Export`
Before I tried it on my file, I tried the example given in the post.
Steps:
1. Download the [`narwhals-audio.rtpdump`](https://github.com/jitsi/jitsi-hammer/raw/master/resources/narwhals-audio.rtpdump) and [`narwhals-video.rtpdump`](https://github.com/jitsi/jitsi-hammer/raw/master/resources/narwhals-video.rtpdump) files from the Stack Overflow post (or just click mine, it's whatever).
1. Create a `narwhals.sdp` file and save the following:
   ```
   v=0
   c=IN IP4 127.0.0.1
   m=video 4646 RTP/AVP 96
   a=rtpmap:96 VP8/90000
   m=audio 4848 RTP/AVP 97
   a=rtpmap:97 opus/48000
   ```
1. Copy and paste the following commands into separate cmd prompts, but do not run them yet:
   ```
   ffmpeg -v warning -protocol_whitelist file,udp,rtp -f sdp -i narwhals.sdp -copyts -c copy -y narwhals.mkv
   ```
   and
   ```
   rtpplay -T -f narwhals-video.rtpdump 127.0.0.1/4646 & rtpplay -T -f narwhals-audio.rtpdump 127.0.0.1/4848
   ```
1. Quickly execute `ffmpeg` and then the `rtpplay` commands.
1. After a bit, you get a documentary on narwhals.
Now that I knew it worked, it was only a matter of replacing the above steps with the appropriate data.
For the first part, we need to retrieve SDP information about the file. Looking back into the `Follow TCP Stream` tab, we see something familiar in one of the packets,
```
RTSP/1.0 200 OK
CSeq: 3
Content-Base: rtsp://10.211.55.6:8554/firebird_secure/
Content-Length: 172
Content-Type: application/sdp
Server: gortsplib

v=0
o=- 0 0 IN IP4 127.0.0.1
s=Stream
c=IN IP4 0.0.0.0
t=0 0
m=video 0 RTP/AVP 96
a=control:rtsp://10.211.55.6:8554/firebird_secure/trackID=0
a=rtpmap:96 VP8/90000
```
The content type is SDP, so this is exactly what we needed. Funnily enough, we do not need to change the `narwhals.sdp`; all the important data are the same, namely `a=rtpmap:96 VP8/90000` which says the file is using the `VP8` codec. IDK what 96 means. Here is a [website](https://webrtchacks.com/wp-content/themes/parament/custom-pages/sdp/65.html) explaining it.
> a=rtpmap:100 VP8/90000
>
> This line says that VP8 is assigned to payload type 100. It will mean that the value of the Payload Type field of the RTP packets containing VP8 video frames within this session will be 100.
The second part is easy; just rename my dump file to `narwhals-video.rtpdump`.
Repeat the last two steps again, and we will have a video of the two parts of the flag spinning and swimming(?) and bubbles floating(?). ~~It's almost as if the author knew I'd be too lazy to change the commands.~~
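
The first part can also be scripted. The Python below is an added example, not part of the original writeup or the challenge: it takes the DESCRIBE response shown above, checks the SDP body against the declared `Content-Length`, and emits the local SDP that `ffmpeg` reads. The function names and the 4646 starting port (taken from `narwhals.sdp`) are choices made for this example.

```python
# DESCRIBE response from the capture above, CRLF line endings restored.
DESCRIBE = """RTSP/1.0 200 OK
CSeq: 3
Content-Base: rtsp://10.211.55.6:8554/firebird_secure/
Content-Length: 172
Content-Type: application/sdp
Server: gortsplib

v=0
o=- 0 0 IN IP4 127.0.0.1
s=Stream
c=IN IP4 0.0.0.0
t=0 0
m=video 0 RTP/AVP 96
a=control:rtsp://10.211.55.6:8554/firebird_secure/trackID=0
a=rtpmap:96 VP8/90000
""".replace("\n", "\r\n")

def sdp_body(response):
    """Return the SDP body, refusing a body shorter or longer than Content-Length."""
    head, _, body = response.partition("\r\n\r\n")
    hdrs = dict(l.lower().split(": ", 1) for l in head.split("\r\n")[1:])
    if int(hdrs["content-length"]) != len(body.encode()):
        raise ValueError("truncated or padded body; re-check stream reassembly")
    return body

def parse_media(sdp):
    """One dict per m= line: kind, transport, payload types, {payload type: encoding}."""
    media = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            kind, _port, proto, *pts = line[2:].split()
            media.append({"kind": kind, "proto": proto, "pts": pts, "rtpmap": {}})
        elif line.startswith("a=rtpmap:") and media:
            pt, enc = line[9:].split(None, 1)
            media[-1]["rtpmap"][int(pt)] = enc
    return media

def local_sdp(media, port=4646):
    """SDP for ffmpeg: same payload types, but listening on local replay ports."""
    out = ["v=0", "c=IN IP4 127.0.0.1"]
    for m in media:
        out.append(f"m={m['kind']} {port} {m['proto']} {' '.join(m['pts'])}")
        out += [f"a=rtpmap:{pt} {enc}" for pt, enc in m["rtpmap"].items()]
        port += 2  # assumption of this example: one even port per track
    return "\n".join(out) + "\n"

print(local_sdp(parse_media(sdp_body(DESCRIBE))), end="")
```

The output is the video half of `narwhals.sdp`, which is why that file works unchanged for this capture.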