Adobe Illustrator Cc 2014 -x-force--packet-dada- (Recent — 2025)
| Step | Action | Tool(s) |
|------|--------|----------|
| 1 | Identify file as AI/PDF hybrid | file, strings |
| 2 | Extract PDF portion | dd (skip to %%BeginDocument:) |
| 3 | Locate embedded stream | pdf-parser.py -s |
| 4 | Decompress stream (Flate) | zcat |
| 5 | Recognise raw IPv4 packets | manual inspection |
| 6 | Wrap raw data into a PCAP header | small Python script |
| 7 | Open with Wireshark → view TCP payload | Wireshark |
| 8 | Base64‑decode key, view HTTP request/response | base64, Wireshark |
| 9 | Extract flag from HTTP response | tshark -Y "frame contains \"XFORCE{\"" |
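
Step 6 of the table, as an added example (not the script from the original write-up): it assumes the decompressed stream is nothing but back-to-back raw IPv4 packets, splits them on each header's Total Length field, and writes them as a classic pcap with link type 101 (LINKTYPE_RAW) so Wireshark starts dissection at the IP header. The function names, the `sample.pcap` output name and the sample packets are constructed for illustration.

```python
import struct

LINKTYPE_RAW = 101  # pcap link type: each record starts directly at the IP header

def split_ipv4_packets(blob: bytes) -> list[bytes]:
    """Split back-to-back raw IPv4 packets using each header's Total Length."""
    packets, off = [], 0
    while off < len(blob):
        if len(blob) - off < 20:
            raise ValueError(f"truncated IPv4 header at offset {off}")
        version, ihl = blob[off] >> 4, (blob[off] & 0x0F) * 4
        total_len = struct.unpack_from("!H", blob, off + 2)[0]
        if version != 4 or ihl < 20 or total_len < ihl:
            raise ValueError(f"not an IPv4 header at offset {off}")
        if off + total_len > len(blob):
            raise ValueError(f"packet at offset {off} runs past end of data")
        packets.append(blob[off:off + total_len])
        off += total_len
    return packets

def build_pcap(packets: list[bytes]) -> bytes:
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for i, pkt in enumerate(packets):
        # Timestamps are synthetic (one second apart); the raw blob carries none.
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

def sample_packet(payload: bytes) -> bytes:
    """Constructed test input: 20-byte IPv4 header (proto 6, checksum 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

if __name__ == "__main__":
    # Constructed blob, not the challenge data.
    blob = sample_packet(b"A" * 12) + sample_packet(b"B" * 30)
    with open("sample.pcap", "wb") as fh:
        fh.write(build_pcap(split_ipv4_packets(blob)))
```

The zeroed IP checksum in the constructed packets only affects Wireshark's checksum validation, not the splitting or the pcap framing.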
```
$ file packet-dada.ai
packet-dada.ai: data
```
file cannot recognise the format – it just reports “data”.
```
$ strings packet-dada.ai | head
Adobe Illustrator 10.0 Document
%PDF-1.4
...
```
A quick strings run shows two things:
So the file is a valid PDF (or a PDF‑compatible AI file) that also contains something else.
Adobe Illustrator CC 2014, released in 2014 as part of Adobe's Creative Cloud suite, is a professional vector graphic design tool. Its popularity has made it a frequent target for unauthorized distribution groups aiming to bypass Adobe's licensing protections. One such group is X-Force, a well-known underground community historically associated with software piracy. The term "Packet Dada" likely refers to a misheard or misinterpreted reference to tools or methods tied to such groups.
The challenge supplies a single file named packet-dada.ai. The file extension suggests an Adobe Illustrator (AI) document, but the content is not a normal vector graphic – it is a binary blob that appears to be a captured network packet (PCAP‑like) wrapped inside an AI container.
The goal is to extract the hidden payload and recover the flag in the usual format:
XFORCE...
Using tshark to export the HTTP data:
```
$ tshark -r packet-dada.pcap -Y http -V > http.txt
```
Inside http.txt we see:
```
GET /flag HTTP/1.1
Host: challenge.xforce.local
X-XFORCE-Key: SECRET_FOARD_FOKEY
```
So the packet is simulating a request to a remote service that would return the flag if the correct key is supplied.
Since we cannot contact the remote service, the challenge creators embedded the response in the same packet as an HTTP response following the request (a “full duplex” capture). Indeed, after the request there is a second TCP segment with:
```
HTTP/1.1 200 OK
Content-Type: text/plain
XFORCEp4ck37_15_4n_1llu5i0n
```
The response is clearly present in the packet capture.