Tags: pcap forensics icmp 

Rating: 4.0

# Incredibly_Covert_Malware_Procedures

This challenge was a nice one, we were given a pcap file(incident.pcap) with the following description and we are asked to find the flag.

![DESC](https://i.ibb.co/YZctsPL/icmp0.png)

The pcap had some dns packet and alot of icmp ones, with this remark and from the title of the challenge we can guess that the challenge is about sending files using icmp protocol wich is one of the techniques malwares use to exfiltrate data since alot of firewalls permit ICMP traffic.

To find the exfiltrated data, we need to apply some filters to only leave us with icmp request packets. After that we exported the file(exported.pcap).

![filters](https://i.ibb.co/LPBPFWg/icmp-wireshark.png)

After investigating the packets for some time we noticed that the file had a PNG signature. So now, we just need to figure out the offset of data we are interested in, wich can be noticed by checking the ICMP data.
I used tshark and python for this:
```sh
$ tshark -r incident.pcap -T fields -e data > data.txt
```

```python
with open('data.txt') as d:
for _ in d:
print (_[16:48])
```
And with this output, we can get ou image using xxd:
```sh
cat final_data.txt | xxd -r -p > icmp_flag.png
```
![flag](https://i.ibb.co/Fmpx4zZ/icmp-flag.png)

Original writeup (https://github.com/5h3r10ck/CTF_Writeups/tree/master/H%40ctivitycon_writeups/Incredibly_Covert_Malware_Procedures).