Tags: steganography forens wireshark steghide 


This forensics challenge provides a pcapng (packet capture) file.

First, I ran strings on the file and grepped the output for a few keywords.
One try was successful:

$ strings sus_agent.pcapng | grep "secret"
Content-Disposition: form-data; name="files[]"; filename="secret.jpg"
GET /image%2Fjpeg/-7187713563020247385/secret.jpg HTTP/1.1

Then, I opened the file in Wireshark, and used this filter:

http contains "secret"

Indeed, I found the desired packet. I followed the HTTP stream and found this string:

After decoding it from base64 to ASCII, I got this:

I assumed that this must be a password for something.

I looked for more interesting data in Wireshark using this filter:


And I found a GET request for a picture named welcome.jpg.
I downloaded the file (follow the HTTP stream, switch "Show data as" to Raw, Save as, then delete the HTTP headers that precede the image data so the saved file starts with the JPEG magic bytes FF D8 FF), and tried some basic steganography techniques on it (strings, stegsolve).
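The header-stripping step above is easy to get wrong by hand (one byte too many or too few and the image will not open, and steghide will refuse the file). The script below is an added example, not part of the original writeup, that does the same carving programmatically: it drops the headers of a captured HTTP response, truncates the body to Content-Length so bytes from the next response on a reused connection are not kept, checks the JPEG magic, and also pulls the file part out of a multipart/form-data upload like the one that carried secret.jpg. The HTTP messages and the "JPEG" in it are constructed stand-ins, not bytes from sus_agent.pcapng.

```python
"""Carve file bodies out of captured HTTP messages (added example, not the
writeup author's code). All sample bytes below are constructed stand-ins."""
import re

JPEG_MAGIC = b"\xff\xd8\xff"  # SOI marker every JPEG starts with


def split_http_message(raw: bytes):
    """Split a raw HTTP message into (start line, lowercase header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def carve_response_body(raw: bytes) -> bytes:
    """Return the entity body of an HTTP response.

    Programmatic equivalent of "save raw, delete the headers": everything up to
    the blank line is dropped and the body is cut at Content-Length, so trailing
    bytes from a later response on the same TCP connection are not kept.
    """
    start, headers, body = split_http_message(raw)
    if not start.startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    if b"content-length" in headers:
        body = body[: int(headers[b"content-length"].decode())]
    return body


def carve_multipart_files(raw: bytes):
    """Yield (filename, bytes) for each file part of a multipart/form-data POST."""
    _, headers, body = split_http_message(raw)
    m = re.search(rb'boundary="?([^";]+)"?', headers.get(b"content-type", b""))
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    boundary = b"--" + m.group(1)
    for part in body.split(boundary)[1:]:
        if part.strip() in (b"", b"--"):  # closing "--boundary--" marker
            continue
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        fn = re.search(rb'filename="([^"]*)"', part_head)
        if fn:
            # The CRLF before the next boundary belongs to the framing, not the file.
            if part_body.endswith(b"\r\n"):
                part_body = part_body[:-2]
            yield fn.group(1).decode(), part_body


def looks_like_jpeg(data: bytes) -> bool:
    """True if the carved bytes start with the JPEG SOI marker."""
    return data.startswith(JPEG_MAGIC)


# --- constructed samples (stand-ins for welcome.jpg and the secret.jpg upload) ---
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0" + b"\x00" * 12 + b"\xff\xd9"

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: image/jpeg\r\n"
    + b"Content-Length: " + str(len(SAMPLE_JPEG)).encode() + b"\r\n"
    + b"\r\n"
    + SAMPLE_JPEG
    + b"HTTP/1.1 404 Not Found\r\n\r\n"  # next response on a reused connection
)

BOUNDARY = b"----WebKitFormBoundaryCONSTRUCTED"
SAMPLE_UPLOAD = (
    b"POST /upload HTTP/1.1\r\n"
    + b"Host: example.invalid\r\n"
    + b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    + b"\r\n"
    + b"--" + BOUNDARY + b"\r\n"
    + b'Content-Disposition: form-data; name="files[]"; filename="secret.jpg"\r\n'
    + b"Content-Type: image/jpeg\r\n"
    + b"\r\n"
    + SAMPLE_JPEG + b"\r\n"
    + b"--" + BOUNDARY + b"--\r\n"
)

if __name__ == "__main__":
    body = carve_response_body(SAMPLE_RESPONSE)
    print("response body:", len(body), "bytes, jpeg:", looks_like_jpeg(body))
    for name, data in carve_multipart_files(SAMPLE_UPLOAD):
        print("upload part:", name, len(data), "bytes, jpeg:", looks_like_jpeg(data))
```

Note that the unstripped stream does not start with FF D8 FF, which is exactly the check to run on whatever you save from Wireshark before feeding it to steghide.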

Then, I remembered that I got a password before, so I tried to use steghide on the file (welcome.jpg):

steghide extract -sf welcome.jpg

And entered the password I had obtained earlier (ihopeyoudidnottriedtobruteforceit).

A file named "foryou" was extracted, and it contained the flag!

flag: Trollcat{this_challenge_was_easy_right???}