Tags: steganography forens wireshark steghide
Rating:
This forensics challenge provides a pcapng (packet capture) file.
First, I ran strings on the file and grepped for some keywords.
One try was successful:
```
$ strings sus_agent.pcapng | grep "secret"
Content-Disposition: form-data; name="files[]"; filename="secret.jpg"
GET /image%2Fjpeg/-7187713563020247385/secret.jpg HTTP/1.1
```
Then, I opened the file in Wireshark, and used this filter:
```
http contains "secret"
```
Indeed, I found the desired packet. I followed the HTTP stream and found this string:
aWhvcGV5b3VkaWRub3R0cmllZHRvYnJ1dGVmb3JjZWl0
After decoding it from base64 to ASCII, I got this:
ihopeyoudidnottriedtobruteforceit
I assumed that this must be a password for something.
I looked for more interesting data in Wireshark using this filter:
```
http.request
```
And I found a GET request to a picture named welcome.jpg.
I downloaded the file (in the followed stream: switch to raw data, Save as, then delete the request headers), and tried some basic steganography techniques on it (strings, stegsolve).
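As an added example (not part of the original writeup), the two manual steps above, carving the image body out of a followed HTTP stream and decoding the base64 string, done in Python. The stream dump below is constructed; the real JPEG bytes are replaced by a short stand-in that starts with the JPEG magic.

```python
import base64
import re

# Constructed sample of what "Follow TCP Stream" (raw) shows for the welcome.jpg
# response: status line, headers, blank line, body, then the next request that
# shares the same TCP stream (which must NOT end up in the saved image).
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0" + b"\x00" * 6 + b"\xff\xd9"   # 12-byte JPEG stand-in
    + b"GET /next HTTP/1.1\r\n"                       # trailing data from the stream
)

JPEG_MAGIC = b"\xff\xd8\xff"
# 20+ base64 alphabet characters with optional padding, like the token in the writeup.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def carve_http_body(stream: bytes) -> bytes:
    """Return the body of the first HTTP message in a raw stream dump.

    Same result as "Save as raw" plus deleting the headers by hand, but it honours
    Content-Length so bytes from the next message in the stream are not kept.
    """
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no HTTP header terminator found")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # [0] is the status/request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = headers.get(b"content-length")
    return rest[: int(length)] if length is not None else rest


def is_jpeg(data: bytes) -> bool:
    """Quick sanity check that the carved body really is a JPEG."""
    return data.startswith(JPEG_MAGIC)


def decode_base64_tokens(text: str) -> list[str]:
    """Find base64-looking tokens and return those decoding to printable ASCII."""
    found = []
    for tok in BASE64_TOKEN.findall(text):
        padded = tok + "=" * (-len(tok) % 4)      # restore padding if it was stripped
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:                         # binascii.Error is a ValueError
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found
```

Running `is_jpeg(carve_http_body(SAMPLE_STREAM))` confirms the carve; `decode_base64_tokens` applied to the followed stream text recovers the password without hand-decoding it.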
Then, I remembered that I got a password before, so I tried to use steghide on the file (welcome.jpg):
```
steghide extract -sf welcome.jpg
```
I entered the password I got before (ihopeyoudidnottriedtobruteforceit), and a file named "foryou" was extracted.
This file contained the flag!
flag: Trollcat{this_challenge_was_easy_right???}