Tags: steganography forens wireshark steghide 

This forensics challenge provides a pcapng (packet capture) file.

First, I ran strings on the file and grepped for a few likely keywords.
One try was successful:

```
$ strings sus_agent.pcapng | grep "secret"
Content-Disposition: form-data; name="files[]"; filename="secret.jpg"
GET /image%2Fjpeg/-7187713563020247385/secret.jpg HTTP/1.1
```

Then, I opened the file in Wireshark, and used this filter:

```
http contains "secret"
```

The filter matched the packet I was after. I followed the HTTP stream and found this string:
aWhvcGV5b3VkaWRub3R0cmllZHRvYnJ1dGVmb3JjZWl0

Decoding it from base64 to ASCII gives:
ihopeyoudidnottriedtobruteforceit

I assumed this must be a password for something.

I looked for more interesting data in Wireshark using this filter:

```
http.request
```

There I found a GET request for a picture named welcome.jpg.
I downloaded the file from the followed stream (show the data as Raw, Save as, then delete the HTTP headers that precede the image so the file starts at the JPEG SOI marker FF D8; Wireshark's File > Export Objects > HTTP saves the same object with the headers already stripped) and tried some basic steganography techniques on it (strings, stegsolve).
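The two manual steps above, pulling a base64 token out of a followed stream and carving the file body out of a raw HTTP response, can be scripted. The following is an added example, not part of the original writeup and not tied to the challenge capture: it runs over a constructed stream (a hand-built JPEG stub with only valid SOI/EOI markers, plus a form field carrying the base64 token from the writeup), splits each response at the blank line, honours Content-Length so the saved body is exactly the object and nothing more, and decodes any base64-looking run that yields printable ASCII.

```python
import base64
import binascii
import re

# Constructed sample, not from the challenge pcap: a minimal JPEG-like blob
# (valid SOI ... EOI markers only) served over HTTP, followed by a POST whose
# body carries the base64 token seen in the writeup.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"

SAMPLE_STREAM = (
    b"GET /welcome.jpg HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
    b"Content-Length: " + str(len(JPEG_STUB)).encode() + b"\r\n\r\n"
    + JPEG_STUB
    + b"POST /note HTTP/1.1\r\nHost: example.test\r\nContent-Length: 49\r\n\r\n"
    b"note=aWhvcGV5b3VkaWRub3R0cmllZHRvYnJ1dGVmb3JjZWl0"
)

# A status line starts a response; a request line also contains "HTTP/1.1"
# but is never followed by a space and a three-digit status code.
STATUS_LINE = re.compile(rb"HTTP/1\.[01] \d{3} ")


def carve_http_body(stream: bytes, content_type_prefix: bytes = b"image/"):
    """Return the body of the first response whose Content-Type starts with
    the given prefix, or None.  This is what 'save as Raw, delete the headers'
    does by hand in Wireshark, with Content-Length bounding the object."""
    pos = 0
    while True:
        m = STATUS_LINE.search(stream, pos)
        if m is None:
            return None
        hdr_end = stream.find(b"\r\n\r\n", m.start())
        if hdr_end == -1:
            return None
        fields = {}
        for line in stream[m.start():hdr_end].split(b"\r\n")[1:]:
            key, _, value = line.partition(b":")
            fields[key.strip().lower()] = value.strip()
        body_start = hdr_end + 4
        length = int(fields.get(b"content-length", b"0"))
        body = stream[body_start:body_start + length]
        if fields.get(b"content-type", b"").startswith(content_type_prefix):
            return body
        pos = body_start + length  # skip this response, look for the next


def is_jpeg(data: bytes) -> bool:
    """Cheap sanity check that the carved object is a whole JPEG (SOI ... EOI)."""
    return data[:2] == b"\xff\xd8" and data[-2:] == b"\xff\xd9"


def find_base64_candidates(data: bytes, min_len: int = 20):
    """Return (token, decoded) pairs for base64-looking runs of at least
    min_len characters whose decoding is printable ASCII.  Missing padding is
    tolerated; binary-looking decodings are dropped as false positives."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    found = []
    for m in pattern.finditer(data):
        token = m.group(0)
        padded = token + b"=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue
        if decoded and all(32 <= b < 127 for b in decoded):
            found.append((token, decoded))
    return found


def analyse(stream: bytes = SAMPLE_STREAM):
    """Carve the first image object and collect decodable base64 tokens."""
    return carve_http_body(stream), find_base64_candidates(stream)


if __name__ == "__main__":
    body, candidates = analyse()
    print("carved %d bytes, JPEG: %s" % (len(body), is_jpeg(body)))
    for token, decoded in candidates:
        print(token.decode(), "->", decoded.decode())
```

On a real capture, feed the function the bytes saved from Wireshark's Follow TCP Stream (Raw) instead of the constructed sample; the base64 scan is deliberately loose and will surface false positives on long identifiers, which the printable-ASCII filter removes in most cases.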

Then I remembered the password I had found earlier and tried steghide on the file (welcome.jpg):

```
steghide extract -sf welcome.jpg
```

When prompted, I entered the password from before (ihopeyoudidnottriedtobruteforceit); steghide also accepts the passphrase non-interactively via its -p option.

A file named "foryou" was extracted.
It contained the flag!

flag: Trollcat{this_challenge_was_easy_right???}