Viewing the Protocol statistics in Wireshark, we see that the majority of the PCAP is FTP traffic. Applying the filter `ftp || ftp-data` allows us to view only the FTP traffic. Scrolling through we see multiple files being moved, and one of them is called `butter.jpg` (packets 313 and 314). If we right click on one of these `STOR` requests, then click `Follow -> TCP Stream` we can see the file contents. Change `Show data as` to `Raw`, then save the image with `Save as...`. The flag is in the image.

## Flag
**flag{u_p4ss_butt3r}**

Original writeup (https://malcrypt.gitlab.io/blog/ctfs/2021/tenable/forensics/hacker_exposed/#challenge-1-25).