# The SUM of All FEARS
 

## Details

>After hacking a victim's computer, Luciafer downloaded several files, including two binaries with identical names, but with the extensions .exe and .bin (a Windows binary and a Linux binary, respectively).
>
>What are the MD5 hashes of the two tool programs? Submit both hashes as the flag, separated by a |: flag{ExeMD5|BinMD5}
>
>Use the PCAP from LYTTON LABS 01 - Monstrum ex Machina.
---

This time we filter the packet capture by `ftp-data`


Scrolling through the packets we can see;


First we select one of the packets relating top the file `lytton-crypt.exe` and `Follow TCP Stream`;


Then we change the data to be in `RAW` format


And click the `Save as...` button saving the file as `lytton-crypt.exe`

We then repeat the process for the `lytton-crypt.bin` file.

Select one of the packets relating top the file `lytton-crypt.bin` and `Follow TCP Stream`;

Then we change the data to be in `RAW` format

And click the `Save as...` button saving the file as `lytton-crypt.bin`

Now we have both files exported, we can run;

```
❯ md5sum lytton-crypt.*
8a84e7153aa083b66cd89c652bef27da lytton-crypt.bin
9cb9b11484369b95ce35904c691a5b28 lytton-crypt.exe
```

## flag{9cb9b11484369b95ce35904c691a5b28|8a84e7153aa083b66cd89c652bef27da}

Original writeup (https://github.com/CTSecUK/DEADFACE_CTF_2021/blob/main/Write-ups/Traffic%20Analysis/The%20SUM%20of%20All%20FEARS%20(50%20Points).md).