Tags: pcap stego 

Rating: 2.3

On the downloaded image, run `stegseek --seed` to verify if there is steghide data embedded within the image. Eventually, this will give us confirmation that there *is* data inside. Running `stegseek --crack` on the image (using rockyou, although I used the [weakpass_3](https://weakpass.com/) wordlist) will eventually stumble upon an embedded zip file.

The zip file's magic bytes have been changed to those of an ELF binary, which is obviously incorrect. Fix the header bytes back to those of a standard ZIP file, and then unzip it. If done correctly, it *should* give us two files: a PCAP file and a "flag.jpg" file.

Running `stegseek --seed` again shows us that the flag.jpg file also has embedded data, but this time it will not reveal itself with the wordlist. This tells us that we are going to have to find the correct password somewhere else, which is where the extracted PCAP file comes into play.

Opening the PCAP file will, on the surface, present us with seemingly innocuous data. However, if we take a closer look at the title (I C More Packets), it gives us a hint: its initials spell **ICMP**, the abbreviation of a specific protocol, namely the **Internet Control Message Protocol**. If we filter the PCAP for packets using *only* ICMP and take a closer look at them, the data carried between them (when chained together) spells out a "flag". This "flag" can then be used as the passphrase on our flag.jpg file (using steghide) to extract the *actual* flag.
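The two mechanical steps above (restoring the ZIP signature and chaining the ICMP payloads) as an added Python example; this is not part of the original writeup. It assumes the tampered archive only had its first four bytes overwritten with the ELF magic, and that the capture is a classic pcap with Ethernet/IPv4 framing; the sample capture is constructed inline for testing.

```python
import struct

ZIP_MAGIC = b"PK\x03\x04"   # ZIP local file header signature
ELF_MAGIC = b"\x7fELF"      # what the challenge overwrote it with (assumed: only these 4 bytes)

def fix_zip_magic(data: bytes) -> bytes:
    """Put the ZIP signature back on a file whose first four bytes read as an ELF header."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("first four bytes are not an ELF magic; nothing to fix")
    return ZIP_MAGIC + data[4:]

def icmp_payloads(pcap: bytes) -> list:
    """Return the ICMP data fields of a classic pcap (Ethernet/IPv4), in capture order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    out, off = [], 24                     # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # need Ethernet + IPv4 header
            continue
        ihl = (frame[14] & 0x0F) * 4       # IPv4 header length in bytes
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != 1:                 # IPv4 protocol field: 1 = ICMP
            continue
        ip = frame[14:14 + total_len]
        out.append(ip[ihl + 8:])           # 8-byte ICMP header, then the data field
    return out

def chained_icmp_data(pcap: bytes) -> bytes:
    """Concatenate the ICMP data fields; echo replies repeat the request data, so dedupe if both were captured."""
    return b"".join(icmp_payloads(pcap))

def build_sample_pcap(chunks, decoy=b"noise") -> bytes:
    """Constructed capture: one UDP decoy packet, then one ICMP echo request per chunk."""
    def frame(proto, l4):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4
        pkt = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip     # dst MAC, src MAC, IPv4
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    cap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    cap += frame(17, struct.pack("!HHHH", 1234, 53, 8 + len(decoy), 0) + decoy)
    for seq, chunk in enumerate(chunks):
        cap += frame(1, struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + chunk)
    return cap
```

Run `chained_icmp_data(open("capture.pcap", "rb").read())` on the extracted capture; the decoded bytes are what you hand to steghide as the passphrase.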