Tags: pcap forensics stego
# Dino Trading - Forensics (100 pts)
## Description
> I love trading dinosaurs with my friends! I'm sure nobody can see what we're sending, because otherwise, my dinosaurs might get taken.
### Provided files
download.pcap - a packet capture file \[[download](https://ctfnote.shinmai.wtf:31337/files/downloadFile?id=wfllUG6RztzKhyy)\]
## Ideas and observations
1. the capture is fairly short and only seems to contain 3 streams:
    1. an FTP session
    2. a reverse FTP data connection
    3. the actual FTP data transfer
2. the FTP session seems normal, as does the file transfer procedure
## Notes
1. the transferred file `epicfight.jpg` can be exported from Wireshark with `File -> Export Objects -> FTP-DATA`
2. `exiftool` doesn't immediately return anything useful, so we'll just toss the file at [stegoveritas](https://github.com/bannsec/stegoVeritas)
    - there's a steghide payload in the results: `d2N0Znthbl8xbWFnZV9pbl9hX3BlZWNhcF9iNjR9`
3. I was REALLY tired at this point and legit didn't recognise it as base64? Luckily there are good tools out there, so we toss the string at [ares](https://github.com/bee-san/Ares) along with the flag format: `ares -t 'd2N0Znthbl8xbWFnZV9pbl9hX3BlZWNhcF9iNjR9' -r "^wctf\{.*\}"`:
![](https://ctfnote.shinmai.wtf:31337/pad/uploads/e3f22ff4-3f6a-4fc6-9690-ee8cc579ad2d.jpg)
`wctf{an_1mage_in_a_peecap_b64}`
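As an added example (not part of this writeup, and not the output of Wireshark, stegoveritas or ares), the script below does the two mechanical steps of the solve without a GUI: it walks a libpcap file, reassembles the TCP stream that carries the FTP-DATA transfer (ordering segments by sequence number and dropping a retransmission), recognises the JPEG by its magic bytes, and finally base64-decodes the steghide payload and checks it against the flag format. The pcap bytes are constructed inline (a stand-in JPEG body, fake addresses, port 20 as the data port) so it runs offline; only the base64 string and the flag regex come from the writeup.

```python
"""Reassemble an FTP data connection from a pcap by hand, then decode the
base64 steghide payload against the flag format. Constructed example data."""
import base64
import re
import struct

JPEG_MAGIC = b"\xff\xd8\xff"


def build_pcap(stream_chunks):
    """Construct a minimal little-endian libpcap file (test data only): one
    Ethernet/IPv4/TCP packet per (seq, payload) chunk, all in one stream
    from 10.0.0.2:20 to 10.0.0.1:50000. Checksums are left at zero."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for seq, payload in stream_chunks:
        tcp = struct.pack("!HHIIBBHHH", 20, 50000, seq, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # zeroed MACs, EtherType IPv4
        out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def tcp_streams(pcap):
    """Return {(src, sport, dst, dport): {seq: payload}} for a LE Ethernet pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expects a little-endian pcap with Ethernet link type")
    streams = {}
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":                   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                    # not TCP
            continue
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload:                                   # pure ACK / handshake
            continue
        key = (ip[12:16], sport, ip[16:20], dport)
        # First copy of a segment wins; a retransmission with the same seq is ignored.
        streams.setdefault(key, {}).setdefault(seq, payload)
    return streams


def reassemble(segments):
    """Concatenate segments in sequence order, trimming bytes that overlap
    data already emitted (partial retransmissions)."""
    data, expected = b"", None
    for seq in sorted(segments):
        chunk = segments[seq]
        end = seq + len(chunk)
        if expected is not None and seq < expected:
            chunk = chunk[expected - seq:]
        data += chunk
        expected = end if expected is None else max(expected, end)
    return data


def extract_jpeg(pcap):
    """Return the reassembled payload of the first stream that carries a JPEG."""
    for segs in tcp_streams(pcap).values():
        blob = reassemble(segs)
        if blob.startswith(JPEG_MAGIC):
            return blob
    return None


def decode_flag(b64_text, pattern=r"^wctf\{.*\}"):
    """Base64-decode the steghide payload; return it only if it matches the flag format."""
    try:
        decoded = base64.b64decode(b64_text, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if re.match(pattern, decoded) else None


# Constructed sample: a fake JPEG split into three segments, delivered out of
# order and with the first segment retransmitted once.
FAKE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF" + b"<constructed jpeg body>" + b"\xff\xd9"
CHUNKS = [(1008, FAKE_JPEG[8:16]), (1000, FAKE_JPEG[:8]),
          (1016, FAKE_JPEG[16:]), (1000, FAKE_JPEG[:8])]
SAMPLE_PCAP = build_pcap(CHUNKS)
STEGHIDE_PAYLOAD = "d2N0Znthbl8xbWFnZV9pbl9hX3BlZWNhcF9iNjR9"   # from the writeup

if __name__ == "__main__":
    jpeg = extract_jpeg(SAMPLE_PCAP)
    print("recovered %d bytes, intact: %s" % (len(jpeg), jpeg == FAKE_JPEG))
    print("flag:", decode_flag(STEGHIDE_PAYLOAD))
```

On a real capture, replace `SAMPLE_PCAP` with the contents of `download.pcap`; the parser only handles the classic little-endian pcap format (not pcapng) and IPv4 without options, which is enough for the capture described above.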