Tags: pcap forensics stego 


# Dino Trading - Forensics (100 pts)

## Description
> I love trading dinosaurs with my friends! I'm sure nobody can see what we're sending, because otherwise, my dinosaurs might get taken.

### Provided files
download.pcap - a packet capture file \[[download](https://ctfnote.shinmai.wtf:31337/files/downloadFile?id=wfllUG6RztzKhyy)\]

## Ideas and observations
1. the capture is fairly short and only seems to contain 3 streams:
1. an FTP session
2. a reverse FTP data connection
3. the actual FTP data transfer
2. the FTP session seems normal, as does the file transfer procedure

## Notes
1. the transferred file `epicfight.jpg` can be exported from Wireshark with `File -> Export Objects -> FTP-DATA`
2. `exiftool` doesn't immediately return anything usefull, so we'll just toss the file at [stegoveritas](https://github.com/bannsec/stegoVeritas)
- there's a steghide payload in the results `d2N0Znthbl8xbWFnZV9pbl9hX3BlZWNhcF9iNjR9`
3. I was REALLY tired at this point and legit didn't recognise it sa base64 ? Luckily there are good tools out there, we toss the string at [ares](https://github.com/bee-san/Ares) along with the flag format `ares -t 'd2N0Znthbl8xbWFnZV9pbl9hX3BlZWNhcF9iNjR9' -r "^wctf\{.*\}"`:


Original writeup (https://gist.github.com/shinmai/5720d1f0a214d0878cfb530eb975c469#dino-trading---forensics-100-pts).