Tags: pcap forensics wireshark stegseek 

Rating:

**Description**

I love trading dinosaurs with my friends! I'm sure nobody can see what we're sending, because otherwise, my dinosaurs might get taken.

**Knowledge required:**

1) Wireshark for analyzing the PCAP
2) Stegseek for finding out the password needed for the hidden file extraction
3) Base64 encoding

**Solution:**

1) Download the PCAP and open it in Wireshark
2) As the file is rather small, we can easily observe that it is an FTP transfer of an image
3) By following the TCP stream and saving the file as raw data, we now have the JPG that was transferred
4) Using stegseek with the rockyou password list, we can identify the password used for hiding the file and extract it
```
stegseek 2.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "hidden.txt".
[i] Extracting to "2.jpg.out".

```
5) The file contains the base64 encoded flag
```
cat 2.jpg.out
d2N0Znthbl8xbWFnZV9pbl9hX3BlZWNhcF9iNjR9

echo d2N0Znthbl8xbWFnZV9pbl9hX3BlZWNhcF9iNjR9 | base64 -d
wctf{an_1mage_in_a_peecap_b64}
```
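Steps 1 to 5 can also be scripted, which is useful when the capture is larger than this one or when you want a repeatable pipeline. The example below is added here and is not part of the original writeup: it parses a classic little-endian pcap, reassembles each one-directional TCP stream by sequence number (dropping retransmissions, tolerating out-of-order arrival), carves the JPEG between the SOI and EOI markers, and finally base64-decodes the recovered text the same way `base64 -d` did. The capture itself is constructed inline so it runs offline; the only value taken from the page is the base64 string in `hidden.txt`. The steghide extraction is not replicated, since that needs the real image and the tool.

```python
"""Reassemble an FTP data transfer from a PCAP, carve the JPEG, decode the base64 flag.
Added example; the pcap below is constructed test data, not the challenge file."""
import base64
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with PSH|ACK; checksums left zero (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap frames in a minimal pcap container (constructed; stands in for the challenge file)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield each captured frame from a little-endian pcap file."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6:                                    # IP protocol 6 = TCP
        return None
    src, dst = frame[26:30], frame[30:34]
    tcp = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + data_off:14 + total_len]        # ignore Ethernet trailer/padding
    return (src, sport, dst, dport), seq, payload


def reassemble_streams(pcap):
    """One-directional TCP streams keyed by 4-tuple, ordered by sequence number.
    Same-seq retransmissions are dropped; 32-bit wrap-around is ignored (fine for a small capture)."""
    segments = defaultdict(dict)
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg and seg[2]:
            key, seq, payload = seg
            segments[key].setdefault(seq, payload)
    return {key: b"".join(parts[s] for s in sorted(parts)) for key, parts in segments.items()}


def carve_jpeg(data):
    """Slice from the SOI marker (FF D8 FF) to the last EOI marker (FF D9); None if absent."""
    start = data.find(b"\xff\xd8\xff")
    end = data.rfind(b"\xff\xd9")
    if start < 0 or end < start:
        return None
    return data[start:end + 2]


def extract_jpeg_from_pcap(pcap):
    """Scripted equivalent of 'Follow TCP Stream -> Save as raw' on the FTP-DATA stream."""
    for stream in reassemble_streams(pcap).values():
        jpeg = carve_jpeg(stream)
        if jpeg:
            return jpeg
    return None


def decode_b64_flag(text):
    """Step 5: the extracted hidden.txt is a single base64 line."""
    return base64.b64decode(text.strip()).decode()


# Constructed capture: an FTP RETR on the control channel plus an out-of-order, partly
# retransmitted data stream carrying a minimal fake JPEG (JFIF header, filler, EOI).
CLIENT, SERVER = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) + b"\xff\xd9"
_half = len(FAKE_JPEG) // 2
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 49152, 21, 1000, b"RETR 2.jpg\r\n"),
    build_frame(SERVER, CLIENT, 20, 49153, 1 + _half, FAKE_JPEG[_half:]),  # second half arrives first
    build_frame(SERVER, CLIENT, 20, 49153, 1, FAKE_JPEG[:_half]),
    build_frame(SERVER, CLIENT, 20, 49153, 1, FAKE_JPEG[:_half]),          # retransmission
])
HIDDEN_TXT = "d2N0Znthbl8xbWFnZV9pbl9hX3BlZWNhcF9iNjR9\n"   # hidden.txt content quoted in the writeup

if __name__ == "__main__":
    jpeg = extract_jpeg_from_pcap(SAMPLE_PCAP)
    print(f"carved {len(jpeg)} bytes, intact: {jpeg == FAKE_JPEG}")
    print(decode_b64_flag(HIDDEN_TXT))
```

On the real challenge file you would replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` and write the carved bytes to `2.jpg` before running stegseek; the point of carving on markers rather than trusting the raw stream is that Ethernet padding or a trailing FTP control message would otherwise end up inside the saved image and can break the steghide container check.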

**Unsuccessful attempts:**
Since I did not know about *stegseek* at the start of the challenge, I spent a lot of time trying other tools like *stegsolve* and *steghide* to analyze the file. But in the process, after some research, I managed to do it.