<h1>Nested</h1>

There are too many bytes to be a simple transfer... can you investigate this?
dump.7z

Hints

1. Take a look at the source format and continue making y**our guess**es
2. gzsteg

Downloading dump.7z archive. It contains only one *.pcap file. Open it in Wireshark.


Nothing special. Let's search other file signatures in dump.pcap.

Opening dump.pcap in BLESS (or other HEX-editor). In this file we have a chance to find 7zip signature.


You should copy bytes from a 7zip signature (37 7a dc ..) to the end of file. And paste them into a new file with 7z-extention. To example d.7z.
Running command:

`7za x d.7z`

Extracting files.


Looking at extracted files: each.jpg and other.zip helps us to suppose that this files are dependent from each other.

After that we are looking for steganography utilities and remmeber task hint (y**our guess**es), so we understand that OutGuess is needed.

OutGuess installing.

Running command:

`outguess -k "other" -r each.jpg hidden.txt`


Password for the other.zip:


Extracting file is a gz-archive.


At this moment you should remember the 2d hint - gzsteg. This is a name of stegapower patch for gzip (v 1.2.4).
Downloading the source code, patching that with gzsteg-patch.

```
patch -c < patch1
patch -c < patch2
patch -c < patch3
```

Patch adds new option to standard gzip: "-s" or "--steg", which provides hiding/revealing of files into archive.

With the next command extracting hidden file:

`gzip -cds hide.txt hide.gz`

There is flag in hide.txt.


Original writeup (https://github.com/yogamaya/VolgaCTF_Quals_2017/blob/master/Nested%20(english)/readme.md).