Tags: forensics 

**Task**

Find the transferred file

[challenge.pcapng](https://s3.amazonaws.com/hackim18/misc/pcap/challenge.pcapng)

-----

**Solution**

Let's open `challenge.pcapng` in Wireshark. Obvious, eh? ;)

First we'll check Statistics -> Protocol Hierarchy

![](https://github.com/ambalabanov/writeups/raw/master/nullcomHackIM2018/Misc2/statistics.jpg)

Ok, we see some HTTP conversations. We can download all the transferred files

![](https://github.com/ambalabanov/writeups/raw/master/nullcomHackIM2018/Misc2/objects.png)

These two, `follem.JPG` and `metloof.JPG`, look interesting enough

![](https://github.com/ambalabanov/writeups/raw/master/nullcomHackIM2018/Misc2/metloof.JPG)

Interesting enough to look inside with `stegdetect`. `metloof.JPG` has something archived in it

![](https://github.com/ambalabanov/writeups/raw/master/nullcomHackIM2018/Misc2/stegdetect.png)

Let's extract the file with `binwalk`

![](https://github.com/ambalabanov/writeups/raw/master/nullcomHackIM2018/Misc2/binwalk.png)

And inside the archive we found `e2fc7ad1c912c04b0247cb9a710e82cd.txt` with the contents `Flag isn't here!`

Ok. Wrong call. The other files transferred via HTTP had nothing interesting either.

Let's see other conversations in `challenge.pcapng`

Nothing unusual in DNS & NTP, but ICMP looks odd

![](https://github.com/ambalabanov/writeups/raw/master/nullcomHackIM2018/Misc2/icmp.png)

We can use `tshark` to dump the ICMP echo-request payloads as binary data

`tshark -Y "(data.len==2 ) && (icmp.type == 8)" -T fields -r challenge.pcapng -e data | xxd -r -p |xxd -r -p > bin.dat`

The resulting `bin.dat` seems to be an archive, and the file `flag.txt` is inside!
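As an added example (not part of the original writeup), the same extraction in Python on a constructed capture: IPv4/ICMP packets are built in memory, echo requests carrying exactly two bytes are selected just as the `tshark` filter does, and the hex layer is decoded. Only one hex decode is needed here, because the first `xxd -r -p` in the command above merely undoes tshark's own hex rendering of the `data` field; the second undoes the ASCII hex the packets actually carry. The addresses, ICMP id and secret are constructed sample values.

```python
import struct

def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_icmp(icmp_type: int, seq: int, payload: bytes) -> bytes:
    """Constructed IPv4+ICMP packet (no link layer); IP checksum left 0 for the demo."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp

def icmp_echo_payloads(packets, data_len=2):
    """Same selection as the tshark filter: echo requests (type 8) carrying data_len bytes."""
    out = []
    for pkt in packets:
        if pkt[9] != 1:            # IP protocol 1 = ICMP
            continue
        icmp = pkt[(pkt[0] & 0x0F) * 4:]   # skip the IP header (IHL in 32-bit words)
        payload = icmp[8:]                 # ICMP echo header is 8 bytes
        if icmp[0] == 8 and len(payload) == data_len:
            out.append(payload)
    return out

def reassemble(packets) -> bytes:
    """Join the fragments in capture order and decode the ASCII hex they carry."""
    joined = b"".join(icmp_echo_payloads(packets))
    return bytes.fromhex(joined.decode("ascii"))

def constructed_capture(secret: bytes):
    """Constructed sample: one ordinary ping pair plus the covert echo requests."""
    pkts = [build_ipv4_icmp(8, 1, b"\x00" * 56), build_ipv4_icmp(0, 1, b"\x00" * 56)]
    hexed = secret.hex().encode("ascii")   # channel carries two hex chars per packet
    for i in range(0, len(hexed), 2):
        pkts.append(build_ipv4_icmp(8, 100 + i // 2, hexed[i:i + 2]))
    return pkts

if __name__ == "__main__":
    sample = constructed_capture(b"hackim18{constructed_sample}")
    print(reassemble(sample))
```

On a real capture, feed `reassemble()` the IPv4 packets in capture order and check the first bytes of the result for an archive signature before trying to unpack it.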

![](https://github.com/ambalabanov/writeups/raw/master/nullcomHackIM2018/Misc2/tar.png)

Flag: `hackim18{'51mpL3st_Ch4ll3ng3_s0lv3d'}`

-----

You can also use [CyberChef](https://gchq.github.io/CyberChef/) to check the binary file

Just paste in the file dumped with `tshark` and cook it with the right 'recipe'

![](https://github.com/ambalabanov/writeups/raw/master/nullcomHackIM2018/Misc2/cyberchef.png)

Original writeup (https://github.com/ambalabanov/writeups/tree/master/nullcomHackIM2018/Misc2).