Analyzing the pcap, we saw something strange in the ICMP packets, and after examining their “type” we realized there was a GIF header, so we extracted all the ICMP types with “ip.src = 10.136.255.127” and obtained a GIF file with the flag “flag{we_ride_at_midnight}”.
Command:
tshark -r data.pcap -Y 'icmp and !(ip.src==10.136.255.127 and ip.src==128.227.236.205) and ip.src==10.136.255.127' -x | grep "0020" | cut -d" " -f5 | sed ':a;N;$!ba;s/\n//g' | xxd -r -p > output.gif
Note: The extraction can also be done with "scapy".
By @fikih888
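Added example (not part of the original write-up): the same extraction as the tshark pipeline above, done with the Python standard library instead of scapy, so it runs without extra packages. It assumes a classic little- or big-endian pcap with Ethernet framing; `icmp_type_bytes`, `looks_like_gif` and `build_sample_pcap` are names chosen here, and the sample capture is constructed.

```python
import socket
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")

def icmp_type_bytes(pcap: bytes, src_ip: str) -> bytes:
    """Concatenate the ICMP type byte of every IPv4/ICMP frame sent by src_ip."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    want = socket.inet_aton(src_ip)
    out = bytearray()
    pos = 24  # first record header follows the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        if frame[23] != 1 or frame[26:30] != want or len(frame) <= 14 + ihl:
            continue  # not ICMP, wrong source, or no ICMP header captured
        out.append(frame[14 + ihl])  # ICMP type: first byte after the IP header
    return bytes(out)

def looks_like_gif(data: bytes) -> bool:
    """True when the reassembled bytes start with a GIF signature."""
    return data.startswith(GIF_MAGICS)

def build_sample_pcap(packets) -> bytes:
    """Constructed capture: one Ethernet/IPv4/ICMP frame per (src_ip, icmp_type)."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, icmp_type in packets:
        # Checksums are left at zero; the destination address is a placeholder.
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         socket.inet_aton(src), socket.inet_aton("192.0.2.1"))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + bytes([icmp_type]) + b"\x00" * 7
        blob += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return blob
```

To use it on the challenge file, pass the bytes of data.pcap and "10.136.255.127" to `icmp_type_bytes` and write the result to output.gif.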