> For the complete documentation index, see [llms.txt](https://encient.gitbook.io/ctf-writeups-and-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://encient.gitbook.io/ctf-writeups-and-notes/ctf-platform/skr-ctf/forensics/shark-of-wire-2.md).

# Shark of Wire 2

## Description

I lose my network data again... Luckily I always got a [backup pcap file!](https://drive.google.com/open?id=1sX_y8kohgr17fx9c0_lCe3z_7vCdZd6y) Please help me find my "flag" its important!

Note: *There were some stego and crypto elements*

Attachment: `network_data.pcap`

## Solution

<figure><img src="/files/lWutzdKAjPrFKOUamwbH" alt=""><figcaption></figcaption></figure>

When looking at the protocol hierarchy, we can see that there is HTTP protocol, and it seems like there are some data and media going through.

<figure><img src="/files/5uRmZ27bmd3hl2j9TU3y" alt=""><figcaption></figcaption></figure>

Let us try to filter the HTTP traffic and see what was happened. We can see that there are some JPG and GIF files in the traffic.

<figure><img src="/files/mhLqg4zDWX7EssjFZ5Sr" alt=""><figcaption></figcaption></figure>

Export the objects (HTML, JPG, GIF) from the pcap.

<figure><img src="/files/c6Ad0DMmTAxH3JP61TF2" alt=""><figcaption></figcaption></figure>

You can choose one by one and click `Save` to save it, or you can click `Save All` to save everything at once.

<figure><img src="/files/c5C5GRLwx4iXqJmqzMFj" alt=""><figcaption></figcaption></figure>

Analyze the objects and see what is inside. In `flag.html`, there is a username and password, the password is `ilovebinwalk` which kind of giving us a hint where we can use `binwalk` to analyze the JPG and GIF files. `binwalk` is a tool that is very useful to analyze files to check if there is any embedded files inside them. After using `binwalk` for all the files, we can see that `s3cr3t_fl4g.jpg` has a zip file embedded inside, and we can extract it out.

```
binwalk -e s3cr3t_fl4g.jpg
```

<figure><img src="/files/quqaZV4LNdMVCFTqKbCk" alt=""><figcaption></figcaption></figure>

We can use `file` command to identify the file type, then use `unzip` to unzip the zip file. Note that I used `mv` command to change the file name (so that it looks nicer and more understandable). Once unzip using the password `ilovebinwalk` that can be found in `flag.html`, we will get a JPG image named `mystery_letter.jpg`.

<figure><img src="/files/t1ga3Zk7SNUDFpFysCWA" alt=""><figcaption></figcaption></figure>

From `mystery_letter.jpg`, we were given hint about `steghide` and there is a note which looks like a cipher in the last line. Since the question mentioned that there is crypto element, we can try to decipher it.

<figure><img src="/files/sCG1mmuAueohsN8M30VP" alt=""><figcaption></figcaption></figure>

Go to [CyberChef](https://gchq.github.io/CyberChef/) to figure out what is the cipher about and decode it. CyberChef is a tool normally used for cryptographic operations in CTF such as decoding and decrypting. The cipher looks like Caesar Cipher so I chose to use ROT13 brute force. The decoded message is "Password is H4ck3r5t3g", which seems to be the password for `steghide`.

<figure><img src="/files/5PwmtYX7giCEOi6KHaNO" alt=""><figcaption></figcaption></figure>

Use the command above for `steghide` to extract the embedded image with the given passphrase `H4ck3r5t3g`.

<figure><img src="/files/ILdTM9ItDE7o3GvxPt0s" alt=""><figcaption></figcaption></figure>

The flag given in `flag.jpg` consists of numbers, and we can put into CyberChef again to identify the cipher and get the output as flag.
