# Shark of Wire 2

## Description

I lost my network data again... Luckily I always have a [backup pcap file!](https://drive.google.com/open?id=1sX_y8kohgr17fx9c0_lCe3z_7vCdZd6y) Please help me find my "flag", it's important!

Note: *There were some stego and crypto elements*

Attachment: `network_data.pcap`

## Solution

<figure><img src="https://3139068166-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5otAmBnHXiDB0QXOOAMF%2Fuploads%2F4JM031wcCAKl0dDJlgyf%2Fshark-of-wire-2-1.png?alt=media&#x26;token=d85d6cf4-1e4f-42df-ac6f-c901e71adf79" alt=""><figcaption></figcaption></figure>

Looking at the protocol hierarchy, we can see HTTP traffic, and it seems that some data and media files are being transferred.

<figure><img src="https://3139068166-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5otAmBnHXiDB0QXOOAMF%2Fuploads%2FpHiA4naUiInNjUoVWJ7M%2Fshark-of-wire-2-2.png?alt=media&#x26;token=c41cc39d-2a25-4351-b8ad-ce37ac049328" alt=""><figcaption></figcaption></figure>

Let us filter the HTTP traffic and see what happened. We can see that there are some JPG and GIF files in the traffic.

<figure><img src="https://3139068166-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5otAmBnHXiDB0QXOOAMF%2Fuploads%2FBQAyGORmCacuz2NvBsVa%2Fshark-of-wire-2-3.png?alt=media&#x26;token=31ba98a0-691c-4268-ba6c-cf7160e130e7" alt=""><figcaption></figcaption></figure>

Export the objects (HTML, JPG, GIF) from the pcap.

<figure><img src="https://3139068166-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5otAmBnHXiDB0QXOOAMF%2Fuploads%2FQvz7FhswIFwnw5WLKWAD%2Fshark-of-wire-2-4.png?alt=media&#x26;token=c7a7f0e4-da36-4179-a8fb-3b7c06abacdb" alt=""><figcaption></figcaption></figure>

You can choose one by one and click `Save` to save it, or you can click `Save All` to save everything at once.

<figure><img src="https://3139068166-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5otAmBnHXiDB0QXOOAMF%2Fuploads%2FWSXa9ySFwlxkx6MftOsJ%2Fshark-of-wire-2-5.png?alt=media&#x26;token=4d589ae3-2326-454f-9de6-c65f27939c3c" alt=""><figcaption></figcaption></figure>

Analyze the objects and see what is inside. In `flag.html`, there is a username and a password; the password is `ilovebinwalk`, which hints that we can use `binwalk` to analyze the JPG and GIF files. `binwalk` is a tool for scanning a file for the signatures of other files embedded inside it. After running `binwalk` on all the files, we can see that `s3cr3t_fl4g.jpg` has a zip file embedded inside, which we can extract.

```
binwalk -e s3cr3t_fl4g.jpg   # -e extracts the embedded files that binwalk identifies
```

<figure><img src="https://3139068166-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5otAmBnHXiDB0QXOOAMF%2Fuploads%2FIUfelhLFeD8lWDQwi4ar%2Fshark-of-wire-2-6.png?alt=media&#x26;token=2d69a1e9-fb69-4d5f-8f93-87595facfc9e" alt=""><figcaption></figcaption></figure>

We can use the `file` command to identify the file type, then `unzip` to extract the zip file. Note that I used `mv` to rename the file (so that it looks nicer and is easier to understand). Once unzipped with the password `ilovebinwalk` found in `flag.html`, we get a JPG image named `mystery_letter.jpg`.
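To show what `binwalk -e` is doing under the hood, here is an added example (not part of the original writeup) that scans a JPEG for a ZIP local-file header after the end-of-image marker, carves the archive, and reads its members in memory; the sample JPEG and archive are constructed inline, and `pwd` is the hypothetical hook for a ZipCrypto password such as the one in `flag.html`.

```python
import io
import zipfile
from typing import Dict, Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # ZIP local file header signature


def find_appended_zip(data: bytes) -> int:
    """Offset of a ZIP local-file header after the JPEG end-of-image marker,
    or -1 if nothing is appended. Same idea as binwalk's signature scan,
    reduced to the two magics this challenge needs. Caveat: a JPEG with an
    EXIF thumbnail contains an earlier EOI, so this scans from the first one."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    eoi = data.find(JPEG_EOI, len(JPEG_SOI))
    if eoi == -1:
        return -1
    return data.find(ZIP_LOCAL_HEADER, eoi + len(JPEG_EOI))


def carve_zip(data: bytes) -> bytes:
    """Return the trailing archive bytes, the same carving `binwalk -e` does."""
    off = find_appended_zip(data)
    if off == -1:
        raise ValueError("no embedded ZIP after the JPEG image data")
    return data[off:]


def extract_all(data: bytes, pwd: Optional[bytes] = None) -> Dict[str, bytes]:
    """Open the carved ZIP in memory and return {member name: content}.
    `pwd` covers legacy ZipCrypto archives (what `unzip -P` accepts); the
    standard library cannot read AES-encrypted ZIPs."""
    with zipfile.ZipFile(io.BytesIO(carve_zip(data))) as zf:
        return {name: zf.read(name, pwd=pwd) for name in zf.namelist()}


def build_sample() -> bytes:
    """Constructed input: a minimal JPEG (SOI, JFIF APP0 segment, EOI) with a
    ZIP holding a stand-in mystery_letter.jpg appended, like s3cr3t_fl4g.jpg."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg = JPEG_SOI + app0 + JPEG_EOI  # 22 bytes, so the ZIP starts at offset 22
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mystery_letter.jpg", JPEG_SOI + b"hint: steghide" + JPEG_EOI)
    return jpeg + buf.getvalue()
```

Calling `extract_all(open("s3cr3t_fl4g.jpg", "rb").read(), pwd=b"ilovebinwalk")` on the real file would return the unzipped `mystery_letter.jpg` bytes without touching disk.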

<figure><img src="https://3139068166-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5otAmBnHXiDB0QXOOAMF%2Fuploads%2FBwTJIfpOM0vWcKuZC2LC%2Fshark-of-wire-2-7.png?alt=media&#x26;token=79a617b5-e8e9-431b-b5e9-20ab175b6732" alt=""><figcaption></figcaption></figure>

`mystery_letter.jpg` gives us a hint about `steghide`, and its last line contains a note that looks like a cipher. Since the challenge mentioned a crypto element, we can try to decipher it.

<figure><img src="https://3139068166-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5otAmBnHXiDB0QXOOAMF%2Fuploads%2FVbIhKTkAlFmNiCtCe2zu%2Fshark-of-wire-2-8.png?alt=media&#x26;token=8a56cb46-85e0-4a90-a3cc-9206889a098c" alt=""><figcaption></figcaption></figure>

Go to [CyberChef](https://gchq.github.io/CyberChef/) to identify the cipher and decode it. CyberChef is a tool commonly used in CTFs for encoding, decoding and other cryptographic operations. The cipher looks like a Caesar cipher, so I chose the ROT13 brute force operation. The decoded message is "Password is H4ck3r5t3g", which seems to be the passphrase for `steghide`.
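As an added example (not from the writeup), the following reproduces the ROT13 brute force step and ranks the 26 candidate plaintexts with a small English-word heuristic so the right shift surfaces first; `SAMPLE_CIPHER` is constructed by ROT13-encoding the decoded message above, since the original note is only visible in the screenshot.

```python
import string
from typing import List, Tuple

# Small word list; enough to rank the 26 Caesar candidates for a short note.
COMMON_WORDS = {"the", "is", "a", "and", "to", "of", "password", "flag", "key"}


def rot(text: str, shift: int) -> str:
    """Shift A-Z and a-z by `shift`; digits and punctuation pass through,
    which is why the digits in H4ck3r5t3g are unchanged by the cipher."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> int:
    """Crude plaintext heuristic: number of words found in COMMON_WORDS."""
    words = (w.strip(string.punctuation) for w in text.lower().split())
    return sum(1 for w in words if w in COMMON_WORDS)


def brute_force(cipher: str) -> List[Tuple[int, str]]:
    """All 26 (shift, candidate) pairs, best-scoring first. CyberChef's
    'ROT13 Brute Force' prints the same rows; the sort picks the likely one."""
    candidates = [(s, rot(cipher, s)) for s in range(26)]
    return sorted(candidates, key=lambda c: english_score(c[1]), reverse=True)


def best_guess(cipher: str) -> Tuple[int, str]:
    """Shift and plaintext of the highest-scoring candidate."""
    return brute_force(cipher)[0]


# Constructed ciphertext: the note's plaintext from the writeup, ROT13-encoded.
SAMPLE_CIPHER = "Cnffjbeq vf U4px3e5g3t"

if __name__ == "__main__":
    for shift, plain in brute_force(SAMPLE_CIPHER)[:3]:
        print(f"shift {shift:2d}: {plain}")
```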

<figure><img src="https://3139068166-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5otAmBnHXiDB0QXOOAMF%2Fuploads%2FSuOEVakwvuGJrG3lBd1W%2Fshark-of-wire-2-9.png?alt=media&#x26;token=05d0d4c4-d85a-4fc0-92ee-d9dab1fb0033" alt=""><figcaption></figcaption></figure>

Use the `steghide` command shown in the screenshot above to extract the embedded image with the passphrase `H4ck3r5t3g`.

<figure><img src="https://3139068166-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5otAmBnHXiDB0QXOOAMF%2Fuploads%2FV06C2mmxa2Q5tcjg2OKw%2Fshark-of-wire-2-10.png?alt=media&#x26;token=07cb2a8f-420f-4a87-95c9-82d6f1e60177" alt=""><figcaption></figcaption></figure>

The flag in `flag.jpg` consists of numbers; put them into CyberChef again to identify the encoding, and the decoded output is the flag.
