Question:
We have captured a file being transferred over the network, can you take a look and see if you can find anything useful?
https://cgames-files.allyourbases.co/nm01.zip
Hint: External tools like CyberChef can help decode the data.
Download & extract the file. You’ll see named “nm01.pcapng“
Open the pcap file using Wireshark. Usually, I sort frame with large “Length” number and view the content.
On Frame 4 – right click – click “Follow” – click “TCP stream”
hmm.. this “SecurePa55word8!” seems interesting. I tried to submit it as flag, but it says wrong..
So, I viewed another large frame, on Frame 26. I saw there’s string “7z“. I thought, it could be a 7z file. I took the hex number; “37 7a” & search on Google. Based on this site – https://www.filesignatures.net/index.php?page=search&search=377ABCAF271C&mode=SIG, it is confirm that this is indeed a 7z file.
So, on the same frame 26, right click and follow TCP stream. It will show you the stream/content of it. At bottom of the stream, on options “Show and save data as“, change it to “Raw”.
Click “Save as…” and save it as name you like – in this example, I’ll name it as “7out“.
When I open the file, there’s folder named “FLAG” and inside it contain file named “Flag.txt”. It’s password protected when we tried to view it.
So, maybe we can use the string/password that we discover earlier:
It works! The flag is “capturing_clouds_and_keys” .