Question:

We have captured a file being transferred over the network, can you take a look and see if you can find anything useful?

https://cgames-files.allyourbases.co/nm01.zip

Hint: External tools like CyberChef can help decode the data.

Download and extract the file. You’ll see a file named “nm01.pcapng”.

Open the pcap file using Wireshark. Usually, I sort the frames by “Length”, largest first, and view the content of the large ones.

On Frame 4 – right click – click “Follow” – click “TCP stream”

Todays file password is: SecurePa55word8!

Hmm... this “SecurePa55word8!” seems interesting. I tried to submit it as the flag, but it says it's wrong.

So I viewed another large frame, Frame 26, and saw the string “7z”. I thought it could be a 7z file, so I took the hex bytes “37 7a” and searched on Google. Based on this site (https://www.filesignatures.net/index.php?page=search&search=377ABCAF271C&mode=SIG), it is confirmed that this is indeed a 7z file.

Notice the range that I highlighted.

So, on the same Frame 26, right click and follow the TCP stream. It will show you the content of the stream. At the bottom of the stream window, change the “Show and save data as” option to “Raw”.

Click “Save as…” and save it under any name you like. In this example, I’ll name it “7out”.
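The signature lookup above can also be done in code. The following is an added example, not part of the original write-up: it scans a saved raw stream (such as “7out”) for the 7z signature, confirms the hit with the header CRC, and carves exactly the archive bytes. The function names and the sample stream are constructed for illustration.

```python
import struct
import zlib

# 7z signature from the page: "7z" (37 7A) followed by BC AF 27 1C
SEVENZ_MAGIC = bytes.fromhex("377abcaf271c")
HEADER_LEN = 32  # fixed-size signature header at the start of every 7z file


def find_7z(stream: bytes):
    """Return (offset, length) of the first valid 7z archive, or None."""
    pos = stream.find(SEVENZ_MAGIC)
    while pos != -1:
        header = stream[pos:pos + HEADER_LEN]
        if len(header) == HEADER_LEN:
            (start_crc,) = struct.unpack_from("<I", header, 8)
            next_off, next_size, _ = struct.unpack_from("<QQI", header, 12)
            # StartHeaderCRC covers the 20 bytes after it; a match rules out
            # a chance occurrence of the magic bytes inside other data.
            if zlib.crc32(header[12:]) == start_crc:
                return pos, HEADER_LEN + next_off + next_size
        pos = stream.find(SEVENZ_MAGIC, pos + 1)
    return None


def carve_7z(stream: bytes):
    """Return the archive bytes, or None if absent or cut short."""
    hit = find_7z(stream)
    if hit is None or hit[0] + hit[1] > len(stream):
        return None  # no archive, or the capture is missing packets
    return stream[hit[0]:hit[0] + hit[1]]


def build_sample():
    """Constructed input: text, a decoy magic, a minimal archive shell, trailer."""
    body, next_header = b"\x00" * 40, b"\x01" * 10  # stand-ins, not real 7z data
    start = struct.pack("<QQI", len(body), len(next_header), zlib.crc32(next_header))
    header = SEVENZ_MAGIC + b"\x00\x04" + struct.pack("<I", zlib.crc32(start)) + start
    archive = header + body + next_header
    decoy = SEVENZ_MAGIC + b"\xff" * 30  # magic bytes without a valid header CRC
    return b"GET" + decoy + archive + b"trailing", archive


if __name__ == "__main__":
    stream, expected = build_sample()
    print(find_7z(stream), carve_7z(stream) == expected)
```

On a real capture, pass the bytes of the saved raw stream to `carve_7z`; a `None` result on a stream that does contain the signature usually means the capture lost packets.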

When I open the file, there’s a folder named “FLAG”, and inside it is a file named “Flag.txt”. It’s password protected when we try to view it.

got password?

So, maybe we can use the string/password that we discovered earlier:

It works! The flag is “capturing_clouds_and_keys”.

By zam
