Question:
We have captured a file being transferred over the network, can you take a look and see if you can find anything useful? https://cgames-files.allyourbases.co/nm01.zip Hint: External tools like CyberChef can help decode the data.
Download & extract the file. You’ll see a file named “nm01.pcapng”.
Open the pcap file using Wireshark. Usually, I sort the frames by “Length” and view the content of the large ones.
On Frame 4 – right click – click “Follow” – click “TCP stream”
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2021/02/nm01_1.png?resize=640%2C91&ssl=1)
Hmm.. this “SecurePa55word8!” seems interesting. I tried to submit it as the flag, but it says wrong..
So, I viewed another large frame, Frame 26. I saw there’s a string “7z”. I thought it could be a 7z file. I took the hex number “37 7a” & searched on Google. Based on this site – https://www.filesignatures.net/index.php?page=search&search=377ABCAF271C&mode=SIG – it is confirmed that this is indeed a 7z file.
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2021/02/nm01_2.png?resize=640%2C292&ssl=1)
So, on the same Frame 26, right click and follow the TCP stream. It will show you the content of the stream. At the bottom of the stream window, under the option “Show and save data as”, change it to “Raw”.
Click “Save as…” and save it under any name you like – in this example, I’ll name it “7out”.
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2021/02/nm01_3.png?resize=640%2C166&ssl=1)
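The signature lookup and the raw-stream save can also be checked with a script. The following is an added example, not part of the original write-up: it scans a saved raw stream for the 7z signature, validates the start-header CRC so that a stray “7z” string or coincidental magic bytes are rejected, and uses the header's offset and size fields to compute the archive length. This goes beyond the manual steps above by relying on the 7z signature-header layout; the function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib

SEVENZ_MAGIC = bytes.fromhex("377abcaf271c")  # signature from the lookup above
HEADER_LEN = 32  # 6 magic + 2 version + 4 CRC + 20-byte start header


def find_7z(stream: bytes):
    """Return (offset, length, version) for each validated 7z header."""
    hits = []
    pos = stream.find(SEVENZ_MAGIC)
    while pos != -1:
        header = stream[pos:pos + HEADER_LEN]
        if len(header) == HEADER_LEN:
            major, minor, start_crc = struct.unpack_from("<BBI", header, 6)
            start_header = header[12:32]
            # The stored CRC32 covers the 20-byte start header. A mismatch
            # means the magic was a coincidence or the header is damaged.
            if zlib.crc32(start_header) == start_crc:
                next_off, next_size, _ = struct.unpack("<QQI", start_header)
                length = HEADER_LEN + next_off + next_size
                hits.append((pos, length, f"{major}.{minor}"))
        pos = stream.find(SEVENZ_MAGIC, pos + 1)
    return hits


def carve(stream: bytes, offset: int, length: int) -> bytes:
    """Cut one archive out of the stream; fail if the capture is truncated."""
    if offset + length > len(stream):
        raise ValueError("stream ends before the archive does")
    return stream[offset:offset + length]


def build_sample() -> bytes:
    """Constructed data: text, a decoy magic, then a minimal 7z-shaped blob."""
    body = b"\x00" * 40               # stand-in for the packed streams
    tail = b"\x01" + b"\x00" * 15     # stand-in for the end header
    start_header = struct.pack("<QQI", len(body), len(tail), zlib.crc32(tail))
    header = SEVENZ_MAGIC + struct.pack("<BBI", 0, 4, zlib.crc32(start_header))
    decoy = b"notes about 7z" + SEVENZ_MAGIC + b"\xff" * 30  # CRC will not match
    return b"banner\r\n" + decoy + header + start_header + body + tail + b"bye"


if __name__ == "__main__":
    data = build_sample()
    for off, length, ver in find_7z(data):
        archive = carve(data, off, length)
        print(f"7z v{ver} at offset {off}: {len(archive)} bytes")
```

To run it against the stream saved from Wireshark, read that file in binary mode and pass its bytes to `find_7z` in place of `build_sample()`.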
When I open the file, there’s a folder named “FLAG”, and inside it is a file named “Flag.txt”. It’s password protected when we try to view it.
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2021/02/nm01_4.png?resize=602%2C360&ssl=1)
So, maybe we can use the string/password that we discovered earlier:
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2021/02/nm01_5.png?resize=567%2C76&ssl=1)
It works! The flag is “capturing_clouds_and_keys”.