Download the file and find a way to get the flag.
udp.stream == 2
. I tried extracting these files by saving what 192.168.47.129
sends in udp.stream == 2
as raw bytes and then using binwalk
, but binwalk
only extracted corrupted versions of the files. I tried uses a hex editor to manually save the files from the raw bytes, but this failed for the same reason: some files are "corrupted" because they are missing bytes or have extra bytes.192.168.47.129
sends data to 192.168.47.128
in 626 byte chunks. However, this data is not pure data, which causes the aforementioned problems.192.168.47.128
: Requests the file get <filename>
192.168.47.129
: Sends the file in segments <segment id (8 bytes)> <op code (8 bytes)> <data>
192.168.47.128
: Acknowledges that segment has been received by sending the segment id back <segment id (8 bytes)>
tshark
: tshark -r fh01.pcapng -T fields -e data --disable-protocol sigcomp --disable-protocol wg --disable-protocol pathport --disable-protocol dcerpc -Y '(ip.src == 192.168.47.129 && frame.len == 626) || (ip.src == 192.168.47.128 && udp)' > udp_stream_2.dmp
udp_stream_2.dmp
. If the line starts with the word get
then a new file is being transferred and the program starts storing each segment with length 4129, which is the hexadecimal equivalent of the 626 byte chunks from wireshark.5.zip
. Extract 5.zip
and open 5.jpg
to get the flag.C4tch1ng_H0n3y_p0Ts_w1TH_a_Sh4rk!