Tags: forensics
Rating:
### challenge description : Someone accessed the server and stole the flag. Use the network packet capture to find it.
### challenge hint : Look for unusual ports.
### challenge file : stolen_data.pcap
step by step writeup :
1- looking to the ports i discover that there are destination port number : 4444
2- use filter (tcp.port eq 4444)
3- right click > follow > tcp stream
4- find packet with pdf file
5- change data from ascii to raw > save file as filename.pdf
6- open pdf file to find the flag
# flag :jctf{0v3r_7h3_w1r3}