E-CTF-2025 - Forensic
Challenge Description

We are provided with a .zip file containing a .pcap file. The instructions indicate an image has been stolen, and we must recover it from the PCAP file.
Step 1: PCAP File Analysis
I opened the .pcap file with Wireshark to inspect the network traffic.

Observations:
- I noticed suspicious DNS requests sent to data.exfil.attacker.com: many queries, each with a long, random-looking subdomain label.
- This suggests data exfiltration via DNS: the image is encoded chunk by chunk into the labels of the queried domain names, a technique that slips past filters because outbound DNS is almost always allowed.
Step 2: Extracting Exfiltrated Data
To extract all DNS queries from the PCAP, I used Tshark:
tshark -r justapcap.pcap -Y "dns" -T fields -e dns.qry.name > dns_exfil_data.txt
Explanation:
- `-r justapcap.pcap` → reads the justapcap.pcap file.
- `-Y "dns"` → keeps only DNS packets (note: this matches both queries and responses; since a response echoes the query name, each chunk shows up twice if both directions were captured. A tighter filter such as `-Y "dns.flags.response == 0 && dns.qry.name contains \"exfil.attacker.com\""` keeps only the outgoing queries for the exfiltration domain).
- `-T fields -e dns.qry.name` → prints only the queried domain name, one per line.
- `> dns_exfil_data.txt` → saves the output to a text file.
Result:

Step 3: Cleaning and Reconstructing Data
The data sent via DNS appeared to be hexadecimal-encoded.
I used cut and xxd to reconstruct the stolen file:
cat dns_exfil_data.txt | cut -d'.' -f1 | xxd -r -p > extracted_file
Explanation:
- `cut -d'.' -f1` → splits each name on `.` and keeps only the first label, dropping the chunk index and the `.exfil.attacker.com` suffix, so only the hexadecimal payload remains. This assumes the hex chunk is the first label and that the queries in the file are already in index order; if they are not (retransmissions, reordering), sort by the index label before decoding.
- `xxd -r -p` → reverses a plain hexdump, converting the hexadecimal text back to binary.
- `> extracted_file` → stores the reconstructed bytes as `extracted_file`.
Step 4: Checking and Opening the Image
I verified the extracted file type using the file command and opened the image:
file extracted_file
Result: `file` recognised the leading magic bytes (`\x89PNG\r\n\x1a\n`), so the recovered data was indeed a PNG file!
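The whole recovery (Steps 2 to 4) as one script, added here as an example and not part of the original writeup. It works on the text that `tshark -T fields -e dns.qry.name` prints and, unlike the `cut | xxd` one-liner, tolerates the cases a real capture throws at you: unrelated lookups mixed in, each exfil name appearing twice (query plus echoed response), chunks arriving out of order, and a missing chunk. The exfiltration domain and the `<hex>.<index>.data.exfil.attacker.com` label layout are assumptions based on the post; the sample query names are constructed and carry the header of a 1x1 RGBA PNG.

```python
import re

EXFIL_DOMAIN = "data.exfil.attacker.com"  # assumed from the writeup; change for your capture

# Constructed sample of `tshark -T fields -e dns.qry.name` output: unrelated
# lookups, every exfil name twice (query + response echoing it), and chunk 3
# arriving before chunk 2. Payload: the 33-byte header of a 1x1 RGBA PNG,
# split into 8-byte chunks, assumed layout <hex>.<index>.<EXFIL_DOMAIN>.
SAMPLE_QUERY_NAMES = """\
www.example.com
89504e470d0a1a0a.0.data.exfil.attacker.com
89504e470d0a1a0a.0.data.exfil.attacker.com
0000000d49484452.1.data.exfil.attacker.com
0000000d49484452.1.data.exfil.attacker.com
08060000001f15c4.3.data.exfil.attacker.com
08060000001f15c4.3.data.exfil.attacker.com
0000000100000001.2.data.exfil.attacker.com
0000000100000001.2.data.exfil.attacker.com
89.4.data.exfil.attacker.com
89.4.data.exfil.attacker.com
time.example.org
"""

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")

# Magic bytes for the file types a CTF "stolen image" is likely to be.
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"PK\x03\x04": "ZIP archive",
}


def parse_chunks(lines, domain=EXFIL_DOMAIN):
    """Map chunk index -> hex payload for every query name under `domain`.

    A name seen twice (query and response) is fine as long as both copies
    agree; two different payloads for one index means we are mixing streams
    and the output would be garbage, so fail instead of silently decoding.
    """
    chunks = {}
    suffix = "." + domain
    for line in lines:
        name = line.strip().rstrip(".")  # tolerate trailing-dot FQDNs
        if not name.endswith(suffix):
            continue  # ordinary DNS traffic, not part of the exfiltration
        labels = name[: -len(suffix)].split(".")
        if len(labels) != 2 or not HEX_LABEL.match(labels[0]) or not labels[1].isdigit():
            raise ValueError(f"unexpected exfil name layout: {name}")
        hexdata, index = labels[0].lower(), int(labels[1])
        if len(hexdata) % 2:
            raise ValueError(f"odd-length hex chunk at index {index}: {name}")
        if chunks.setdefault(index, hexdata) != hexdata:
            raise ValueError(f"conflicting data for chunk {index}")
    return chunks


def reassemble(lines, domain=EXFIL_DOMAIN):
    """Order chunks by index, refuse to decode if any index is missing."""
    chunks = parse_chunks(lines, domain)
    if not chunks:
        raise ValueError(f"no query names under {domain}")
    missing = sorted(set(range(max(chunks) + 1)) - set(chunks))
    if missing:
        raise ValueError(f"missing chunks (capture incomplete?): {missing}")
    return bytes.fromhex("".join(chunks[i] for i in sorted(chunks)))


def identify(data):
    """Minimal stand-in for `file`: classify by leading magic bytes."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def recover(text, domain=EXFIL_DOMAIN, out_path=None):
    """Decode tshark output text to bytes, optionally writing them to disk."""
    data = reassemble(text.splitlines(), domain)
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(data)
    return data, identify(data)


if __name__ == "__main__":
    import sys

    # Usage: python recover.py dns_exfil_data.txt  (falls back to the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_QUERY_NAMES
    data, kind = recover(source, out_path="extracted_file")
    print(f"{len(data)} bytes recovered, looks like: {kind}")
```

Run it against the real `dns_exfil_data.txt` and it writes `extracted_file` just like the one-liner; the difference is that a duplicated or missing chunk raises an error instead of producing a corrupted image that `file` still happily calls a PNG.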
Retrieved Flag:
