FullCapture for Festerowy.rar

Identifying "Festerowy": Search for the string "Festerowy" in the packet bytes (Ctrl+F in Wireshark, set to "String" and "Packet bytes").

Data Extraction: Often these challenges hide data in common protocols or use a specific "strange" protocol that stands out.

Filtering for Interest: Look for traffic on ports like 1337 or 4444, which often indicate a reverse shell.

Common "Gotchas" in this Challenge:
- The flag might be split across multiple packets. Use "Follow TCP Stream" to see the full conversation.
- Data might be Base64 encoded or hex encoded within the packets.
- Use grep on the extracted strings: strings capture.pcap | grep -i "flag"
- Flags usually follow a format like CTF... or FLAG... .
- If the traffic is encrypted (HTTPS) and a key log file (SSLKEYLOGFILE) is provided in the RAR, load it into Wireshark (Edit -> Preferences -> Protocols -> TLS) to decrypt the traffic.
- DNS: Check for DNS tunneling. If you see many long, encoded subdomains (e.g., ://example.com), data is being exfiltrated through DNS queries.
- ICMP: Check for data appended to ping packets.