CSAW CTF Quals 2014 - why not sftp? (200pts) writeup

The challenge description was: well seriously, why not?

Let's download the pcap file and analyze the traffic to find out where is our flag in Wireshark. I usually start by looking at the conversations and try to find something odd or interesting:

CSAW CTF Quals 2014 - why not sftp? (200pts) writeup - 01

In the TCP conversations tab, we can see a lot of bandwidth consumption between A to B. Let's click on Follow Stream to analyze and try finding our flag:

CSAW CTF Quals 2014 - why not sftp? (200pts) writeup - 02

Do you notice something interesting in the Stream Content? No need to even try and look into the 12092 bytes of data. We can see it at the beginning, flag.png. All we have to do is use the Save As button and try extracting our data from it.

mrt:~/csaw/why_not_sftp$ ls
total 20
drwxr-xr-x  2 mrt mrt  4096 Sep 21 19:12 .
drwxr-xr-x 10 mrt mrt  4096 Sep 21 19:12 ..
-rw-r--r--  1 mrt mrt 12092 Sep 19 19:32 traffic.dmp

mrt:~/csaw/why_not_sftp$ file traffic.dmp
traffic.dmp: Zip archive data, at least v2.0 to extract

The stream content is a Zip archive, let's unzip it and find out if our file flag.png is in there:

mrt:~/csaw/why_not_sftp$ unzip traffic.dmp
Archive:  traffic.dmp
  inflating: flag.png

mrt:~/csaw/why_not_sftp$ ls
total 36
drwxr-xr-x  2 mrt mrt  4096 Sep 21 19:12 .
drwxr-xr-x 10 mrt mrt  4096 Sep 21 19:12 ..
-rw-r--r--  1 mrt mrt 12970 Sep 13 13:17 flag.png
-rw-r--r--  1 mrt mrt 12092 Sep 19 19:32 traffic.dmp

Now open the file flag.png with an image viewer. The flag is written on it.

We got our flag:

91e02cd2b8621d0c05197f645668c5c4