What's up, YouTube? This is a video write-up for the challenge Thunder from Codefest CTF 2018. The challenge prompt here is: this individual was downloading a secret from the internet when it got struck by Thunder, which left it in pieces; help recover the secret. It gives us a file to download, which I've already got downloaded here in our directory. It is a PCAP file, or packet capture, so we can open it up in Wireshark. If you don't have Wireshark installed and you're on Linux, you can just sudo apt-get install it, or use whatever package manager you need to get the program up and running: apt or aptitude for Ubuntu and Debian stuff.

So we see us making an HTTP GET request to download this flag.jpg file. The server responds with a portion of the file, but not all of it. So we can actually check out more of the packets that are rolling through here, and all these black segments are telling us that, well, it's getting segmented into different fragments. So we don't have a full image that we can particularly pull from here; a lot of the packets are out of order or broken, et cetera, following the challenge prompt. I tried to export objects, all the HTTP things, and you can see there are portions of the JPEG images in here, and they actually have some duplicate sizes. So we may be seeing multiple requests to GET that flag, just coming in different segments. If we wanted to, we could save them and try to piece them together, and create a folder for them called pieces. But again, if we check this out, we won't be able to view any of them without manually putting them all together, which would kind of suck, or they're out of order. And you've got to keep track of these duplicates, and I wasn't able to get it right even just in testing. Thankfully, some of them are recognized by the file command as a JPEG image.
But again, it's only a portion of the file, just the very, very start, just the magic bytes. So it'll trick the file command, but it's not a real image for us. So, whatever, I tried some other low-hanging fruit, some other tools we could throw it at. So tcpflow, to try and extract other packages or files out of it that it could reorganize and put together. tcpflow will give us files that come in the conversation from one IP address to the next, like the source and destination. And you can see a lot of these are in fact either GET requests or actual content that's maybe coming out. Just trying to grab some of these as an example: some of them will include the HTTP request, or the actual server responding with some data, maybe a portion of a flag, et cetera, a portion of the image. I'm going to type reset just to fix my terminal here. Reset, okay. But that wouldn't work for us either.

So I tried, okay, what other tools can I try this with? And I went for binwalk, just for regular forensics, to see if it could carve a file out of it. I tried extracting from Thunder.pcap and it could actually track down some JPEG image data, but it wouldn't extract anything out. I didn't see that _Thunder.pcap extracted output file or folder. So I tried foremost, just more tools, to see what we could do with it. foremost was actually able to process it and it did give me an output directory. So I would change directory into that. I saw that it could actually get some JPEG files out of it. So I ran an image viewer to open them up and I got some results. The flag is "AP is amazing." And whatever, maybe the image is corrupted or whatever the case may be, but we were able to actually determine the flag and see it out of that. So, awesome. I guess some low-hanging fruit, simple, regular knee-jerk-reaction go-to challenge tools were successfully able to find the flag for us. So not a whole lot there, no tricks.
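As an added example (not code from the video), here is a small Python carver that does by hand what foremost did for this capture: it pulls JPEG candidates out of a raw byte stream by the SOI/EOI markers, flags header-only stubs (the fragments that fool `file` but won't open), and dedupes the repeated downloads. The sample stream is constructed; the HTTP headers and tiny JPEG in it are not from the challenge.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

SOI = b"\xff\xd8\xff"  # JPEG start-of-image plus the first marker's 0xFF byte
EOI = b"\xff\xd9"      # JPEG end-of-image

@dataclass
class Carved:
    offset: int
    data: bytes
    complete: bool  # False for a header-only stub (no EOI before the next SOI)
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()

def carve_jpegs(blob: bytes, max_size: int = 10 * 1024 * 1024) -> list[Carved]:
    """Carve JPEG candidates from a raw byte stream (e.g. a reassembled TCP payload).
    A candidate runs from an SOI to the next EOI; if another SOI shows up first it is
    a stub. Caveat shared with foremost: EXIF thumbnails embed their own SOI/EOI."""
    found, pos = [], 0
    while (start := blob.find(SOI, pos)) != -1:
        limit = min(len(blob), start + max_size)
        end = blob.find(EOI, start + len(SOI), limit)
        next_soi = blob.find(SOI, start + len(SOI), limit)
        if end == -1 or (next_soi != -1 and next_soi < end):
            stop = next_soi if next_soi != -1 else limit   # stub: magic bytes, no EOI
            found.append(Carved(start, blob[start:stop], False))
        else:
            stop = end + len(EOI)                           # complete SOI...EOI image
            found.append(Carved(start, blob[start:stop], True))
        pos = stop
    return found

def dedupe(carved: list[Carved]) -> list[Carved]:
    """Collapse repeated downloads of the same image (identical bytes, same hash)."""
    unique = {}
    for c in carved:
        unique.setdefault(c.sha256(), c)
    return list(unique.values())

# Constructed sample stream: two HTTP responses carrying the same tiny JPEG and one
# carrying only its first 20 bytes, which is enough to fool `file` but not a viewer.
FULL = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\x00" * 8 + b"\xff\xd9")
STUB = b"\xff\xd8\xff\xe0" + b"\x11" * 16
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
SAMPLE = HDR + FULL + HDR + STUB + HDR + FULL

def report(blob: bytes) -> list[tuple[int, int, bool]]:
    """(offset, size, complete) for each unique carved candidate."""
    return [(c.offset, len(c.data), c.complete) for c in dedupe(carve_jpegs(blob))]
```

Run `report(SAMPLE)` on a real capture by feeding it the bytes of a tcpflow output file or the whole PCAP; only the `complete` candidates are worth opening in a viewer.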
Just checking out what we have to work with, doing our own enumeration and reconnaissance, and running through our background check of using the tools that we know.

Quick shout-out to the people that support me on Patreon. Thank you guys so much; I cannot say it enough. $1 a month or more on Patreon will give you a special shout-out just like this at the end of every video. $5 or more on Patreon will give you early access to everything that we release on YouTube before it goes live, because I normally record in bulk and YouTube gradually releases stuff on a schedule. If you did like this video, please do like, comment, and subscribe. The link in the description is to join our Discord server. Please come and hang out; it's an awesome community of CTF players, programmers, and hackers. If you want to hang out with me or other cool people, that's the place to do it. We'll be tackling ICTF and NOC CTF and other upcoming competitions or capture-the-flag games as a whole team. So it's crazy, crazy cool. Thanks so much, guys. Thanks for watching. I love you. Hope to see you in the next video. Hope to see you on Patreon. All right, I'm going to end the video now. Press the stop record button.