A write-up of the “MD5” network covert-channel pcap analysis challenge from 5Charlie CTF.
MD5 - Challenge
A file was exfiltrated over an unencrypted protocol. What is the MD5 hash of the exfiltrated file?
MD5 - Solution
This is a small pcap and most of the traffic is going to
Let’s have Wireshark focus in on that traffic and look for anything strange.
That’s some interesting DNS traffic. I’d be willing to bet the file is in those DNS subdomains. Let’s pull it out with some tshark parsing.
I also appended | xclip -selection clip to the end so that I could paste it right from my clipboard into CyberChef.
CyberChef immediately identifies the encoding and suggests converting it from Hex and rendering the result as an image.
Adding the “MD5” recipe to CyberChef gives us our flag.
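The same reassembly can be done offline in a script once the query names are exported from the capture. The following is an added example, not the author's tshark command or CyberChef recipe. It assumes the hex data sits in the labels to the left of a single domain; the domain `exfil.example`, the chunk size and the sample bytes are constructed for the demo.

```python
import hashlib
import string

# Constructed sample: DNS query names, one per entry, as a field export from the
# capture might list them. Domain and chunk size are assumptions for the demo.
PAYLOAD = b"\x89PNG\r\n\x1a\n" + b"constructed-sample-bytes"
HEX_TEXT = PAYLOAD.hex()
SAMPLE_QUERIES = [HEX_TEXT[i:i + 16] + ".exfil.example" for i in range(0, len(HEX_TEXT), 16)]
SAMPLE_QUERIES.insert(2, "www.example.com")   # unrelated lookup mixed in
SAMPLE_QUERIES.insert(4, SAMPLE_QUERIES[3])   # retransmitted query

MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}


def reassemble(queries, suffix, drop_repeats=True):
    """Rebuild the file from hex labels sent under `suffix`, in capture order."""
    chunks, prev = [], None
    for query in queries:
        name = query.strip().rstrip(".").lower()
        # A resolver retry repeats the same name back to back; keeping it would
        # duplicate a chunk. Disable if the data may legitimately repeat.
        if drop_repeats and name == prev:
            continue
        prev = name
        if not name.endswith("." + suffix):
            continue  # ordinary DNS traffic, not part of the channel
        label = name[: -len(suffix) - 1].replace(".", "")
        if label and all(c in string.hexdigits for c in label):
            chunks.append(label)
    return bytes.fromhex("".join(chunks))


def identify(data):
    """Name the file type from its leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    blob = reassemble(SAMPLE_QUERIES, "exfil.example")
    print(identify(blob), len(blob), md5_hex(blob))
```

If the recovered bytes do not start with a known magic value, check for duplicated or out-of-order queries before trusting the hash.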