- The network connections in the pcap do not help with the challenge.
- You do not need to access any of the server addresses in the traffic; all the data can be extracted directly from the pcap.
- For the archive password brute-force step, the password is 6 characters long, and the first two characters are "D" and "E".
Examination points: traffic analysis, RAR password brute-forcing, and other steganography methods.
First, follow the HTTP traffic and find that the challenge author uploaded jpg files to /test/upload_file.php. A total of 7 jpg files were uploaded.
Extract all the jpg pictures from the traffic capture. The last jpg is a link to a Google Drive.
Inside is a zip file containing a docx document.
There is no flag in the document. But a docx is actually a compressed file, so try changing it to a zip file and then opening it.
We found a compressed archive, but it was encrypted. Before the hint was released, I thought the ssh key in the traffic capture (pcap) was the decompression password. You can find the record of the ssh key modification at the start of the pcap.
Brute-force to get the password: DE34Q1.
Unzip to get a jpg picture; there is almost no clue in it.
Open it in WinHex and you can find a rar archive hidden in the jpg. I have tried to use binwalk and foremost for separation. Therefore, I manually separated the archive.
If you use common compression software such as Bandizip or WinRAR, you can only get 3 files. None of these three files is the final flag.
If you are using 360压缩, you will get 4 files, one of which contains the flag. This was discovered by my teammates.
If you don't know 360压缩, continue analyzing the rar in WinHex. The fourth file, ffffllll.txt, can be found at the end of the file. (You may find that 666.jpg is actually a png picture. But it seems useless.)
A string was found in front of this ffffllll.txt: STM. It is the identifier of an NTFS alternate data stream in the rar file.
For how to read the STM content (flag), please click here.

ilovectf
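The manual carving step and the STM check described above, as an added example that is not part of the original writeup: it locates a RAR signature inside a JPEG, carves from there to the end of the file, and lists the offsets of the ASCII string STM for inspection in a hex editor. The function names are hypothetical, and the sample bytes are constructed and do not form a valid archive.

```python
# Added example: carve a RAR archive appended to a JPEG and flag "STM" markers.
RAR_SIGNATURES = {
    b"Rar!\x1a\x07\x00": "RAR 1.5-4.x",
    b"Rar!\x1a\x07\x01\x00": "RAR 5.x",
}

def find_rar(data: bytes):
    """Return (offset, format_name) of the first RAR signature, or None."""
    pos = data.find(b"Rar!\x1a\x07")
    while pos != -1:
        for sig, name in RAR_SIGNATURES.items():
            if data.startswith(sig, pos):
                return pos, name
        pos = data.find(b"Rar!\x1a\x07", pos + 1)  # partial match, keep looking
    return None

def carve_rar(data: bytes) -> bytes:
    """Return everything from the RAR signature to the end of the file."""
    hit = find_rar(data)
    if hit is None:
        raise ValueError("no RAR signature found")
    return data[hit[0]:]

def stm_offsets(archive: bytes):
    """Offsets (relative to the archive start) of the ASCII marker 'STM'.

    This is a plain byte search, not a header parser, so hits are leads
    to inspect in a hex editor and may include false positives.
    """
    hits, pos = [], archive.find(b"STM")
    while pos != -1:
        hits.append(pos)
        pos = archive.find(b"STM", pos + 1)
    return hits

# Constructed sample: JPEG start/end markers, then a fake RAR body. The
# placement of the stream name after "STM" is illustrative, not real layout.
SAMPLE = (b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
          + b"Rar!\x1a\x07\x00" + b"\x00" * 8 + b"STM"
          + ":ffffllll.txt".encode("utf-16-le"))

if __name__ == "__main__":
    offset, fmt = find_rar(SAMPLE)
    rar = carve_rar(SAMPLE)
    print(f"{fmt} signature at 0x{offset:x}, carved {len(rar)} bytes")
    print("STM markers at:", [hex(o) for o in stm_offsets(rar)])
```

A file that ends its image data and then continues with an archive signature is also a useful triage signal when reviewing uploaded images.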