So I found this challenge a bit tiring. We get a lot of data sent through different protocols (ARP, MDNS, TCP, ICMP etc.) Going through all of them, I found the ICMP packets a bit strange. There were some malformed packets in the capture. Seeing the hex dump of the first 3 packets makes it clear that a GIF image’s characters are present at the 34th byte of the hexdump.
So we got the exploit. All that is needed now is to filter out the ICMP packets which have the source IP 10.136.255.127.
Let us see what those suspicious ICMP packets were:
So if you notice you are able to see GIF as you observe the highlighted spots of the above images. Now here comes the part that I have to automate using scapy. Let us write a script.
from scapy.all import * r = rdpcap("data.pcap") list1 =  for i in range(0, len(r)): if ICMP in r[i]: if "ICMP 10.136.255.127" in r[i][ICMP].summary(): #getting the correct packets by filtering w.r.t source IP d = str(r[i]) list1.append(d) # 34th byte in every packet has GIF file code f = open('FLAG.gif', 'w') f.write(''.join(list1)) f.close()
And we got a GIF image file which had the flag written inside it.
So that’s how its done. Cheers!!