BTLO : Shiba Insider


Can you uncover the insider?


Challenge Submission

Unzip the given folder and there will be two files. A PCAP file and a zipped folder. First open the PCAP file in Wireshark.

What is the response message obtained from the PCAP file?

Follow the TCP stream of the captured traffic and you can see the response returned by the server.

What is the password of the ZIP file?

Looking through the TCP stream you will find a base64-encoded string in the Authorization header of the HTTP request.

Decode the base64 text to find the password.
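The decoding step above can be scripted so that it also serves as a detection: any HTTP request carrying a `Basic` Authorization header over plain TCP exposes its credentials to anyone holding the capture. The following is an added example, not part of the original writeup and not the challenge's own traffic; the request bytes, hostname and credentials are constructed.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Constructed sample of what "Follow TCP Stream" shows for one HTTP request.
# Not taken from the challenge PCAP; the host and the credentials are made up.
SAMPLE_STREAM = (
    b"GET /secret/README.txt HTTP/1.1\r\n"
    b"Host: internal.example.test\r\n"
    b"User-Agent: curl/7.88.1\r\n"
    b"Authorization: Basic YWxpY2U6UzNjcjN0UGFzcyE=\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# Matches one "Authorization: Basic <base64>" header line in a raw HTTP stream.
AUTH_RE = re.compile(
    rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def extract_basic_credentials(stream: bytes) -> List[Tuple[str, str]]:
    """Return (user, password) pairs for every Basic Authorization header in a stream.

    RFC 7617 defines the credential as base64("user:password"); the user part
    cannot contain a colon, so the first colon is the separator.
    """
    found = []
    for match in AUTH_RE.finditer(stream):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # malformed base64: not a usable credential, skip it
        text = decoded.decode("utf-8", errors="replace")
        user, sep, password = text.partition(":")
        if sep:
            found.append((user, password))
    return found


def report(stream: bytes) -> List[str]:
    """Human-readable findings for an analyst; one line per exposed credential."""
    return [
        f"cleartext Basic auth for user '{user}' (password length {len(password)})"
        for user, password in extract_basic_credentials(stream)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_STREAM):
        print(line)
```

Run against a stream exported from Wireshark (File > Export Packet Bytes, or the raw view of Follow TCP Stream) the function returns every credential pair the capture leaks; an empty list means no Basic authentication was observed in that stream.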

Will more passwords be required? 

Use the newly obtained password to open the README text file to find the answer.

What is the name of a widely-used tool that can be used to obtain file information?

We can use exiftool to find metadata of files.

What is the name and value of the interesting information obtained from the image file metadata?

The output of exiftool will indicate the technique that was used on the file.
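exiftool reports a JPEG `COM` segment as the `Comment` field, which is where a hint like the one in this challenge typically lives. The following added example (not part of the writeup, and not the challenge image) walks the marker table of a constructed JPEG and pulls that field out, so you can see where the tool's output comes from; the sample bytes and the comment text are made up.

```python
from typing import List, Tuple

# Constructed minimal JPEG: SOI, a JFIF APP0 header, one COM segment, EOI.
# Not the challenge image; the comment text is made up for illustration.
_COMMENT = b"constructed comment: hidden with steghide"
SAMPLE_JPEG = (
    b"\xff\xd8"                                                     # SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big")                         # APP0, length 16
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"               # 14-byte JFIF payload
    + b"\xff\xfe" + (2 + len(_COMMENT)).to_bytes(2, "big") + _COMMENT  # COM segment
    + b"\xff\xd9"                                                   # EOI
)

MARKER_NAMES = {0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM", 0xDB: "DQT", 0xC0: "SOF0",
                0xC4: "DHT", 0xDA: "SOS", 0xD9: "EOI"}


def jpeg_segments(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (marker name, payload) for each segment before the scan data.

    Every segment is FF xx, a 2-byte big-endian length that counts itself,
    then the payload. SOS starts entropy-coded data, so parsing stops there.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments: List[Tuple[str, bytes]] = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        name = MARKER_NAMES.get(marker, f"0x{marker:02X}")
        if marker in (0xD9, 0xDA):          # EOI or SOS: no more metadata segments
            segments.append((name, b""))
            break
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        segments.append((name, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments


def jpeg_comments(data: bytes) -> List[str]:
    """The text exiftool would show as 'Comment', one entry per COM segment."""
    return [payload.decode("latin-1") for name, payload in jpeg_segments(data) if name == "COM"]


if __name__ == "__main__":
    for name, payload in jpeg_segments(SAMPLE_JPEG):
        print(f"{name:5} {len(payload)} bytes")
    print("Comment:", jpeg_comments(SAMPLE_JPEG))
```

Running it on a real file (`jpeg_comments(open("image.jpg", "rb").read())`) gives the same Comment value exiftool prints; the marker listing is also a quick way to notice unexpected APP or COM segments in an image before reaching for a steganography tool.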

Based on the answer from the previous question, what tool needs to be used to retrieve the information hidden in the file?

We can use Steghide to recover information that was hidden using steganography.

Enter the ID retrieved. 

Use Steghide to extract hidden files. There is no password needed. The ID can be retrieved from the text file.

What is the profile name of the attacker?

After some rabbit holes I realized the name of the challenge is “Shiba Insider”. I checked my own user ID on the Blue Team Labs portal and pasted in the ID that was discovered. This led to a user.
