Always open malware in a secure environment like a VM.
We will be using the REMnux distribution which is specifically made for reverse engineering.
What is the response message obtained from the PCAP file?
Let's open the insider.pcap file using Wireshark.
Let's follow the TCP stream via Follow > TCP Stream.
Answer
What is the password of the ZIP file?
The answer to the previous question told us to use our own password.
If we look at the TCP stream we can see a string sent by us that might be a password.
The string has two == signs at the end. This is an indication that the string has been encrypted using Base64.
Let's use Cyberchef to decode it.
Answer
Will more passwords be required?
We can now unzip file.zip using the redforever password.
As there are no more Zip files, we can safely say that no more password will be required.
Answer
What is the name of a widely-used tool that can be used to obtain file information?
The exiftool utility can be used to obtain file information such as the metadata.
Answer
What is the name and value of the interesting information obtained from the image file metadata?
Let's look at the file metadata using the exiftool utility as mentioned previously.
All the information is pretty standard for an image except for the Technique : Steganography field. Steganography is used to hide information in other information most notably images.
Answer
Based on the answer from the previous question, what tool needs to be used to retrieve the information hidden in the file?
The steghide tool needs to be used retrieve the hidden information.
Answer
Enter the ID retrieved.
Let's use the steghide utility to retrieve the ID.
The sf flag is used to specify the name of the stego file.
Answer
What is the profile name of the attacker?
Let's look at our own user profile.
If we look at the user profile, we can see that the user IDs are included in the URI.
What if we replace this ID with the one we retrieved: 0726ba878ea47de571777a.
