Hacker stole the flag through the SSL protocol.
(pcap download link)
SCTF{H3llo_Cov3rt_S5L}
- If you look at the packets, you can see that many SSL "Client Hello" packets are sent from 192.168.0.107 to the server at 192.168.0.128.
- Filter the packets with the rule "(src host 192.168.0.107 && dst host 192.168.0.128) || (src host 192.168.0.128 && dst host 192.168.0.107)".
- Picture files are transferred over an SSL covert channel (the "Random" field in Secure Socket Layer), and one file was transferred in each session.
- Sometimes the server responds with '0' (not '1'), and the client then resends the previous message.
- Build a file extractor that takes the above points into account.
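
A sketch of such an extractor, added here as an example and not the code used for the original solve: it parses the Random field out of each Client Hello record and drops any chunk the server answered with 0, since the client resends it. Assumptions: all 32 Random bytes carry file data, the server's 0/1 reply has already been read from its response as an integer (the page does not say where it sits), and the function names and the sample records are constructed for illustration.

```python
import struct

def client_hello_random(record: bytes) -> bytes:
    """Return the 32-byte Random of a TLS record carrying a ClientHello."""
    if len(record) < 5:
        raise ValueError("short TLS record")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 22 or len(body) != rlen or len(body) < 4 or body[0] != 1:
        raise ValueError("not a complete ClientHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 34:  # 2-byte client_version + 32-byte Random
        raise ValueError("truncated ClientHello")
    return hello[2:34]

def extract_file(exchanges) -> bytes:
    """Rebuild one session's file from ordered (ClientHello record, ack) pairs.

    A chunk is kept only when the server answered 1; after a 0 the client
    resends the same chunk, so the rejected copy is skipped.
    """
    out = bytearray()
    for record, ack in exchanges:
        chunk = client_hello_random(record)  # parse first so bad records fail loudly
        if ack == 1:
            out += chunk
    return bytes(out)

def build_client_hello(random32: bytes) -> bytes:
    """Constructed minimal ClientHello record, used only as sample input."""
    hello = b"\x03\x03" + random32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample: a 64-byte PNG-like payload in two 32-byte chunks,
# with the first chunk rejected once (ack 0) and then resent.
PAYLOAD = b"\x89PNG\r\n\x1a\n" + bytes(range(56))
EXCHANGES = [
    (build_client_hello(PAYLOAD[:32]), 0),
    (build_client_hello(PAYLOAD[:32]), 1),
    (build_client_hello(PAYLOAD[32:]), 1),
]

if __name__ == "__main__":
    print(extract_file(EXCHANGES) == PAYLOAD)
```

On the real capture, the records would come from the TCP payloads selected by the filter above, grouped per session so that each session yields one file.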