2014 CSAW Qualifying CTF - Forensics 200 A

Written by: Justin G.

For this challenge knowing out to move about in Wireshark is pretty vital.
After opening up traffic-5.pcap the first thing I did was filter for ftp traffic.

After filtering I see that there was a successful login using the username forensics, so I felt like I was on the right track.

It then appears that a file called /files/file.zip was downloaded. I think I want that file.

After clearing my filter I right clicked on one of the FTP-DATA packets and followed the TCP Stream.

Then I saved off that stream and called it file.zip.

After unzipping the file I had a file called flag.png. I guess I should probably open it.