Tunneled Data (bronze, 50p)

IT department analysed this file and identified that some traffic was tunneled out of the network.
They could not identify what it was.
Can you help them with the packet capture analysis
Can you identify the tunneling protocol and decode the data?


Looking at the school-noc-dump.pcapng file with Wireshark, there are only few HTTP requests (write http in display filter). First of them is GET /decapsulate-decode-instructions. Follow → HTTP Stream.

GET /decapsulate-decode-instructions HTTP/1.1
User-Agent: curl/7.58.0
Accept: */*

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.18
Date: Sat, 24 Oct 2020 13:54:57 GMT
Content-type: application/octet-stream
Content-Length: 469
Last-Modified: Fri, 23 Oct 2020 13:37:04 GMT

At agreed time, start the packet capture on
Capture it in some file eg. capture.pcapng

then filter out the traffic, remove unnecessary characters from the dump,
create ascii from hex and base64 decode it.

We shouldn't be detected by using this method. ICMP is often allowed on firewalls and
intrusion detection systems should not alert.

tshark -r capture.pcapng -Y "icmp.type == 8" -T fields -e data | sed -n 's/^.*0000000//p' | xxd -r -p | base64 -d

Running mentioned command against provided pcap file, returns flag.

$ tshark -r school-noc-dump.pcapng  -Y "icmp.type == 8" -T fields -e data | sed -n 's/^.*0000000//p' | xxd -r -p | base64 -d
School job is finished.
There was small issue accessing the database server,
but we can continue at the local hospital where subject K is treated.
As planned will create some havoc,
so we can get some eyes off from our main mission.
The flag is: c95412dc-1fce-4a69-c420