So I found this challenge a bit tiring. We get a lot of data sent through different protocols (ARP, MDNS, TCP, ICMP etc.) Going through all of them, I found the ICMP packets a bit strange. There were some malformed packets in the capture. Seeing the hexdump of the first 3 packets makes it clear that a GIF image's characters are present at the 34th byte of the hexdump.
So we got the exploit. All that is needed now is to filter out the ICMP packets which have the source IP 10.136.255.127.
The highlighted byte in the picture G
The highlighted byte in the picture I
The highlighted byte in the picture F
After analyzing the first 5 packets and combining the data at the 34th byte gives me GIF89
Then run a simple python script using scapy thats all. Just to know properly of what's going on, please analyze every line of code and then run the complete script.
from scapy.all import *
r = rdpcap("data.pcap")
list1 = []
for i in range(0, len(r)):
if ICMP in r[i]:
if "ICMP 10.136.255.127" in r[i][ICMP].summary(): #getting the correct packets by filtering w.r.t source IP
d = str(r[i])
list1.append(d[34]) # 34th byte in every packet has GIF file code
f = open('FLAG.gif', 'w')
f.write(''.join(list1))
f.close()Then we get a .GIF file with the flag written.
Well that was some challenge!
Cheers!!!