Cyber Talents : DF : Cypher Anxiety

An image was leaked from a babies' store. The manager is so annoyed because he needs to identify the image to file charges against the responsible employee. The key is the MD5 of the image.

🧭 Steps followed according to the digital forensics methodology:

  1. Identification

    A suspicious file was found, originating from a children's products store, and it is suspected that it contains a leaked image. The goal is to extract this image and verify its identity by calculating its MD5 value.


  2. Acquisition

    The compressed archive was downloaded with wget:

sansforensics@as: ~/DF-LAB/CyberTalents
$ wget https://hubchallenges.s3.eu-west-1.amazonaws.com/forensics/find+the+image.zip
--2025-07-28 19:21:59--  https://hubchallenges.s3.eu-west-1.amazonaws.com/forensics/find+the+image.zip
Resolving hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)... 3.5.65.153, 52.218.110.88, 3.5.68.106, ...
Connecting to hubchallenges.s3.eu-west-1.amazonaws.com (hubchallenges.s3.eu-west-1.amazonaws.com)|3.5.65.153|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2500600 (2.4M) [application/zip]
Saving to: ‘find+the+image.zip’

find+the+image.zip                      100%[=============================================================================>]   2.38M   497KB/s    in 5.6s    

2025-07-28 19:22:06 (436 KB/s) - ‘find+the+image.zip’ saved [2500600/2500600]

First I check the file type, then I unzip the archive:

sansforensics@as: ~/DF-LAB/CyberTalents
$ ls
find+the+image.zip

sansforensics@as: ~/DF-LAB/CyberTalents
$ file find+the+image.zip 
find+the+image.zip: Zip archive data, at least v2.0 to extract

sansforensics@as: ~/DF-LAB/CyberTalents
$ unzip find+the+image.zip 
Archive:  find+the+image.zip
  inflating: find the image.pcap     
   creating: __MACOSX/
  inflating: __MACOSX/._find the image.pcap

After confirming that the extracted file is a pcap capture, we can open it in Wireshark:

sansforensics@as: ~/DF-LAB/CyberTalents
$ ls
'find the image.pcap'   find+the+image.zip   __MACOSX
sansforensics@as: ~/DF-LAB/CyberTalents
$ file 'find the image.pcap'
find the image.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 65535)

✅ The goal now: extract an image from the PCAP. We know the file is a network capture that contains the leaked image; we need to extract it and then calculate its MD5.

sansforensics@as: ~/DF-LAB/CyberTalents
$ wireshark 'find the image.pcap'

We opened the find the image.pcap file using Wireshark.


  3. Preservation

    The original files were preserved without modification or alteration, and operations were performed on copies only to ensure the integrity of the evidence.


  4. Analysis

    ✅ Opening a PCAP file using Wireshark:

From Statistics → Protocol Hierarchy, we found the presence of data within TCP.

We followed the TCP stream and found a human conversation that laid out a file transfer plan: the file would be sent with the cryptcat tool using the password P@ssawordaya, and one side had already set up a listener on port 7070 in preparation for receiving it.

The goal now: extract the file sent over port 7070.

Apply the display filter:

tcp.port == 7070

Click any packet that appears, then from the context menu select:

Right Click → Follow → TCP Stream

A window will appear containing binary data, most likely the image.

Saving the raw data: in the TCP Stream window, make sure "Raw" is selected as the display format, then choose Save As and save the file as:

leak_img.raw
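The same extraction done without the Wireshark GUI, as an added example that is not part of the original write-up: a minimal pcap reader that collects every TCP payload sent to port 7070 and orders it by sequence number, which is what Follow → TCP Stream → Raw → Save As produces. It assumes an Ethernet/IPv4 capture in the little-endian microsecond pcap format that `file` reported above; the frames it runs on are constructed in the block, not taken from the challenge capture.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # microsecond timestamps, little-endian, as `file` reported


def tcp_stream_payload(pcap_bytes: bytes, port: int) -> bytes:
    """Reassemble the payload of every TCP segment sent *to* `port`, ordered by
    sequence number. Retransmitted duplicates collapse; a lost segment leaves a gap."""
    if len(pcap_bytes) < 24 or struct.unpack_from("<I", pcap_bytes, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian microsecond pcap")
    segments = {}                      # seq -> payload
    off = 24                           # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                   # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl:14 + ip_len]   # slice by IP total length to drop Ethernet padding
        if len(tcp) < 20:
            continue
        _sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset is the high nibble of byte 12
        if dport == port and payload:
            segments.setdefault(seq, payload)
    return b"".join(segments[s] for s in sorted(segments))


def frame_to(dport: int, seq: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip


def build_pcap(frames) -> bytes:
    """Wrap constructed frames in a pcap file (version 2.4, Ethernet, snaplen 65535)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


if __name__ == "__main__":
    # Constructed sample: segments out of order, one retransmitted, one port-80 frame as noise.
    cap = build_pcap([frame_to(7070, 5, b"JFIF"), frame_to(80, 1, b"GET / "),
                      frame_to(7070, 1, b"\xff\xd8\xff\xe0"), frame_to(7070, 1, b"\xff\xd8\xff\xe0")])
    print(tcp_stream_payload(cap, 7070))   # b'\xff\xd8\xff\xe0JFIF'
```

On the real capture, read the pcap file into `pcap_bytes` and write the returned bytes to leak_img.raw; the result should be byte-identical to what Wireshark saved.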

File type analysis: after saving the raw file, return to the terminal and use:

sansforensics@as: ~/DF-LAB/CyberTalents
$ file leak_img.raw 
leak_img.raw: data

sansforensics@as: ~/DF-LAB/CyberTalents
$ stat leak_img.raw 
  File: leak_img.raw
  Size: 117382        Blocks: 232        IO Block: 4096   regular file
Device: 802h/2050d    Inode: 3150104     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/sansforensics)   Gid: ( 1000/sansforensics)
Access: 2025-07-28 19:44:29.142461763 +0000
Modify: 2025-07-28 19:43:05.020581269 +0000
Change: 2025-07-28 19:43:05.020581269 +0000
 Birth: -

The file was saved successfully and is about 117 KB, but file reports it only as "data", i.e. its type is not automatically recognized.

Manually verify the file type using xxd and hexdump, and look for the signatures of popular file types:

File Type   Hex Signature              ASCII
JPEG        ff d8 ff                   ÿØÿ
PNG         89 50 4e 47 0d 0a 1a 0a    .PNG....
GIF         47 49 46 38 39 61          GIF89a
PDF         25 50 44 46                %PDF

sansforensics@as: ~/DF-LAB/CyberTalents
$ xxd leak_img.raw | head -n 10
00000000: ffb8 6fa6 6b2b c05c e469 23f2 8821 38aa  ..o.k+.\.i#..!8.
00000010: badf 2986 3e27 8373 af87 f97f 03b3 c004  ..).>'.s........
00000020: ac09 98d9 3223 30ab 1b49 f9e3 01bf 2df2  ....2#0..I....-.
00000030: 3a52 ca50 5fb0 f2fe 8d46 0d32 0c67 a693  :R.P_....F.2.g..
00000040: 822e 6f0b 10ed 615d 0c5f 91d9 a3ed 9d43  ..o...a]._.....C
00000050: 61c0 c539 b37c 6514 aa86 3ae9 5b1e d66b  a..9.|e...:.[..k
00000060: ee7f 82e8 dbb5 1af7 33a5 da74 6505 47a9  ........3..te.G.
00000070: 6e4b 964c 6452 d038 38e7 5cc8 84ef 2554  nK.LdR.88.\...%T
00000080: 5b91 23b1 41c7 823c e9c1 e2e5 d9d0 e115  [.#.A..<........
00000090: fc9b b447 158b 1d6a cfd1 7ea4 d07f daf8  ...G...j..~.....

sansforensics@as: ~/DF-LAB/CyberTalents
$ hexdump -C leak_img.raw | head -n 10
00000000  ff b8 6f a6 6b 2b c0 5c  e4 69 23 f2 88 21 38 aa  |..o.k+.\.i#..!8.|
00000010  ba df 29 86 3e 27 83 73  af 87 f9 7f 03 b3 c0 04  |..).>'.s........|
00000020  ac 09 98 d9 32 23 30 ab  1b 49 f9 e3 01 bf 2d f2  |....2#0..I....-.|
00000030  3a 52 ca 50 5f b0 f2 fe  8d 46 0d 32 0c 67 a6 93  |:R.P_....F.2.g..|
00000040  82 2e 6f 0b 10 ed 61 5d  0c 5f 91 d9 a3 ed 9d 43  |..o...a]._.....C|
00000050  61 c0 c5 39 b3 7c 65 14  aa 86 3a e9 5b 1e d6 6b  |a..9.|e...:.[..k|
00000060  ee 7f 82 e8 db b5 1a f7  33 a5 da 74 65 05 47 a9  |........3..te.G.|
00000070  6e 4b 96 4c 64 52 d0 38  38 e7 5c c8 84 ef 25 54  |nK.LdR.88.\...%T|
00000080  5b 91 23 b1 41 c7 82 3c  e9 c1 e2 e5 d9 d0 e1 15  |[.#.A..<........|
00000090  fc 9b b4 47 15 8b 1d 6a  cf d1 7e a4 d0 7f da f8  |...G...j..~.....|

The leading bytes (ff b8 6f a6 ...) match no standard signature of a known file type (JPG, PNG, GIF, PDF, etc.), and the rest of the dump shows no readable structure either. This is consistent with the conversation: the file was sent encrypted with cryptcat, so it must be decrypted before it can be identified.
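The signature check from the table above, plus a byte-entropy estimate to back up the "looks encrypted" judgement and the MD5 the challenge asks for, as an added example that is not part of the original write-up. The only real input it uses is the first 16 bytes from the hexdump above; the other samples are constructed.

```python
import hashlib
import math

# Magic numbers from the signature table above, all at offset 0.
SIGNATURES = {
    "JPEG": b"\xff\xd8\xff",
    "PNG": b"\x89PNG\r\n\x1a\n",
    "GIF": b"GIF89a",
    "PDF": b"%PDF",
}


def identify(data: bytes):
    """Return the type whose magic bytes open `data`, or None (what `file` calls 'data')."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Values near 8.0 are typical of encrypted or compressed
    content; text and most headers score much lower. Short inputs cap at log2(len)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def md5_hex(data: bytes) -> str:
    """The challenge key: hex MD5 of the (decrypted) image bytes."""
    return hashlib.md5(data).hexdigest()


def triage(data: bytes) -> dict:
    """One-shot look at an extracted stream: type by magic, entropy, and MD5."""
    return {"type": identify(data), "entropy": round(shannon_entropy(data), 2), "md5": md5_hex(data)}


# First 16 bytes of leak_img.raw as shown in the hexdump above; no known magic.
LEAK_HEAD = bytes.fromhex("ffb86fa66b2bc05ce46923f2882138aa")

if __name__ == "__main__":
    print(triage(LEAK_HEAD))
    print(triage(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"))   # constructed JPEG-like header
```

Running triage over the whole leak_img.raw and then over final_image shows the contrast: the raw stream has no type and near-8.0 entropy, the decrypted file identifies as JPEG.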

✅ Use the cryptcat tool to decrypt.

Steps: install cryptcat (if it isn't installed):

sudo apt install cryptcat

A first attempt at decrypting the raw file offline, assuming an openssl-style interface (-x to decrypt from stdin, -k for the password):

cryptcat -k "P@ssawordaya" -x < leak_img.raw > decrypted_output

🔻 This fails: cryptcat does not support a -x option. It is not the same kind of tool as openssl and offers no standalone decrypt mode.

✅ Realistic solution: the first thought was that cryptcat uses nothing more complex than XOR, which could be undone with manual tools if an XOR key were in use. But in our case it was clearly run with its normal password-based encryption.

🔐 Does cryptcat use XOR encryption? No. It relies on Blowfish encryption in older versions, or Twofish in other versions, and derives the key from the password using a hash function.

When using:

cryptcat -l -p 7070 -k "P@ssawordaya"

the program generates a key derived from the password (usually using MD5) to encrypt/decrypt the data with an algorithm such as Blowfish.

Therefore, decryption cannot be done with simple XOR tools such as xxor or the CyberChef XOR operation.

⚠️ Important:

📌 Since the conversation clearly shows that they used cryptcat, and the password is known, the best and fastest method is to replay the transfer with cryptcat itself.

✅ Run cryptcat as a local server/client and simulate what happened on the network ourselves:

🛠️ 1. Open two terminals:

The first terminal (the listener, playing the role of the original receiver):

sansforensics@as: ~/DF-LAB/CyberTalents
$ cryptcat -l -p 7070 -k "P@ssawordaya" > final_image

Second terminal (which is the sender):

sansforensics@as: ~/DF-LAB/CyberTalents
$ cat leak_img.raw | nc localhost 7070

✅ Once you send the file from the second terminal, the cryptcat listener decrypts it with the shared password and the plaintext lands in the first terminal's final_image file.

🧪 After that:

sansforensics@as: ~/DF-LAB/CyberTalents
$ file final_image 
final_image: JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2012:07:30 17:31:00], baseline, precision 8, 1600x1200, components 3

Rename it and open it:

sansforensics@as: ~/DF-LAB/CyberTalents
$ mv final_image img.jpg

sansforensics@as: ~/DF-LAB/CyberTalents
$ xdg-open img.jpg

To calculate the required value for the challenge :

sansforensics@as: ~/DF-LAB/CyberTalents
$ md5sum img.jpg 
3beef06be834f3151309037dde4714ec  img.jpg

  5. Reporting 🎯

    Objective: Extract a leaked image hidden within a pcap file sent via cryptcat.

    🔐 Encryption Tool: Cryptcat

    🔑 Password Used: P@ssawordaya

    📤 Output File: img.jpg

    🧮 Final MD5 Value:

3beef06be834f3151309037dde4714ec

💬 "Control the code, and you control the world."

Abdelwahab Shandy


See You Soon

AS Cyber “)).
