The downloaded attachment, once decompressed, is a packet capture. Open it in Wireshark and it is clearly a file upload: an HTTP POST carrying multipart/form-data. Looking at the packet contents:
Next, look at what was actually uploaded: the request carries a picture named steghide.jpg.
Now we can try to recover the uploaded picture from the capture. Follow the TCP stream of the upload (Follow → TCP Stream), keep only the client-to-server direction, switch "Show and save data as" from ASCII to Raw, and save the stream as steghide.bin.
Then use WinHex to carve the uploaded picture out of the saved raw file.
Open the saved steghide.bin in WinHex. The file contains the HTTP request headers, the multipart part headers, the picture bytes themselves, and a trailer after the picture. What we need to do is find exactly where the picture's own bytes begin and end and cut away everything else.
Back in Wireshark, the part of the stream just before the picture looks like this:
After the line Content-Type: image/jpeg there is an empty line, i.e. two consecutive CRLF sequences. In the raw file a CRLF is the two bytes 0D 0A, so we search in hex for 0D0A0D0A. The first match terminates the HTTP request headers; the second match terminates the multipart part headers (Content-Disposition with filename="steghide.jpg", then Content-Type: image/jpeg), and the byte immediately after it is the first byte of the picture. A quick sanity check: a JPEG starts with FF D8 FF, so those should be the next three bytes.
Now remove everything before the picture. Put the cursor at offset 00000000 and press Alt+1 to mark the start of the block.
Put the cursor on the last 0A of the second 0D 0A 0D 0A and press Alt+2 to mark the end of the block. The selection now covers exactly the surplus bytes before the picture.
Delete the selected block and confirm the removal of the header bytes.
Back in Wireshark, look at the end of the stream after the picture data. The picture is followed by one CRLF (0D 0A) and then the closing multipart boundary, a long run of dashes ("-------------") ending in --.
Delete those trailing bytes from the raw file in the same way. The last byte to keep is the JPEG end-of-image marker FF D9, which sits right before that 0D 0A.
Now the file contains only the original picture bytes; save it as steghide.jpg.
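The WinHex carving above can also be scripted. The following Python is an added example, not part of the original writeup: it applies the same "second 0D0A0D0A" rule, but additionally parses the multipart boundary out of the Content-Type header so the cut points do not depend on the exact number of header lines or on the file being the first form field, and it checks the JPEG SOI/EOI markers on the result. The RAW_STREAM sample, the boundary string, the host and the URL are constructed stand-ins, not the challenge's real capture.

```python
import re
import sys
from typing import Tuple

# Constructed sample input (not the challenge's capture): a client->server HTTP
# multipart upload exactly as Wireshark's Follow TCP Stream saves it in Raw mode.
# The "picture" is a tiny stand-in with a JPEG SOI/APP0 header and an EOI marker.
BOUNDARY = b"----WebKitFormBoundaryAbC123"
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
RAW_STREAM = (
    b"POST /upload.php HTTP/1.1\r\n"
    + b"Host: 192.168.1.10\r\n"
    + b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    + b"Content-Length: 0\r\n"
    + b"\r\n"
    + b"--" + BOUNDARY + b"\r\n"
    + b'Content-Disposition: form-data; name="file"; filename="steghide.jpg"\r\n'
    + b"Content-Type: image/jpeg\r\n"
    + b"\r\n"
    + FAKE_JPEG
    + b"\r\n--" + BOUNDARY + b"--\r\n"
)


def manual_image_start(raw: bytes) -> int:
    """Offset of the picture by the WinHex rule from the writeup: the byte
    right after the second CRLFCRLF (0D0A0D0A) in the raw stream."""
    first = raw.find(b"\r\n\r\n")
    second = raw.find(b"\r\n\r\n", first + 4) if first != -1 else -1
    if second == -1:
        raise ValueError("fewer than two CRLFCRLF sequences in stream")
    return second + 4


def carve_upload(raw: bytes) -> Tuple[bytes, int, int]:
    """Locate the uploaded file in a raw multipart/form-data request.

    Returns (filename, start, end) so that raw[start:end] is the file body.
    The boundary is taken from the Content-Type header and the parts are
    walked until one carries a filename, so extra header lines or a text
    field before the file do not shift the cut points.
    """
    header_end = raw.find(b"\r\n\r\n")
    if header_end == -1:
        raise ValueError("no end of HTTP request headers")
    m = re.search(rb'boundary=("?)([^";\r\n]+)\1', raw[:header_end], re.I)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    delim = b"--" + m.group(2)
    pos = raw.find(delim, header_end + 4)
    while pos != -1:
        if raw[pos + len(delim):pos + len(delim) + 2] == b"--":
            break  # closing delimiter: no more parts
        part_hdr_end = raw.find(b"\r\n\r\n", pos)
        if part_hdr_end == -1:
            break
        start = part_hdr_end + 4
        # a part body ends at CRLF followed by the next delimiter line
        end = raw.find(b"\r\n" + delim, start)
        if end == -1:
            raise ValueError("unterminated multipart part")
        fm = re.search(rb'filename="([^"]*)"', raw[pos:part_hdr_end])
        if fm:
            return fm.group(1), start, end
        pos = end + 2
    raise ValueError("no file part found in request")


def is_jpeg(data: bytes) -> bool:
    """Sanity check on the carved bytes: SOI marker at the start, EOI at the end."""
    return data.startswith(b"\xff\xd8\xff") and data.endswith(b"\xff\xd9")


if __name__ == "__main__":
    # Usage: python carve_upload.py steghide.bin [steghide.jpg]
    # With no arguments the constructed sample above is carved instead.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else RAW_STREAM
    out = sys.argv[2] if len(sys.argv) > 2 else "steghide.jpg"
    name, start, end = carve_upload(raw)
    data = raw[start:end]
    print(f"{name.decode()}: bytes 0x{start:x}..0x{end:x} ({len(data)} bytes), "
          f"manual rule gives 0x{manual_image_start(raw):x}, jpeg={is_jpeg(data)}")
    with open(out, "wb") as f:
        f.write(data)
```

Run it as python carve_upload.py steghide.bin to write steghide.jpg from the raw stream saved by Wireshark; the offsets it prints can be compared with the block start and end you chose in WinHex, and a False from the JPEG check means a cut point is off by a few bytes.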
What remains is ordinary steganography. The file name steghide.jpg itself hints that the data was hidden with steghide. It is not installed on Kali by default, so install it first:
apt-get install steghide
Check whether the picture has an embedded file:
steghide info steghide.jpg
steghide asks for the passphrase here; it is 123456. The output shows that a file named flag.txt is embedded.
Then extract the hidden file from the picture; the passphrase is requested again (steghide also accepts it on the command line with -p, and -xf chooses the output file name):
steghide extract -sf steghide.jpg
Reading the extracted flag.txt gives the flag:
flag{tell_me_y0u_like_it}