EBCTF 2013 - Net100 Writeup
This task was really easy, 100 points gifted I would say. Basically it was a pcap file containing multiple requests, from HTTP to SSH and DNS. Filtering for all HTTP requests, a file “rootkit.zip” showed up. We tried to extract it but a password was required. So, analyzing the requests further and applying a filter like “(ip.addr eq 10.142.0.1 and ip.addr eq 10.142.0.3) and (udp.port eq 31337 and udp.port eq 4242)”, one interesting stream came up:
If you look after the “6unzip” string, it is followed by a letter: “a”, then on the next line another one, “l”, and so on. Later you’ll find out that this is the password to extract the zip. The password is “alongpassword1234”; just open the archive with it to cat the flag.
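
The same conversation filter applied in a script instead of Wireshark, as an added example that is not part of the original writeup: a minimal classic-pcap reader that keeps only the UDP payloads exchanged between the two hosts and ports named in the filter. The capture bytes, the helper names and the one-character payloads are constructed for illustration; the layout of the real stream's payloads is not reproduced here.

```python
import socket
import struct

HOSTS = {"10.142.0.1", "10.142.0.3"}  # both ip.addr terms of the filter
PORTS = {31337, 4242}                 # both udp.port terms of the filter

def udp_payloads(pcap: bytes) -> list:
    """Return, in capture order, the UDP payloads matching the filter."""
    # Classic pcap only; any other magic (pcapng, nanosecond) raises KeyError.
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[pcap[:4]]
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    found, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep IPv4 (ethertype 0x0800) carrying UDP (protocol 17) only.
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) < 22 + ihl:
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport, ulen = struct.unpack("!HHH", frame[14 + ihl:20 + ihl])
        if {src, dst} == HOSTS and {sport, dport} == PORTS:
            found.append(frame[22 + ihl:14 + ihl + ulen])
    return found

def _frame(src, dst, sport, dport, data):
    """Build one Ethernet/IPv4/UDP frame (constructed test data)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def sample_pcap(frames):
    """Wrap frames in a little-endian classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed capture: four matching datagrams plus two that must be dropped.
SAMPLE = sample_pcap(
    [_frame("10.142.0.1", "10.142.0.3", 31337, 4242, c) for c in (b"d", b"e")]
    + [_frame("10.142.0.3", "10.142.0.1", 5353, 53, b"dns-noise"),
       _frame("10.142.0.2", "10.142.0.3", 31337, 4242, b"X")]
    + [_frame("10.142.0.1", "10.142.0.3", 31337, 4242, c) for c in (b"m", b"o")])

if __name__ == "__main__":
    print(b"".join(udp_payloads(SAMPLE)).decode())
```

On a real capture, pass the file's bytes (`open(path, "rb").read()`) to `udp_payloads` and inspect each returned payload in order.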