Challenge Description

English (translated from the Danish original with ChatGPT)

We have intercepted some network traffic suggesting that the Giants have had access to Asgard’s file servers and have exfiltrated files. We fear that some of these files contain sensitive information that the Giants will use to blackmail Thor.

This situation is critical, and we need your help to determine what has been stolen before the Giants can carry out their plan.

File

We are also given the following file:

Solution

After extracting the archive, we can see that it contains a pcap file:

$ 7z x capture.7z
[expunged for readability]

$ ls
capture.7z  capture.pcap

Opening the pcap in Wireshark, we can see a lot of HTTPS traffic (TCP, TLS and QUIC, more specifically), but scrolling through we can also spot some FTP traffic. FTP is unencrypted, so the transferred files can be recovered directly from the capture. I exported them using the File > Export Objects > FTP-DATA menu option and saved them all to a directory.

$ ls
AsgardMap.jpg  flag.txt  ThorMemes.zip  ThorTheKisser.jpeg  Very_Secret.docx
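
The FTP-DATA export works because the FTP control channel names each file and announces the data port in cleartext. The added example below (not part of the original write-up) parses a constructed control-channel transcript and pairs every RETR/STOR with the passive-mode endpoint that carried it; the `SAMPLE_CONTROL` contents, the `C:`/`S:` prefixes and the function name are assumptions made for illustration.

```python
import re

# Constructed FTP control-channel transcript (not taken from the challenge pcap).
# "C:" lines are client commands, "S:" lines are server replies.
SAMPLE_CONTROL = """\
S: 220 FTP server ready
C: USER loki
S: 331 Password required
C: PASS hunter2
S: 230 Login successful
C: PASV
S: 227 Entering Passive Mode (10,0,0,5,195,80)
C: RETR flag.txt
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (10,0,0,5,195,81)
C: STOR notes.txt
S: 226 Transfer complete
C: QUIT
"""

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_control(transcript):
    """Return cleartext credentials and transfers with their data endpoints."""
    creds = {}
    transfers = []
    endpoint = None  # data endpoint announced by the latest 227 reply
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "S":
            m = PASV_RE.match(text)
            if m:
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                # RFC 959 encoding: port = p1 * 256 + p2
                endpoint = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb in ("USER", "PASS"):
            creds[verb.lower()] = arg
        elif verb in ("RETR", "STOR") and endpoint:
            direction = "download" if verb == "RETR" else "upload"
            transfers.append({"file": arg, "direction": direction,
                              "ip": endpoint[0], "port": endpoint[1]})
            endpoint = None  # each passive endpoint serves one transfer
    return creds, transfers
```

In Wireshark, a recovered port can be used in a display filter such as `tcp.port == 50000` to isolate the matching data stream.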

Looking through them, I found the flag in ThorTheKisser.jpeg:

The flag is: FDCA{FTP_15_N07_S3cur3}