
A robber broke into our vault in the middle of the night. There's an indication that the robber tried to steal some items which are considered confidential assets.

Hint #1: "When the incident happened, the attacker got into our `IP over ICMP` tunnel network to access an `HTTP/2` web-server with `SSL` enabled."

Hint #2: "Even so, our captured logs aren't precise enough. Each packet has an unusual timestamp and it's kinda messy."

We are provided with a `` archive from the challenge description, which we can decompress using `xz` and `tar`.

Opening the packet capture file `log.pcap` in Wireshark, we see a conversation between `192.168.1.30` and `192.168.1.205` over ICMP (ping), along with some fragmented IPv4 packets. Given hint #1, these echo requests and replies are the `IP over ICMP` tunnel itself, so the interesting data sits in the ICMP payloads rather than in the ICMP headers, and the fragmented IPv4 packets have to be reassembled before their payload makes sense.

Running `strings` against the `.pcap` file, we pipe the output to `sort` and `uniq` to only display unique entries, then `grep` to display only lines with length greater than or equal to 6:

`$ strings log.pcap | sort | uniq | grep`

Among the output is a `p7zip` version banner:

P7zip Version 16.02 (locale=C.UTF-8,Utf16=on,HugeFiles=on,32 bits,1 CPU LE)

We also see mentions of the files `flag.zip`, `pass.txt`, `download.py`, and `sslkeylogfile`, as well as commands such as `id`, `python3` and `xargs` being run. The `sslkeylogfile` name is the one to note: a TLS key log in `SSLKEYLOGFILE` format is exactly what Wireshark needs to decrypt the `SSL`-enabled `HTTP/2` traffic mentioned in hint #1.
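As an added example (not part of the original writeup), the Python script below does the same triage as the `strings | sort | uniq | grep` pipeline but protocol-aware: it parses a classic pcap, verifies IPv4 header checksums, reassembles fragmented IPv4 datagrams, pulls the payload out of ICMP echo requests and replies (where an IP-over-ICMP tunnel carries its data), and lists the printable strings found there. The capture it runs on is constructed inline with the two hosts from the writeup and sample payloads modelled on the file and command names seen above; the builder functions, packet contents, ICMP identifiers and timestamps are assumptions for the demonstration, not data from `log.pcap`.

```python
import re
import socket
import struct
from collections import defaultdict

ETH_IPV4, PROTO_ICMP = 0x0800, 1
IP_MF, IP_OFFSET_MASK = 0x2000, 0x1FFF   # "more fragments" flag; offset in 8-byte units

def checksum(data):
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

# --- builders, used only to construct the sample capture (constructed data, not log.pcap) ---
def ipv4(src, dst, proto, payload, ident, flags_frag=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def icmp_echo(payload, icmp_type=8, ident=0x1234, seq=1):
    msg = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def pcap(ip_packets):
    """Little-endian classic pcap (link type 1) with a dummy Ethernet header per packet."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(ip_packets):
        fr = bytes(6) + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETH_IPV4) + pkt
        data += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return data

# --- parsing side: this is what you would point at the real log.pcap ---
def read_pcap(data):  # yields (timestamp, frame bytes) per record of a classic pcap
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data)[0]]
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet link type handled here")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, pos)
        yield ts_sec + ts_usec / 1e6, data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def ipv4_datagrams(frames):
    """Yield (src, dst, proto, payload); fragments are held until the datagram is whole."""
    pending, total_len = defaultdict(dict), {}      # keyed by (src, dst, ident, proto)
    for _, fr in frames:
        if len(fr) < 34 or struct.unpack_from("!H", fr, 12)[0] != ETH_IPV4:
            continue
        ip, ihl = fr[14:], (fr[14] & 0x0F) * 4
        if checksum(ip[:ihl]):                       # bad header checksum: skip it
            continue
        tot, ident, ff = struct.unpack_from("!HHH", ip, 2)
        proto, payload = ip[9], ip[ihl:tot]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        if not ff & (IP_MF | IP_OFFSET_MASK):
            yield src, dst, proto, payload           # not fragmented
            continue
        key, offset = (src, dst, ident, proto), (ff & IP_OFFSET_MASK) * 8
        pending[key][offset] = payload
        if not ff & IP_MF:                           # the last fragment fixes the total size
            total_len[key] = offset + len(payload)
        buf = b""
        for off in sorted(pending[key]):
            if off != len(buf):
                break                                # hole: keep waiting for more
            buf += pending[key][off]
        if len(buf) == total_len.get(key, -1):
            del pending[key], total_len[key]
            yield src, dst, proto, buf

def icmp_payloads(data):  # (src, dst, icmp_type, payload) per echo request/reply
    out = []
    for src, dst, proto, dg in ipv4_datagrams(read_pcap(data)):
        if proto == PROTO_ICMP and len(dg) >= 8 and dg[0] in (0, 8):
            out.append((src, dst, dg[0], dg[8:]))   # tunnel data follows the 8-byte header
    return out

def printable_strings(blob, minlen=6):  # like `strings -n 6`
    return re.findall(rb"[\x20-\x7e]{%d,}" % minlen, blob)

def tunnel_strings(data, minlen=6):  # the writeup's `strings | sort | uniq`, tunnel payloads only
    found = set()
    for _, _, _, payload in icmp_payloads(data):
        found.update(printable_strings(payload, minlen))
    return sorted(found)

# --- constructed sample with the two hosts from the writeup (payloads are made up) ---
A, B = "192.168.1.30", "192.168.1.205"
BIG = icmp_echo(b"python3 download.py flag.zip pass.txt sslkeylogfile\n")  # 60 bytes
SAMPLE = pcap([
    ipv4(A, B, PROTO_ICMP, icmp_echo(b"id\n"), ident=1),
    ipv4(B, A, PROTO_ICMP, icmp_echo(b"uid=0(root) gid=0(root)\n", 0), ident=2),
    ipv4(A, B, PROTO_ICMP, BIG[:40], ident=3, flags_frag=IP_MF),  # first fragment, MF set
    ipv4(A, B, PROTO_ICMP, BIG[40:], ident=3, flags_frag=5),      # last fragment, offset 5*8
])
```

To run it against the real capture, replace `SAMPLE` with `open("log.pcap", "rb").read()` and call `tunnel_strings` on it. The reader only understands classic pcap (either byte order); a pcapng export from Wireshark has to be saved as pcap first. Note that a single fragment with the "more fragments" bit set and no partner never yields a datagram, which is the behaviour you want: a string split across two fragments is exactly what a plain `strings` over the file would miss or cut in half.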
