In this problem, we were given a large pcap (packet capture) file to analyze. The hint provided was “Sometimes the answer is immediately obvious, sometimes it’s obscured.” The pcap file logged a TCP stream between two computers.
Wireshark has a feature to follow a TCP stream (Analyze > Follow > TCP Stream) and show the reassembled data as ASCII. Most of the data in the stream was consecutive 0s, but a sizable block of text with a familiar appearance popped up in the sea of nothingness.
A base64-encoded string stood out as one of the larger pieces of data in the stream; the restricted alphabet of letters, digits, + and /, with trailing = padding, is the tell. Decoding it gave us our answer.
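As an added example (not part of the original writeup), here is a script that does the same job without Wireshark: it parses a classic pcap, reassembles each TCP direction by sequence number, and scans the reassembled payload for base64 runs. The capture it runs on is constructed inline, with the blob split across two segments, delivered out of order and with one retransmission, so the reassembly step actually matters; the flag text, addresses and ports are made up for the example.

```python
"""Reassemble TCP streams from a pcap and pull base64 blobs out of them."""
import base64
import re
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(segments):
    """Write a minimal little-endian pcap (Ethernet/IPv4/TCP, no options, zero
    checksums) from (src_ip, dst_ip, sport, dport, seq, payload) tuples.
    Used only to construct test data for this example."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, (src, dst, sport, dport, seq, payload) in enumerate(segments):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp  # dummy MACs, EtherType IPv4
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)


def parse_tcp_segments(pcap):
    """Yield (src, dst, sport, dport, seq, payload) for each IPv4/TCP frame."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, seq, tcp[data_off:]


def follow_streams(segments):
    """Group segments per direction, order by seq and concatenate, trimming
    retransmitted overlap. Gaps (lost segments) are simply concatenated over."""
    by_flow = defaultdict(list)
    for src, dst, sport, dport, seq, payload in segments:
        if payload:
            by_flow[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for flow, segs in by_flow.items():
        segs.sort()
        data, expected = bytearray(), segs[0][0]
        for seq, payload in segs:
            if seq < expected:  # retransmission: drop the part already seen
                payload, seq = payload[expected - seq:], expected
            data += payload
            expected = seq + len(payload)
        streams[flow] = bytes(data)
    return streams


def find_base64(stream, min_len=16):
    """Return (offset, decoded_bytes) for each well-formed base64 run of at
    least min_len characters. Runs of a single repeated byte are skipped,
    since padding such as '0000...' or 'AAAA...' decodes but means nothing."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    hits = []
    for m in pattern.finditer(stream):
        cand = m.group()
        if len(cand) % 4 or len(set(cand)) < 4:
            continue
        try:
            hits.append((m.start(), base64.b64decode(cand, validate=True)))
        except ValueError:
            continue
    return hits


FLAG = b"flag{constructed_example_not_a_real_flag}"  # constructed, not the CTF's flag
BLOB = base64.b64encode(FLAG)


def demo_pcap():
    """Constructed capture: 300 null bytes, the blob split over two segments,
    300 more nulls; delivered out of order with one retransmission."""
    chunks = [b"\x00" * 300, BLOB[:28], BLOB[28:], b"\x00" * 300]
    segs, seq = [], 1000
    for chunk in chunks:
        segs.append(("10.0.0.2", "10.0.0.1", 40000, 4444, seq, chunk))
        seq += len(chunk)
    return build_pcap([segs[0], segs[2], segs[1], segs[1], segs[3]])


def solve(pcap):
    """Map each flow to the decoded base64 hits found in its reassembled data."""
    return {flow: find_base64(data) for flow, data in follow_streams(parse_tcp_segments(pcap)).items()}


if __name__ == "__main__":
    for (src, sport, dst, dport), hits in solve(demo_pcap()).items():
        for off, decoded in hits:
            print(f"{src}:{sport} -> {dst}:{dport} @ {off}: {decoded!r}")
```

The regex approach is deliberately loose: any long run drawn from the base64 alphabet decodes, so on a real capture expect a few false positives (hex dumps, long identifiers) and eyeball the decoded bytes, just as the Wireshark view required here. Run it on a real file with `solve(open("capture.pcap", "rb").read())`; pcapng files need a different parser.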
Our solution to this problem is mostly due to good luck but we got it!