Evil Corp's Child 1

Challenge:

What is the MD5 hash of the Windows executable file?

NOTE: If you extract any files within this challenge, please delete the file after you have completed the challenge.

Solution:

I begin all CTF challenges involving a PCAP by utilizing Zeek, with a custom CTF focused script, for initial analysis.

$ /opt/zeek/bin/zeek -Cr ECorp.pcap ~/Tools/ctf_pcaps.zeek 

The challenge description states that I should be looking for a file so I check to see if any were extracted by Zeek:

$ ls extract_files/

HTTP-1595629994.exe

Only one file was extracted from the PCAP so I go ahead and calculate its MD5 hash:

$ md5sum extract_files/HTTP-1595629994.exe 

a95d24937acb3420ee94493db298b295  extract_files/HTTP-1595629994.exe

The complete flag is flag{a95d24937acb3420ee94493db298b295}.