If you look at the presumed PcapNg file you can see it is certainly broken: you can't open it with Wireshark and the `file` command reports it as raw data.
```
┌─[root@parrot]─[~/CTF/CSAW/2016/Qualification/50-kill-forensics]
└──╼ #file kill.pcapng
kill.pcapng: data
```
It's certainly more than just a wrong header signature, so we'll use the pcapfix tool to repair it.
As there is no header left, we have to pass the `--pcapng` option, because the tool's default behaviour is to repair the file as a plain pcap.
This is mainly an SFTP exchange, so it may be interesting to look at the downloaded files with this filter: `ftp.request.command == STOR`.
The filter shows us 7 downloaded files, at frames 53, 130, 693, 760, 813, 2325 and 2480: 5 jpg files (images) and 2 mp4 files (videos).
So let's extract the images first. For that we need the jpg file signature; it can be found on Wikipedia.
```
JPEG RAW    FF D8 FF DB
JFIF        FF D8 FF E0
EXIF        FF D8 FF E1
```
The one that interests us is JFIF.
Press CTRL + F and select Hex value (instead of Display filter) as the search type.
Note that this isn't strictly necessary, as the beginning of the stream is not far after the STOR request command.
We won't need to extract the mp4 files; the flag is in one of the images.
Now there are two ways to do it: the smart way and the dumb way.
Dumb way: read the flag in the ASCII representation of frame 696 (girls.jpg). OK, it works, but if the flag had been hidden less sloppily you wouldn't have seen it, for example if it were displayed on the image itself.
Smart way: let's extract the images.
Now that we know where the file streams are, we can extract the files as follows:
1. Right click on the first frame of the stream.
2. Click on Follow TCP Stream.
3. Select the Raw representation.
4. Save it to your disk.
5. Do the same for the next images.
We can note that all images are viewable except girls.jpg. So what? A broken file again? Not really: if you look at the file header in order to fix it, you discover that the flag was simply injected into the file header.
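As an added example (not part of the original writeup), the two steps above in code: carving every JFIF image out of a raw stream dump using the `FF D8 FF E0` signature, then walking the JPEG marker segments of each header so that bytes sitting where a marker should be, like the injected flag in girls.jpg, are reported instead of being noticed by luck in the ASCII view. The stream, the file names and the `flag{constructed_example}` value are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# SOI followed by the APP0 marker: the JFIF signature from the table above.
JFIF_SIG = b"\xff\xd8\xff\xe0"
EOI = b"\xff\xd9"

def carve_jfif(stream: bytes) -> List[bytes]:
    """Cut every JFIF image out of a raw TCP stream dump (the saved 'Raw' file)."""
    images = []
    for m in re.finditer(re.escape(JFIF_SIG), stream):
        end = stream.find(EOI, m.start())
        images.append(stream[m.start():end + 2] if end != -1 else stream[m.start():])
    return images

def walk_segments(jpeg: bytes) -> Tuple[list, list]:
    """Walk the marker segments of the header until SOS (FF DA).
    Each segment is (marker, offset, length); anything found where a marker
    was expected is reported as an anomaly (offset, first 32 bytes)."""
    segs, anomalies = [], []
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:             # injected data, not a marker
            anomalies.append((pos, jpeg[pos:pos + 32]))
            break
        marker = jpeg[pos + 1]
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        segs.append((f"{marker:02X}", pos, length))
        if marker == 0xDA:                # SOS: entropy-coded data follows
            break
        pos += 2 + length
    return segs, anomalies

def header_strings(jpeg: bytes, min_len: int = 6) -> List[str]:
    """Printable runs before SOS: what the ASCII view of the frame would show."""
    sos = jpeg.find(b"\xff\xda")
    header = jpeg if sos == -1 else jpeg[:sos]
    return [s.decode() for s in re.findall(rb"[ -~]{%d,}" % min_len, header)]

# Constructed sample stream: some noise, one clean minimal JFIF, then one with
# a placeholder flag injected right after the APP0 segment (as in girls.jpg).
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
DQT = b"\xff\xdb\x00\x43\x00" + bytes(64)
SOS = b"\xff\xda\x00\x08" + bytes(6)
CLEAN = b"\xff\xd8" + APP0 + DQT + SOS + EOI
INJECTED = b"\xff\xd8" + APP0 + b"flag{constructed_example}" + DQT + SOS + EOI
STREAM = b"noise before the first image\x00" + CLEAN + b"\x00\x00" + INJECTED

if __name__ == "__main__":
    for i, img in enumerate(carve_jfif(STREAM)):
        segs, bad = walk_segments(img)
        print(i, [s[0] for s in segs], bad, header_strings(img))
```

Run it against the raw stream you saved from Wireshark instead of STREAM to get the same report for the real captures.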