This is mainly a SFTP exchange so it may be interesting to look at downloaded filess with this filter: Filter ftp.request.command == STOR.
Filter show us 7 downloaded files at frame 53, 130, 693, 760, 813, 2325 and 2480. 5 jpg files (image) and 2 mp4 files (video).
So let's extract images first. For that we need the jpg header file signature. It can be found here on Wikipedia.
1 2 3
JPEG RAW `FF D8 FF DB` JFIF begin with `FF D8 FF E0` EXIF `FF D8 FF E1`
The one interesting for us is JFIF.
Press CTRL + F, select Hex value as Display filter.
Note that it's not necessary as the begining of the stream is not far after the STOR request command.
We won't need to extract mp4 file, flag is in one of the images.
Now there is two way to do it: the smart way and the dumb way.
Dumb way: see the flag in the ASCII representation of the frame 696 (girls.jpg). Ok it works, but if the flag have be not so badly hidden you won't have seen it, for example if it was display on the image.
Smart way: Let's extract images.
Now that we know where are the files stream, we can extract files as mention:
Right click on the first frame of the stream.
Click on Follow TCP Stream.
Select Raw representation.
Save it on your disk.
Do the same with next images.
We can note that all images are seeable execpt girls.jpg. So what? A broken file again? Not really, if you want to see the file header in order to fix it, you discover that the flag was just injected in the file header.