// BTLO  ·  Network Forensics

Shiba Insider

BTLO Easy Wireshark

Overview

A steganography-focused challenge combining PCAP analysis, credential extraction, and hidden data recovery. The investigation follows a chain: decode credentials from HTTP traffic → crack a ZIP → extract metadata from an image → retrieve a hidden payload using steghide → identify the attacker via their BTLO profile.


PCAP Analysis

Opening the PCAP in Wireshark reveals a small capture containing a single HTTP GET request. Following the HTTP stream shows the server response:

use your own password

Inspecting the request headers more closely reveals a Base64-encoded Authorization header — standard HTTP Basic Auth format. Decoding it:

echo "base64string" | base64 -d

Returns the credentials: fakeblue:redforever
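
The decoding step above as an added example (not part of the original write-up): a Python script that finds Basic Authorization headers in a followed HTTP stream and decodes them, including tokens with stripped padding and passwords that contain a colon. The sample stream is constructed, its host is a placeholder, and its token is built from the credentials reported above.

```python
import base64
import binascii
import re

# Basic-scheme Authorization request header (RFC 7617), tolerant of CRLF endings.
AUTH_RE = re.compile(r"^Authorization:[ \t]*Basic[ \t]+(\S+)[ \t]*\r?$", re.I | re.M)


def decode_basic_auth(token):
    """Return (user, password) for a Basic token, or None if malformed."""
    token += "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    if ":" not in text:
        return None
    # Split on the first colon only: the password may itself contain ':'.
    user, password = text.split(":", 1)
    return user, password


def find_basic_credentials(stream_text):
    """Decode every Basic Authorization header in a followed HTTP stream."""
    found = []
    for match in AUTH_RE.finditer(stream_text):
        creds = decode_basic_auth(match.group(1))
        if creds is not None:
            found.append(creds)
    return found


# Constructed sample shaped like the request in the capture. The host is a
# placeholder; the token is built from the credentials the write-up reports.
SAMPLE_TOKEN = base64.b64encode(b"fakeblue:redforever").decode("ascii")
SAMPLE_STREAM = (
    "GET / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    f"Authorization: Basic {SAMPLE_TOKEN}\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "\r\n"
    "use your own password\n"
)

if __name__ == "__main__":
    for user, password in find_basic_credentials(SAMPLE_STREAM):
        print(f"user={user} password={password}")
```

Basic Auth is an encoding, not encryption, so any capture of cleartext HTTP carrying this header exposes the password to whoever holds the PCAP.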


ZIP Extraction

Using redforever as the ZIP password extracts the archive contents — an image file and a README. The README confirms no further passwords are needed for the remainder of the challenge.


Metadata Analysis — Exiftool

Running Exiftool against the extracted image reveals embedded metadata:

exiftool image.jpg

Among the standard fields, one stands out:

Technique: Steganography

This is a direct hint — data has been hidden inside the image file itself.


Steganography Extraction — Steghide

With steganography confirmed via the metadata, steghide is the appropriate extraction tool:

steghide extract -sf image.jpg

The hidden payload is extracted, revealing an ID string: 0726ba878ea47de571777a


Attacker Identification

The challenge name “Insider” is the key — this ID corresponds to a BTLO user profile. Searching the ID on the BTLO platform identifies the attacker’s profile as bluetiger.


What is the response message obtained from the PCAP file?
Answer: use your own password

What is the password of the ZIP file?
Answer: redforever

Will more passwords be required?
Answer: no

What is the name of a widely-used tool that can be used to obtain file information?
Answer: Exiftool

What is the name and value of the interesting information obtained from the image file metadata?
Answer: Technique:Steganography

Based on the answer from the previous question, what tool needs to be used to retrieve the information hidden in the file?
Answer: steghide

Enter the ID retrieved.
Answer: 0726ba878ea47de571777a

What is the profile name of the attacker?
Answer: bluetiger