Martin Rozariyo

Ghost - Writeup

2026/0xfun/Forensics/Ghost/Writeup.md


“The truth is in the static.”
A layered forensic challenge combining PCAP analysis, SSTV, and steganography — with heavy misdirection.

1) Starting Artifact — Intercepted Email

The challenge provides an email file (help.eml) containing suspicious headers and RF-style metadata.

Key narrative clues:

  • “only a network capture remaining”

  • “The truth is in the static”

  • Numerous radio-communication parameters

  • ProtonMail / Tor context (lore)

This strongly suggests signal-based hidden data inside the capture, not in the email body itself.


2) Follow the Lead — PCAP File

A link in the headers leads to a download of:

capture.pcap

Open it in Wireshark and extract the transferred files:

File → Export Objects → HTTP

Recovered artifacts include:

status
avatar.jpeg
profile.jpg
voila.png
1.wav
2.mp3
lost.wav
hint.wav
idk.png
...
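
Added example (not part of the original writeup): exported object names come from the HTTP request, so a file with no extension, like status, or with a misleading one has to be identified by its content. The sketch below classifies objects by magic bytes and reads the WAV header to surface audio candidates for SSTV decoding. It assumes the SSTV audio is a RIFF/WAVE file, which the writeup does not state; the function names, the sample bytes and decoy.png are constructed for illustration.

```python
import struct

# Leading magic bytes; MP3 is matched only when it carries an ID3v2 tag.
MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"), (b"ID3", "mp3")]
EXT = {"jpeg": "jpeg", "jpg": "jpeg", "png": "png", "mp3": "mp3", "wav": "wav"}

def wav_info(data):
    """Walk the RIFF chunks; return (sample_rate, channels, seconds) or None."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return None
    pos, rate, chans, byte_rate, data_len = 12, 0, 0, 0, 0
    while pos + 8 <= len(data):
        cid, size = struct.unpack_from("<4sI", data, pos)
        if cid == b"fmt " and size >= 16 and pos + 20 <= len(data):
            _, chans, rate, byte_rate = struct.unpack_from("<HHII", data, pos + 8)
        elif cid == b"data":
            data_len = size  # declared length, even if the capture was truncated
        pos += 8 + size + (size & 1)  # chunks are padded to an even length
    return (rate, chans, data_len / byte_rate) if byte_rate else None

def sniff(data):
    """Classify by content only; the file name is never consulted."""
    if wav_info(data):
        return "wav"
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(objects):
    """Map name -> (detected type, True if the extension agrees with it)."""
    out = {}
    for name, data in objects.items():
        kind = sniff(data)
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        out[name] = (kind, EXT.get(ext) == kind)
    return out

def make_wav(seconds, rate=11025):
    """Build a silent 16-bit mono PCM WAV (constructed test input)."""
    pcm = b"\x00\x00" * int(rate * seconds)
    fmt = struct.pack("<HHIIHH", 1, 1, rate, rate * 2, 2, 16)
    body = b"WAVE" + b"fmt " + struct.pack("<I", 16) + fmt
    body += b"data" + struct.pack("<I", len(pcm)) + pcm
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed bytes, NOT the challenge's real files; decoy.png is hypothetical.
SAMPLE = {"status": make_wav(2), "avatar.jpeg": b"\xff\xd8\xff\xe0" + bytes(16),
          "decoy.png": b"\xff\xd8\xff\xe0" + bytes(16)}
```

To use it on real exports, read each file in the export directory into a dict of name to bytes and pass that to triage(); entries whose second value is False are the ones worth a closer look.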


3) “Truth is in the static” → SSTV Decode

The file named status contains an SSTV transmission.

Decode using tools such as:

  • QSSTV (Linux)

  • RX-SSTV

  • MMSSTV (via Wine)

  • Online SSTV decoder

The decoded image reveals leetspeak text:

1n73rc3p7_c0nf1rm3d

This is the passphrase for the next stage.


4) Image Steganography — avatar.jpeg

Suspicious images are tested with steganography tools.

Use steghide with the SSTV passphrase:

steghide extract -sf avatar.jpeg

Passphrase:

1n73rc3p7_c0nf1rm3d

Extraction produces:

key.txt

Contents:

l4y3r_pr0t3c710n_k3y


5) Identify the Flag

Convert leetspeak:

l4y3r_pr0t3c710n_k3y → layer_protection_key

Given the challenge flag format:

0xfun{...}

The recovered key is already:

✔ Meaningful
✔ Thematically correct
✔ Directly obtained from hidden data
✔ Flag-shaped


🏁 Final Flag

0xfun{l4y3r_pr0t3c710n_k3y}