picoCTF 2022 | Eavesdrop Write-up

Challenge description

Download this packet capture and find the flag.

Category: Forensics

Solution

Another challenge requiring us to analyze captured network packets. Let’s fire up Wireshark.

Combing through the captured traffic, I found the first important clue.

We have the decoding method, but what are we decoding?

Let’s keep looking.

This looks like a file being transferred.

At first, I tried to copy the text, which is the transferred file’s content, but this caused problems while decoding. I spent an hour looking for a solution before bumping into a question on Stack Overflow, clearly asked by a fellow picoCTF 2022 participant, with the exact same issue. Here, I found the key to the mystery: rather than copying the text out, I should be exporting the packet bytes.

You can do this by clicking on the “Data: 536…” line in the packet details pane and then pressing Ctrl + Shift + X, or selecting File > Export Packet Bytes, to write the raw data to a file, which should be named file.des3.

After this, run the decoding command as provided in the above conversation and it should run flawlessly. The output should be our flag.
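The reason copying the text fails while exporting the packet bytes works is that the transferred file is binary: any byte that is not printable ASCII is rendered as a dot in Wireshark’s text view, so the “copied” ciphertext is no longer the ciphertext. The script below is an added example, not part of the original write-up or of picoCTF’s material. It builds a small constructed pcap (one text packet and one packet carrying a made-up OpenSSL-style `Salted__` blob), pulls each TCP payload out byte-for-byte using only the standard library, and contrasts that with what a text copy would have produced. The sample bytes, addresses and ports are all invented for the demonstration; the output file name follows the write-up’s file.des3.

```python
import struct

# Constructed sample: an OpenSSL "enc -salt" output starts with the 8-byte magic
# "Salted__", then 8 bytes of salt, then ciphertext. Salt and ciphertext here
# are made up; this is NOT the challenge's real file.des3.
SAMPLE_DES3 = (b"Salted__"
               + bytes(range(0xF8, 0x100))                      # fake salt
               + bytes([0x00, 0x1F, 0x7F, 0x80, 0xC3, 0x28, 0xA9, 0x41]))  # fake ciphertext


def build_pcap(payloads, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02",
               sport=40000, dport=9000):
    """Build a minimal little-endian libpcap file (Ethernet/IPv4/TCP) with one
    frame per payload. Checksums are left as zero; parsers ignore them here."""
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    out = gh
    for i, payload in enumerate(payloads):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1 + i, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i + 1, 0, 64, 6, 0, src, dst) + tcp
        eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
    return out


def extract_tcp_payloads(pcap):
    """Return [(sport, dport, payload_bytes)] for every TCP segment in a pcap.
    This is the byte-exact equivalent of Wireshark's "Export Packet Bytes"."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    (linktype,) = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type handled in this example")
    off, result = 24, []
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        (total_len,) = struct.unpack_from("!H", ip, 2)
        if ip[9] != 6:                                       # TCP only
            continue
        tcp = ip[ihl:total_len]                              # drops Ethernet padding/trailer
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        result.append((sport, dport, tcp[data_off:]))
    return result


def simulate_text_copy(payload):
    """What a copy of the ASCII text view yields: every non-printable byte
    becomes '.', so binary ciphertext is silently destroyed."""
    return bytes(b if 32 <= b < 127 else ord(".") for b in payload)


def looks_like_openssl_salted(data):
    """Sanity check on an exported blob: OpenSSL magic present and length is a
    whole number of 8-byte DES blocks (DES3 uses a 64-bit block)."""
    return data[:8] == b"Salted__" and len(data) >= 16 and len(data) % 8 == 0


def export_payload(payload, path="file.des3"):
    """Write the raw bytes to disk, exactly as Wireshark's export would."""
    with open(path, "wb") as fh:
        return fh.write(payload)


if __name__ == "__main__":
    pcap = build_pcap([b"sending the file now\n", SAMPLE_DES3])
    for sport, dport, payload in extract_tcp_payloads(pcap):
        copied = simulate_text_copy(payload)
        print(f"{sport}->{dport}: {len(payload)} bytes, "
              f"text copy intact: {copied == payload}, "
              f"salted header: {looks_like_openssl_salted(payload)}")
    # The second segment is the binary blob; export it byte-for-byte.
    export_payload(extract_tcp_payloads(pcap)[1][2])
```

Run it against a real capture by replacing `build_pcap(...)` with `open("capture.pcap", "rb").read()`; the payload that passes `looks_like_openssl_salted` is the one to hand to the decryption command from the conversation in the capture.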
