PicoCTF Chronicles: Packet Analysis

Hey there folks, I’ve decided to do a full write-up on a packet capture analysis exercise from PicoCTF. This won’t be just an explanation of how to get to the flag, but a sort of play-by-play of my thought process. The exercise in question is called “wireshark twoo twooo two twoo…”

Not a lot to go on here, other than “can you find the flag?” and a download link for a pcapng file. I’m going to resist using the hints, for now, just out of personal hubris.

After using wget to download the file into my CTF folder, I used the file command just to verify that the extension was telling the truth. It was.

I tried to use a shortcut and use strings to grep out the flag because I know it always starts with picoCTF. Cheating did not work in my favor here, as there are false flags all over the file. Darn.

So, this is what Wireshark looks like when we first open the pcapng file. The beginning of the file looks normal: we see the three-way TCP handshake and all the usual information that comes with it. What’s different from any previous packet capture CTFs I’ve done, though, is that the traffic isn’t only TCP/UDP. There is TLS traffic here too, which means encryption; I don’t want to explore that until it’s a last resort.

Yep, confirmed, all those false flags were sent using HTTP and in plaintext. We’re going to have to get somewhat creative to find the real flag.

Look at all these DNS requests, to a bunch of subdomains (that don’t exist) of the domain reddshrimpandherring.com. That website doesn’t exist and curling the URL does nothing, so we’ll have to look at the actual packets for clues.

Most of these DNS requests go to and from 8.8.8.8, but a few of them are instead to and from 18.217.1.57. I’m going to filter just those and see if anything makes sense.

At the top, you can see the filters we used. We set it to just the DNS protocol, with the destination IP being the one mentioned above. A lot of the subdomains are repeating, and because these CTFs like to encode information as base64, I’ll just take a shot at slamming all those strings together and converting them from base64 to ASCII.
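The stitch-and-decode step above, written out as an added Python example (this is my illustration, not code from the write-up or from PicoCTF). It assumes the queries have already been pulled out as (destination IP, query name) pairs, that each subdomain label is a base64 chunk and that repeated labels are the same chunk resent, so they are de-duplicated in order of first appearance; the sample flag is a constructed placeholder, not the challenge’s real data.

```python
import base64

# Constructed sample values; the real challenge data is in the pcapng, not here.
SAMPLE_FLAG = "picoCTF{example_flag_not_real}"   # placeholder, not the real flag
DOMAIN = "reddshrimpandherring.com"
EXFIL_IP = "18.217.1.57"                          # the odd-one-out DNS server from the capture


def build_sample_queries(flag, chunk=8):
    """Build (dst_ip, qname) pairs resembling the capture: the base64 flag is
    split into subdomain-sized chunks, each chunk is queried several times,
    and unrelated lookups to 8.8.8.8 are mixed in. Padding '=' is dropped
    because it is not a valid DNS label character (assumption)."""
    b64 = base64.b64encode(flag.encode()).decode().rstrip("=")
    chunks = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    queries = []
    for c in chunks:
        queries.append(("8.8.8.8", "www.example.com"))        # noise lookup
        queries.extend((EXFIL_IP, f"{c}.{DOMAIN}") for _ in range(3))  # repeats
    return queries


def subdomain_labels(queries, dst_ip, domain):
    """Equivalent of the Wireshark filter: keep DNS queries to dst_ip for the
    suspect domain, strip the domain, and keep each subdomain once, in order."""
    seen, labels = set(), []
    for ip, qname in queries:
        if ip != dst_ip or not qname.endswith("." + domain):
            continue
        label = qname[: -len(domain) - 1]
        if label not in seen:
            seen.add(label)
            labels.append(label)
    return labels


def decode_labels(labels):
    """Join the chunks, restore any stripped base64 padding, and decode."""
    joined = "".join(labels)
    joined += "=" * (-len(joined) % 4)
    return base64.b64decode(joined).decode(errors="replace")


if __name__ == "__main__":
    labels = subdomain_labels(build_sample_queries(SAMPLE_FLAG), EXFIL_IP, DOMAIN)
    print(labels)
    print(decode_labels(labels))   # prints the placeholder flag
```

Feeding the real capture in would only require replacing build_sample_queries with the query names exported from Wireshark (for example via a dns.qry.name column) paired with their destination IPs.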

Well, okay. When doing these CTFs, it’s important to remember that so much of this stuff gets base64 encoded just to obfuscate it to the human eye. Instead of scanning for the picoCTF string we want, we have to just drill down into where the flag might actually be, and then apply some fundamentals to where we got.

I can see why people don’t like this one. Putting all those strings together from Wireshark and decoding them is not very intuitive. But packet capture analysis doesn’t really feel intuitive until you’ve already done it a bunch.

Stay tuned for the next chapter of CTF Chronicles!