PicoCTF Chronicles: PcapPoisoning

You may be asking yourself, “how many of these packet capture CTFs is he going to post?”

The answer is Yes.

Anyway, this one is called PcapPoisoning.

Seems simple enough: a high percentage of solves, but not the best approval rating. Let’s dive in.

Yet again, this is legitimately a pcap file, so that’s some good news. Let’s pop her open with Wireshark and see what we can see.

Well, that’s a first for these activities; the very first entry is a malformed IPv4 packet. For now, I’m going to stick to what I know and follow that DNS stream we see on line 5.

It seems like that’s the correct move; what does it mean by close, though?

Oh, it meant I just had to scroll to the end of all those FTP-DATA packets to get to the next TCP stream. There’s the flag. All I have to do is copy this packet as Hex + ASCII from Wireshark, paste it into Sublime, and remove the little bits of hex before the flag ASCII.
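For anyone who would rather script the scroll-and-spot part, here is an added example (my own code, not from the original writeup or the challenge): a minimal classic-pcap reader that skips frames too short to carry their own headers (like that malformed first packet), stitches each TCP stream's payload together in capture order, and greps the result for the picoCTF flag format, so there is no hex column to strip by hand. It runs against a constructed in-memory capture rather than the challenge file, and the flag value in it is a placeholder.

```python
import re
import struct
FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}")  # picoCTF flag format

def iter_frames(pcap):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap byte string."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[pcap[:4]]  # KeyError if not classic pcap
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def tcp_segment(frame):
    """Return (stream_key, payload) for an Ethernet/IPv4/TCP frame; None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # too short for its own headers (the 'malformed' packet) or not IPv4
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if ihl < 20 or frame[23] != 6 or total_len < ihl + 20 or 14 + total_len > len(frame):
        return None  # bad IHL, not TCP, or IP length inconsistent with the frame
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    key = tuple(sorted([(frame[26:30], sport), (frame[30:34], dport)]))  # same key both directions
    return key, tcp[doff:]

def find_flags(pcap):
    """Concatenate each TCP stream's payload in capture order, then grep for flags."""
    streams = {}
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg:
            streams.setdefault(seg[0], bytearray()).extend(seg[1])
    return sorted({m.decode() for s in streams.values() for m in FLAG_RE.findall(bytes(s))})

# Constructed sample capture (not the challenge file); checksums are left zero.
def mk_frame(src, sport, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in [
        b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00\x45\x00\x00\x05",        # truncated IPv4 header
        *[mk_frame(A, 40000, B, 20, b"FTP-DATA filler\n") for _ in range(3)],
        mk_frame(B, 4444, A, 9999, b"pico"),                            # flag split across
        mk_frame(B, 4444, A, 9999, b"CTF{constructed_sample_flag}\n"),  # two segments
    ])
```

Because the flag is split across two segments in the sample, a per-packet search would miss it; reassembling the stream first is what makes the grep work, which is the same reason "Follow TCP Stream" beats eyeballing individual packets in Wireshark.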

Got it!

I’m not sure why this one doesn’t have a very high approval rating. All you have to do is scroll through the packets and just, kind of, look at them.