Description
We found another packet capture and key file. The flag has moved - it is no longer in the HTTP headers. Download both the pcap and the key.
Setup
Download the pcap file and the RSA private key file from the challenge page.
Load the key into Wireshark via Edit > Preferences > TLS > RSA Keys (same as WebNet0).
Solution
Walk me through it

Step 1: Decrypt the TLS traffic using the key

Add the provided RSA key in Wireshark's TLS preferences. Re-open the pcap. The encrypted traffic becomes readable HTTP. Follow the TLS streams and look at the HTTP response bodies.
Learn more
The flag is no longer in the HTTP headers. Look at what files are being transferred inside the decrypted streams. One stream transfers an image file, and the flag is hidden in that image's EXIF metadata.
Step 2: Extract the transferred image and read its EXIF metadata

Use Wireshark's File > Export Objects > HTTP to save the image from the capture. Then run exiftool on the saved image to dump all metadata fields. The flag is stored as the value of one of the EXIF fields.

```bash
# After exporting the image from Wireshark Export Objects:
exiftool <exported_image>
```

Learn more

exiftool reads metadata embedded in image files, including EXIF, IPTC, and XMP. Check fields like Artist, Comment, Copyright, and Description for the flag value.

This challenge demonstrates a key forensics principle: when network traffic contains binary files, those files may themselves contain hidden data. Always examine transferred files with appropriate tools, not just the HTTP headers.
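To make concrete what exiftool is reading in Step 2, here is an added example (not part of the original writeup and not the challenge's own image) that shows where EXIF text lives inside a JPEG: an APP1 segment tagged "Exif", wrapping a TIFF header and an IFD0 table whose entries either hold a short value inline or point at a data area further into the segment. The script builds such a JPEG from a constructed dictionary of ASCII tags (Artist, ImageDescription; the flag value is a placeholder) and then parses it back with only the standard library, so you can run it offline and compare the output with what `exiftool` prints for an exported file. Tag ids and the IFD layout are from the TIFF/EXIF specification; the function names are this example's own.

```python
import struct

# A few IFD0 tags by numeric id (TIFF/EXIF spec); the names match exiftool's output.
TAG_NAMES = {
    0x010E: "ImageDescription",
    0x010F: "Make",
    0x0110: "Model",
    0x013B: "Artist",
    0x8298: "Copyright",
}
ASCII = 2  # EXIF field type 2 = NUL-terminated ASCII


def build_exif_jpeg(fields):
    """Construct a minimal JPEG (SOI + APP1/Exif + EOI) carrying ASCII tags.

    fields: dict tag_id -> str. This is constructed test data with no pixel
    data; it is enough for a metadata reader to find the tags.
    """
    entries = sorted(fields.items())
    n = len(entries)
    # TIFF header: "II" little-endian, magic 42, IFD0 starts at offset 8.
    tiff = bytearray(b"II*\x00" + struct.pack("<I", 8))
    # IFD0 = count (2) + n entries (12 each) + next-IFD pointer (4); values
    # longer than 4 bytes are appended after that and referenced by offset.
    data_offset = 8 + 2 + 12 * n + 4
    ifd = bytearray(struct.pack("<H", n))
    blob = bytearray()
    for tag, text in entries:
        value = text.encode("ascii") + b"\x00"
        count = len(value)
        if count <= 4:
            field = value.ljust(4, b"\x00")          # stored inline
        else:
            field = struct.pack("<I", data_offset + len(blob))  # offset into blob
            blob += value
        ifd += struct.pack("<HHI", tag, ASCII, count) + field
    ifd += struct.pack("<I", 0)  # no IFD1
    tiff += ifd + blob
    payload = b"Exif\x00\x00" + bytes(tiff)
    app1 = b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xFF\xD8" + app1 + b"\xFF\xD9"


def read_exif_ascii(jpeg):
    """Walk JPEG marker segments, find APP1/Exif, return IFD0 ASCII tags."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):   # EOI or SOS: metadata precedes image data
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(segment[6:])
        pos += 2 + length
    return {}


def _parse_ifd0(tiff):
    endian = {b"II": "<", b"MM": ">"}[bytes(tiff[:2])]
    magic, ifd_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])[0]
    out = {}
    for i in range(count):
        e = ifd_offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        if typ != ASCII:          # only ASCII fields are decoded here
            continue
        if n <= 4:
            raw = tiff[e + 8:e + 8 + n]
        else:
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + n]
        name = TAG_NAMES.get(tag, "0x%04X" % tag)
        out[name] = bytes(raw).rstrip(b"\x00").decode("ascii", "replace")
    return out


if __name__ == "__main__":
    # Constructed sample: the flag value is a placeholder, not the real one.
    sample = build_exif_jpeg({0x013B: "picoCTF{constructed_placeholder}",
                              0x010E: "cat"})
    for name, value in read_exif_ascii(sample).items():
        print("%-20s: %s" % (name, value))
```

Running it prints the two tags in the same shape exiftool would show them; on a real exported image, feed the file bytes to `read_exif_ascii` instead of `build_exif_jpeg`. Note that this reader stops at the first APP1 segment and decodes only ASCII fields, which is exactly why exiftool is the right tool for the real capture: flags can also sit in UserComment (an undefined-type field in the EXIF sub-IFD), IPTC or XMP blocks that this minimal parser does not reach.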
Flag
picoCTF{...}
Decrypt the TLS stream with the RSA key, export the transferred image, then run exiftool on it to find the flag in the EXIF metadata.