WebNet1 picoCTF 2019 Solution

Published: April 2, 2026

Description

We found another packet capture and key file. The flag has moved - it is no longer in the HTTP headers. Download both the pcap and the key.

Download the pcap file and the RSA private key file from the challenge page.

Open the capture in Wireshark (same setup as WebNet0).

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Decrypt the TLS traffic using the key
    Observation
    I noticed the challenge provided both a pcap file and an RSA private key, which suggested the capture contained encrypted TLS traffic that could be retrospectively decrypted by supplying the server's private key to Wireshark.
    Add the provided RSA key in Wireshark's TLS preferences (Edit > Preferences > Protocols > TLS > RSA keys list). Re-open the pcap. The encrypted traffic becomes readable HTTP. Follow the TLS streams and look at the HTTP response bodies.
    Learn more

    When you follow the first TLS stream you will find a Pico-Flag HTTP header, but it reads picoCTF{this.is.not.your.flag.anymore}. That is a deliberate decoy. The challenge description hints that the flag has moved, so keep looking.

    One of the HTTP responses transfers a JPEG image (vulture.jpg). The real flag is a plain string embedded inside that image file, not in the HTTP headers.

  2. Step 2
    Export the transferred image and search it for the flag
    Observation
    I noticed the decrypted HTTP stream contained a JPEG image file (vulture.jpg) being transferred, and the challenge description said the flag had moved out of the HTTP headers, which suggested the flag was embedded as a raw string inside the image file itself.
    Use Wireshark's File > Export Objects > HTTP (or tshark --export-objects) to save the JPEG from the capture. Then run the strings command on the saved file and grep for the flag prefix. The flag appears as a plain string inside the image file.
    bash
    # Export HTTP objects with tshark (alternative to Wireshark GUI):
    bash
    tshark -r capture.pcap -o 'ssl.keys_list:0.0.0.0,443,http,picopico.key' --export-objects 'http,out'
    bash
    bash
    # Search the exported JPEG for the flag string
    bash
    strings out/vulture.jpg | grep pico

    Expected output

    picoCTF{honey.roasted.peanuts}
    What didn't work first

    Tried: Run strings on the original pcap file instead of the exported JPEG to find the flag.

    The pcap file stores raw TLS ciphertext, so strings on the pcap produces garbled binary fragments and no readable flag. The flag only becomes a plain ASCII string after the TLS layer is stripped and the JPEG payload is extracted. Export HTTP objects first, then run strings on the resulting image file.

    Tried: Use steghide to extract hidden data from the exported vulture.jpg.

    steghide expects a passphrase and looks for data hidden with its own LSB-embedding algorithm. This JPEG has no steghide-compatible payload - the flag was simply appended or embedded as a raw string, not steganographically encoded. strings finds it immediately without any passphrase or steganography tool.

    Learn more

    strings extracts printable character sequences from any binary file. Because the flag was stored as a raw ASCII string inside the JPEG data, no image-analysis tool is needed - a simple grep finds it immediately.

    This challenge demonstrates that when network traffic contains binary files, those files may themselves contain hidden data. Checking transferred files with strings or a hex viewer is a fast first step before reaching for heavier forensics tools.

Interactive tools
  • Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
  • Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.

Flag

Reveal flag

picoCTF{honey.roasted.peanuts}

Decrypt the TLS stream with the RSA key, export the transferred JPEG, then run strings on it to find the flag stored as a plain string inside the image file.

Key takeaway

TLS encryption protects data in transit, but only as long as the private key remains secret. When a server's RSA private key is known, tools like Wireshark can retrospectively decrypt all recorded sessions that used that key for key exchange, exposing every transferred byte including files carried in HTTP responses. This is why modern TLS deployments favor forward-secret key exchange (ECDHE) so that compromising a long-term key does not decrypt past sessions.

Related reading

Want more picoCTF 2019 writeups?

Useful tools for Forensics

What to try next