Trivial Flag Transfer Protocol picoCTF 2021 Solution

Published: April 2, 2026

Description

Figure out how they are communicating, then find the flag. Download tftp.pcapng.

bash
wget <url>/tftp.pcapng
  1. Step 1: Export all TFTP objects from the capture
    Open tftp.pcapng in Wireshark, then File > Export Objects > TFTP. You'll recover instructions.txt, plan, picture1.bmp, picture2.bmp, picture3.bmp, and program.deb.
    bash
    wireshark tftp.pcapng

    TFTP packet primer. TFTP runs over UDP/69 with a tiny opcode-driven format:

    • 1 = RRQ (read request): opcode | filename\0 | mode\0
    • 2 = WRQ (write request): same shape as RRQ
    • 3 = DATA: opcode | block# | up to 512 bytes
    • 4 = ACK: opcode | block#
    • 5 = ERROR: opcode | errcode | message\0

    Filename and mode in RRQ/WRQ are NUL-terminated ASCII strings. Because everything is plaintext, Wireshark's Export Objects walks the DATA blocks and reassembles complete files. See Wireshark for CTF for the broader protocol-analysis playbook.

  2. Step 2: Decode the text files with ROT13
    instructions.txt and plan are ROT13-encoded. Decode them to learn the steg tool (steghide) and the passphrase. Look for the passphrase on a clearly marked line: often the last line of the file or a label like 'password:' or 'passphrase:'.
    bash
    tr 'A-Za-z' 'N-ZA-Mn-za-m' < instructions.txt
    bash
    tr 'A-Za-z' 'N-ZA-Mn-za-m' < plan
  3. Step 3: Extract the hidden data from picture3.bmp
    Use steghide on picture3.bmp with the recovered passphrase (DUEDILIGENCE in the canonical solve). The output file contains the flag.
    bash
    steghide extract -sf picture3.bmp -p DUEDILIGENCE
    bash
    cat flag.txt

    Steghide hides data inside image and audio carriers by tweaking pixel/sample values; the payload is encrypted with a passphrase. -sf selects the stego file and -p passes the passphrase. See steganography tools for the broader toolkit (zsteg for PNG LSB, binwalk for embedded archives, stegsolve for visual bit planes).

    This challenge chains TFTP recovery, ROT13 decoding, and steghide extraction. Each clue is hidden in the previous step's output, a common multi-stage pattern in forensics CTFs.
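
The TFTP packet layout from the Step 1 primer, as an added example that is not part of the original writeup: a Python parser for the five opcodes plus reassembly of one transfer from its DATA blocks, which is the work Wireshark's Export Objects does for you. The packets in `sample_capture()` are constructed, and the function names, `sample.txt` and the ROT13 sample payload are assumptions for illustration.

```python
import struct

BLOCK = 512  # full DATA payload size; a shorter block ends the transfer
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP message (a UDP payload) into a dict."""
    if len(payload) < 4:
        raise ValueError("truncated TFTP packet")
    opcode, field = struct.unpack("!HH", payload[:4])
    kind = OPCODES.get(opcode)
    if kind in ("RRQ", "WRQ"):  # opcode | filename\0 | mode\0
        parts = payload[2:].split(b"\0")
        if len(parts) < 3:
            raise ValueError("request is missing a NUL terminator")
        return {"op": kind, "filename": parts[0].decode("ascii"),
                "mode": parts[1].decode("ascii").lower()}
    if kind == "DATA":  # opcode | block# | up to 512 bytes
        return {"op": kind, "block": field, "data": payload[4:]}
    if kind == "ACK":  # opcode | block#
        return {"op": kind, "block": field}
    if kind == "ERROR":  # opcode | errcode | message\0
        text = payload[4:].split(b"\0")[0].decode("ascii", "replace")
        return {"op": kind, "code": field, "message": text}
    raise ValueError(f"unknown opcode {opcode}")

def reassemble(payloads) -> tuple:
    """Rebuild one transfer from its packets; returns (filename, content)."""
    filename, blocks = None, {}
    for raw in payloads:
        msg = parse_tftp(raw)
        if msg["op"] in ("RRQ", "WRQ"):
            filename = msg["filename"]
        elif msg["op"] == "DATA":
            blocks.setdefault(msg["block"], msg["data"])  # drop retransmits
        elif msg["op"] == "ERROR":
            raise ValueError(f"transfer aborted: {msg['message']}")
    order = sorted(blocks)
    gapless = order == list(range(1, len(order) + 1))  # blocks 1..n present
    if not order or not gapless or len(blocks[order[-1]]) >= BLOCK:
        raise ValueError("incomplete transfer")
    return filename, b"".join(blocks[n] for n in order)

def sample_capture() -> list:
    """Constructed packets: WRQ, two DATA blocks (block 1 resent), ACKs."""
    data1 = struct.pack("!HH", 3, 1) + b"N" * BLOCK
    return [b"\x00\x02sample.txt\x00octet\x00", struct.pack("!HH", 4, 0),
            data1, data1, struct.pack("!HH", 4, 1),
            struct.pack("!HH", 3, 2) + b"FNZCYR", struct.pack("!HH", 4, 2)]
```

Pass `reassemble` the UDP payloads of a single transfer in capture order; the retransmitted block 1 in the sample is counted once, and a capture that stops before the final short block raises `ValueError`.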

Flag

picoCTF{...}

TFTP transfers files without encryption: export all objects from the capture, decode the ROT13 instructions to recover the steghide passphrase, and pull the flag out of picture3.bmp.
