Trivial Flag Transfer Protocol

Published: April 2, 2026

Description

Figure out how they are communicating, then find the flag. Download tftp.pcapng.

wget <url>/tftp.pcapng

Solution

  1. Step 1: Export all TFTP objects from the capture
    Open tftp.pcapng in Wireshark. Go to File > Export Objects > TFTP. Save all files. You will recover two text files (instructions.txt and plan) and three BMP image files (picture1.bmp, picture2.bmp, picture3.bmp), plus a program.deb installer.
    wireshark tftp.pcapng

    TFTP (Trivial File Transfer Protocol) is a simple, lightweight UDP-based file transfer protocol with no authentication and no encryption. It is used in legacy environments for booting diskless systems and updating firmware. Because all TFTP transfers are in plaintext, Wireshark can fully reconstruct every file transferred during the capture session using the Export Objects feature.

  2. Step 2: Decode the text files with ROT13
    The text files contain ROT13-encoded instructions. Decode them to reveal: the tool being used is steghide, and the password is DUEDILIGENCE. The program.deb file confirms steghide is the steganography tool.
    cat instructions.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
    cat plan | tr 'A-Za-z' 'N-ZA-Mn-za-m'
  3. Step 3: Extract the hidden data from picture3.bmp
    Use steghide to extract hidden data from picture3.bmp using the password DUEDILIGENCE recovered from the decoded instructions. Steghide outputs the embedded file, which contains the flag.
    steghide extract -sf picture3.bmp -p DUEDILIGENCE
    cat flag.txt

    Steghide is a steganography tool that hides data inside image and audio files by subtly modifying pixel values or sample data. The hidden data is encrypted with a passphrase and embedded in a way that is visually imperceptible. The -sf flag specifies the stego file (the carrier image) and -p provides the passphrase.

    This challenge chains multiple techniques: TFTP protocol analysis, ROT13 decoding, and finally steghide extraction. The instructions for each step are hidden inside the previous step's output -- a common multi-stage puzzle design in forensics CTFs.
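
What the object export in Step 1 and the ROT13 decode in Step 2 do under the hood, as an added example that is not part of the original write-up. The packet list is constructed sample data, not taken from tftp.pcapng, and the function names are hypothetical.

```python
import codecs
import struct

RRQ, WRQ, DATA = 1, 2, 3   # TFTP opcodes from RFC 1350
BLOCK_SIZE = 512           # default block size; a shorter DATA block ends a transfer

def reassemble(payloads):
    """Rebuild files from TFTP UDP payloads given in capture order.
    Assumptions: one transfer at a time, default 512-byte blocks (no blksize
    option), fewer than 65536 blocks. Returns {filename: bytes}."""
    files, name, blocks = {}, None, {}
    for p in payloads:
        if len(p) < 4:
            continue
        opcode, block = struct.unpack("!HH", p[:4])
        if opcode in (RRQ, WRQ):
            # Request layout: opcode | filename | 0 | mode | 0
            name = p[2:].split(b"\0")[0].decode("ascii", "replace")
            blocks = {}
        elif opcode == DATA and name is not None:
            blocks.setdefault(block, p[4:])        # keep first copy, drop retransmits
            if len(p) - 4 < BLOCK_SIZE:            # short (or empty) block: last one
                # Only emit the file if no block is missing from the capture.
                if sorted(blocks) == list(range(1, len(blocks) + 1)):
                    files[name] = b"".join(blocks[i] for i in sorted(blocks))
                name = None
    return files

def rot13(data):
    """Decode ROT13 text, the same mapping as tr 'A-Za-z' 'N-ZA-Mn-za-m'."""
    return codecs.decode(data.decode("ascii"), "rot_13")

# Constructed sample: an 870-byte ROT13 text uploaded as "plan" in two blocks,
# with ACKs and one retransmitted DATA packet mixed in.
PLAINTEXT = "the plan is in the pictures. " * 30
_enc = codecs.encode(PLAINTEXT, "rot_13").encode("ascii")
SAMPLE = [
    struct.pack("!H", WRQ) + b"plan\0octet\0",
    struct.pack("!HH", 4, 0),                      # ACK 0
    struct.pack("!HH", DATA, 1) + _enc[:512],
    struct.pack("!HH", DATA, 1) + _enc[:512],      # retransmission
    struct.pack("!HH", 4, 1),                      # ACK 1
    struct.pack("!HH", DATA, 2) + _enc[512:],
]

if __name__ == "__main__":
    for fname, body in reassemble(SAMPLE).items():
        print(fname, len(body), rot13(body)[:29])
```

Nothing in the exchange authenticates either side or protects the payload, which is why a passive capture is enough to recover every file.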

Flag

picoCTF{...}

TFTP transfers files without encryption -- export all objects from the capture to recover the instructions and steganography key.