Wireshark doo dooo do doo... picoCTF 2021 Solution

Published: April 2, 2026

Description

Analyze shark1.pcapng to find the flag.

Download shark1.pcapng.

bash
wget <url>/shark1.pcapng

Solution

  1. Step 1
    Find the right TCP stream
    Observation
    I noticed the capture contained multiple TCP streams across hundreds of packets, which pointed to Wireshark's display filters and Follow TCP Stream as the way to isolate and reassemble the one conversation carrying the flag.
    Open shark1.pcapng in Wireshark. Narrow the search with a display filter before scrolling: by DNS hostname (dns.qry.name contains '...'), by HTTP host, or by raw payload text. Then sort the streams by length and follow the longest.
    bash
    wireshark shark1.pcapng
    # In the filter bar, try one of:
    #   dns.qry.name contains 'example'
    #   tcp contains 'Gur synt'   (the ROT13 text that is actually on the wire; a literal 'picoCTF' never appears)
    #   http
    What didn't work first

    Tried: Scroll through packets one by one looking for readable text instead of using a display filter

    shark1.pcapng contains hundreds of packets across multiple streams; manually scrolling produces only fragmented payloads per packet rather than the reassembled application data. Following the TCP stream (right-click a packet in the relevant stream and choose Follow > TCP Stream) concatenates both directions of the conversation so the ROT13 sentence appears as a readable block.

    Tried: Use the filter 'tcp contains "picoCTF"' to find the flag directly

    The flag inside the stream is ROT13-encoded, so the literal bytes 'picoCTF' appear nowhere in the capture. The filter matches zero packets and leaves an empty packet list, which is easy to misread as a capture with nothing useful in it. Filtering for the encoded prefix 'cvpbPGS' or the surrounding phrase 'Gur synt' works because those bytes are present verbatim on the wire.

    Learn more

    Wireshark is the standard packet analyzer. A .pcapng file stores captured packets with metadata. Right-click any packet and choose Follow > TCP Stream to reassemble the bidirectional conversation.

    How to identify stream 5 specifically. Streams are numbered from 0 in order of first appearance. To pick the right one without checking each by hand:

    • Statistics > Conversations > TCP sorts by bytes per stream. The longest few are usually the interesting ones.
    • Filter with tcp.stream eq 5 once you suspect a number, or filter by content first (tcp contains "Gur synt") and read which stream the matched packet belongs to.
    • tshark can dump every stream programmatically: for i in $(seq 0 20); do tshark -r shark1.pcapng -q -z follow,tcp,ascii,$i; done. The upper bound 20 is a guess; raise it if Statistics > Conversations shows more streams, and pipe the output through grep for 'cvpbPGS' rather than reading every dump.

    See Wireshark for CTF for the full filter cheat sheet.

  2. Step 2
    Decode the ROT13-encoded flag
    Observation
    I noticed the reassembled TCP stream contained the readable phrase 'Gur synt vf cvpbPGS{...}'. Each word looked like shifted English, and the prefix 'cvpbPGS' is 'picoCTF' shifted by 13, which confirmed ROT13 and pointed directly to running tr on the full sentence.
    The TCP stream contains: 'Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}'. Apply ROT13 to the letters; digits and underscores pass through unchanged. The decoded sentence reads: 'The flag is picoCTF{p33kab00_1_s33_u_...}'.
    bash
    echo "Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}" | tr 'A-Za-z' 'N-ZA-Mn-za-m'

    Expected output

    The flag is picoCTF{p33kab00_1_s33_u_...}
    What didn't work first

    Tried: Apply ROT13 only to the inner flag token 'c33xno00_1_f33_h_qrnqorrs' and ignore the surrounding sentence

    Running tr on just the braces-wrapped portion decodes the flag body correctly, but skipping the surrounding phrase means you have to infer manually that the output is the flag. Including the full sentence 'Gur synt vf cvpbPGS{...}' in the tr command produces 'The flag is picoCTF{...}' which removes all ambiguity about what you are reading.

    Tried: Use an online ROT13 tool but paste the text with the Wireshark newline artifacts left in

    Wireshark's Follow TCP Stream window can carry direction markers or line breaks into a copied block of raw text, sometimes in the middle of a token. Pasting those artifacts into an online tool decodes the letters correctly but leaves stray characters between the digits, so the flag looks malformed. tr passes every non-letter byte through unchanged, so the same artifacts would survive there too; the clean result comes from pasting the sentence as one line, as in the command above.

    Learn more

    Worked example. ROT13 shifts each letter by 13 positions, wrapping within case. Non-letters (digits, punctuation, underscores) pass through untouched. So c33xno00 decodes letter-by-letter:

    c -> p   (c is the 3rd letter, 3+13 = 16 -> 16th letter = p)
    3 -> 3   (digit, unchanged)
    3 -> 3
    x -> k
    n -> a
    o -> b
    0 -> 0   (digit, unchanged)
    0 -> 0

    So c33xno00 decodes to p33kab00. The tr 'A-Za-z' 'N-ZA-Mn-za-m' pattern handles only alphabetic characters, which is exactly the right semantics: digits and underscores stay put.

Alternate Solution

Once you extract the ROT13 text from the TCP stream, decode it instantly with the ROT / Caesar Cipher tool. Paste the text, set the shift to 13, and the flag appears with no shell command needed.

Flag


picoCTF{p33kab00_1_s33_u_...}

Following individual TCP streams isolates one connection's application-layer data. Here the flag was ROT13-encoded within the stream.

Key takeaway

Network captures preserve every byte of a cleartext protocol exactly as it crossed the wire, so anyone who can capture traffic can read credentials, payloads, and file transfers in full. ROT13 is a trivial substitution cipher with zero confidentiality; at best it is light obfuscation. Both problems share the same real-world fix: TLS encrypts the stream so a passive observer sees only ciphertext, and a proper cipher replaces substitution encodings.
