Description
Analyze shark1.pcapng to find the flag.
Setup
Download shark1.pcapng.
Solution
- Step 1: Open the capture and follow TCP stream 5
  Open shark1.pcapng in Wireshark. Apply the display filter 'tcp.stream eq 5' to isolate the relevant TCP connection. Right-click any packet in the filtered list and select Follow > TCP Stream to view the full conversation.
  Command: wireshark shark1.pcapng
Learn more
Wireshark is the industry-standard packet analyzer. A .pcapng file (Packet Capture Next Generation) stores captured network packets with metadata. The "Follow TCP Stream" feature reassembles a full bidirectional TCP conversation from individual packets, showing the application-layer data as it was transmitted.
TCP streams in Wireshark are numbered starting from 0 in the order they appear in the capture. Stream 5 (the sixth stream) contains the text with the flag. With small captures, you can also quickly scan streams by right-clicking each TCP packet and following its stream.
- Step 2: Decode the ROT13-encoded flag
  In the TCP stream you will see the text: 'Gur synt vf cvpbPGS{p33xno00_1_f33_h_qrnqorrs}'. This is ROT13-encoded. Apply ROT13 using the tr command to recover the flag.
  Command: echo "Gur synt vf cvpbPGS{p33xno00_1_f33_h_qrnqorrs}" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Learn more
Notice that the non-alphabetic characters inside the curly braces -- digits and underscores -- are not shifted by ROT13; only letters are. So 'p33xno00' becomes 'c33kao00' after ROT13 on letters only. The tr pattern 'A-Za-z' to 'N-ZA-Mn-za-m' correctly handles only alphabetic characters.
ROT13 in network traffic is a trivial obfuscation that would not survive any competent security review -- but in CTF captures it signals the challenge author intentionally hid the flag in plain sight within the packet data, requiring only the right stream and a simple decode.
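The two steps above, as an added example that is not part of the original writeup: a letter-only rotation equivalent to the tr pattern, applied to a constructed stand-in for the reassembled stream text (not data taken from shark1.pcapng). It goes one step beyond the page by trying all 26 Caesar shifts per line and reporting any that yield a 'picoCTF{...}' string, so an unshifted or differently shifted flag would be found too.

```python
import re
import string

# Constructed sample of a reassembled TCP stream payload, modelled on the
# text described above. It is NOT captured from shark1.pcapng.
SAMPLE_STREAM = (
    b"Hello, is anyone there?\r\n"
    b"Gur synt vf cvpbPGS{p33xno00_1_f33_h_qrnqorrs}\r\n"
    b"bye\r\n"
)

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def rot_n(text: str, n: int) -> str:
    """Shift letters by n positions; digits, '_' and punctuation pass through.

    With n == 13 this is exactly tr 'A-Za-z' 'N-ZA-Mn-za-m'.
    """
    n %= 26
    rotated = UPPER[n:] + UPPER[:n] + LOWER[n:] + LOWER[:n]
    return text.translate(str.maketrans(UPPER + LOWER, rotated))


def rot13(text: str) -> str:
    # ROT13 is its own inverse, so encode and decode are the same call.
    return rot_n(text, 13)


def find_rotated_flags(payload: bytes, prefix: str = "picoCTF{") -> list[tuple[int, str]]:
    """Try every Caesar shift on each line of a reassembled stream.

    Returns (decoding_shift, flag) for each line/shift that produces a
    flag-format string. Shift 0 catches an unobfuscated flag, shift 13
    the ROT13 case from this challenge.
    """
    flag_re = re.compile(re.escape(prefix) + r"[^}]*\}")
    hits = []
    for line in payload.decode("ascii", errors="replace").splitlines():
        for shift in range(26):
            m = flag_re.search(rot_n(line, shift))
            if m:
                hits.append((shift, m.group(0)))
    return hits


if __name__ == "__main__":
    for shift, flag in find_rotated_flags(SAMPLE_STREAM):
        print(f"decoding shift {shift}: {flag}")
```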
Flag
picoCTF{...}
Following individual TCP streams isolates one connection's application-layer data -- here the flag was ROT13-encoded within the stream.