Description
Analyze shark1.pcapng to find the flag.
Setup
Download shark1.pcapng.
```bash
wget <url>/shark1.pcapng
```
Solution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Find the right TCP stream
Observation
I noticed the capture file contained multiple TCP streams across hundreds of packets, which suggested using Wireshark's display filters and the Follow TCP Stream feature to isolate and reassemble the one conversation carrying the flag payload.
Open shark1.pcapng in Wireshark. Filter to narrow the search before scrolling: by DNS hostname (dns.qry.name contains "..."), by HTTP host, or by raw text content. Then sort streams by length and follow the longest. Display-filter string literals take double quotes; a multi-character single-quoted value is rejected as an invalid character constant.
```bash
wireshark shark1.pcapng
# In the filter bar, try one of:
#   dns.qry.name contains "example"
#   tcp contains "flag"
#   http
```
What didn't work first
Tried: Scroll through packets one by one looking for readable text instead of using a display filter
shark1.pcapng contains hundreds of packets across multiple streams; manually scrolling produces only fragmented payloads per packet rather than the reassembled application data. Following the TCP stream (right-click a packet in the relevant stream and choose Follow > TCP Stream) concatenates both directions of the conversation so the ROT13 sentence appears as a readable block.
Tried: Use the filter 'tcp contains "picoCTF"' to find the flag directly
The flag inside the stream is ROT13-encoded, so the literal bytes 'picoCTF' do not appear anywhere in the capture. The filter matches zero packets and the packet list goes blank, as if the capture were empty. Filtering for the encoded prefix 'cvpbPGS' or the surrounding phrase 'Gur synt' works because those bytes are present verbatim on the wire.
Learn more
Wireshark is the standard packet analyzer. A .pcapng file stores captured packets with metadata. Right-click any packet and choose Follow > TCP Stream to reassemble the bidirectional conversation.
How to identify stream 5 specifically. Streams are numbered from 0 in order of first appearance. To pick the right one without checking each by hand:
- Statistics > Conversations > TCP sorts by bytes per stream. The longest few are usually the interesting ones.
- Filter with tcp.stream eq 5 once you suspect a number, or filter by content first (tcp contains "Gur synt") and read the tcp.stream value of the matched packet in the packet details pane.
- tshark can dump every stream programmatically (raise the upper bound of seq to the highest stream index shown in Statistics > Conversations):
```bash
for i in $(seq 0 20); do tshark -r shark1.pcapng -q -z follow,tcp,ascii,$i; done
```
See Wireshark for CTF for the full filter cheat sheet.
Step 2
Decode the ROT13-encoded flag
Observation
I noticed the reassembled TCP stream contained the readable phrase 'Gur synt vf cvpbPGS{...}', where each word looked like shifted English text and the prefix 'cvpbPGS' mirrored 'picoCTF' shifted by 13, which confirmed the encoding was ROT13 and pointed directly to using tr on the full sentence.
The TCP stream contains: 'Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}'. Apply ROT13 to the letters; digits, braces and underscores pass through unchanged. The decoded sentence reads: 'The flag is picoCTF{p33kab00_1_s33_u_...}'.
```bash
echo "Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
```
Expected output
The flag is picoCTF{p33kab00_1_s33_u_...}
What didn't work first
Tried: Apply ROT13 only to the inner flag token 'c33xno00_1_f33_h_qrnqorrs' and ignore the surrounding sentence
Running tr on just the braces-wrapped portion decodes the flag body correctly, but skipping the surrounding phrase means you have to infer manually that the output is the flag. Including the full sentence 'Gur synt vf cvpbPGS{...}' in the tr command produces 'The flag is picoCTF{...}' which removes all ambiguity about what you are reading.
Tried: Use an online ROT13 tool but paste the text with the Wireshark newline artifacts left in
Wireshark's Follow TCP Stream window sometimes appends direction markers or line breaks mid-token when you copy raw text. Pasting those artifacts into an online tool decodes the letters correctly but leaves stray characters around digits, making the flag look malformed. The tr shell command processes stdin byte-for-byte and is unaffected by surrounding whitespace, giving the cleanest output.
Learn more
Worked example. ROT13 shifts each letter by 13 positions, wrapping within case. Non-letters (digits, punctuation, underscores) pass through untouched. So c33xno00 decodes letter by letter:
- c -> p (c is the 3rd letter, 3 + 13 = 16, and the 16th letter is p)
- 3 -> 3 (digit, unchanged)
- 3 -> 3
- x -> k (x is the 24th letter, 24 + 13 = 37, which wraps to 11, and the 11th letter is k)
- n -> a
- o -> b
- 0 -> 0 (digit, unchanged)
- 0 -> 0
So c33xno00 decodes to p33kab00. The tr 'A-Za-z' 'N-ZA-Mn-za-m' pattern handles only alphabetic characters, which is exactly the right semantics: digits and underscores stay put.
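The following is an added example, not code from the original writeup. It ties Step 1's filtering lesson (search for the shifted marker 'cvpbPGS', not the literal 'picoCTF') to Step 2's decode, and it generalizes from ROT13 to any Caesar shift: it tries all 26 shifts of a known marker against the reassembled payload, reports the shift and the exact string to drop into a tcp contains filter, then undoes that shift to extract the flag. The function names rot, find_shift and decode_flag are mine, and SAMPLE_STREAM is a constructed stand-in for the reassembled stream, not the real capture; only the ROT13 sentence inside it comes from the page.

```python
"""Locate a Caesar-shifted marker in stream text, recover the shift, decode the flag.

Added example for the shark1 writeup; assumes nothing beyond the Python standard library.
"""


def rot(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions, wrapping within case.
    Digits, braces, underscores and whitespace pass through unchanged, which
    is the same behaviour as tr 'A-Za-z' 'N-ZA-Mn-za-m' when shift == 13."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is its own inverse: rot13(rot13(x)) == x."""
    return rot(text, 13)


def find_shift(payload: str, marker: str = "picoCTF"):
    """Try every Caesar shift of `marker` against the raw payload and return
    (shift, shifted_marker) for the first hit, or None if no shift matches.
    Shift 0 means the marker is present in plaintext. The shifted marker is
    exactly the string to use in a display filter such as tcp contains "cvpbPGS"."""
    for shift in range(26):
        term = rot(marker, shift)
        if term in payload:
            return shift, term
    return None


def decode_flag(payload: str, marker: str = "picoCTF"):
    """Undo the detected shift on the whole payload and cut out marker{...}.
    Returns None when no shifted marker is present."""
    hit = find_shift(payload, marker)
    if hit is None:
        return None
    shift, _ = hit
    plain = rot(payload, (26 - shift) % 26)  # inverse shift (13 for ROT13)
    start = plain.index(marker)
    end = plain.find("}", start)
    # If the closing brace is missing, return what we have rather than raising.
    return plain[start:] if end == -1 else plain[start:end + 1]


# Constructed stand-in for the reassembled stream (not the real capture):
# unrelated client/server chatter around the ROT13 sentence from the writeup.
SAMPLE_STREAM = (
    "hello server\n"
    "hello client, here is your message:\n"
    "Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}\n"
)

if __name__ == "__main__":
    print("shift / filter term:", find_shift(SAMPLE_STREAM))
    print("decoded sentence   :", rot13("Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}"))
    print("flag               :", decode_flag(SAMPLE_STREAM))
```

Run it as-is to see the shift and the decoded flag; swap SAMPLE_STREAM for the text you copy out of the Follow TCP Stream window (stray line breaks do not matter, since non-letters pass through), and pass a different marker to find_shift when the event's flag prefix is not picoCTF.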
Alternate Solution
Once you extract the ROT13 text from the TCP stream, decode it instantly with the ROT / Caesar Cipher tool. Paste the text, set the shift to 13, and the flag appears with no shell command needed.
Flag
picoCTF{p33kab00_1_s33_u_...}
Following individual TCP streams isolates one connection's application-layer data. Here the flag was ROT13-encoded within the stream.