picoCTF Solutions
picoCTF 2021ForensicsMedium

Wireshark twoo twooo two twoo... picoCTF 2021 Solution

Published: April 2, 2026

Description

Can you find the flag in this packet capture? Download shark2.pcapng.

Setup

Download the pcap file and open it in Wireshark.

bash
wget https://mercury.picoctf.net/static/.../shark2.pcapng

Solution

Walk me through it
  1. Step 1Filter for DNS queries from the client
    Apply 'dns.flags.response == 0' in Wireshark to keep only outbound queries. The flag is exfiltrated character by character through DNS query subdomains, not through DNS responses.
    bash
    wireshark shark2.pcapng
    Learn more

    DNS exfiltration. DNS traffic is allowed almost everywhere, so attackers encode data into subdomain names of queries to a domain they control. The authoritative name server logs the queries and reconstructs the data later.

    Why dns.flags.response == 0. DNS packets come in pairs: the query (flags.response = 0, sent by the client) and the response (flags.response = 1, sent by the resolver). The exfil data is typed by the attacker into the query name. The response carries only an A/NXDOMAIN record back. Keeping only queries halves the noise and ensures you don't double-count the same hostname when it appears in both the question and answer sections.

  2. Step 2Order, concatenate, and base64-decode the subdomains
    Sort queries by frame.time so they're in the order the client sent them. Pull the first label from each hostname, concatenate, and base64-decode.
    bash
    # Dump query names in capture order:
tshark -r shark2.pcapng -Y 'dns.flags.response == 0' -T fields -e frame.time -e dns.qry.name
    bash
    # Strip the base domain, take the leading label, join, b64decode:
tshark -r shark2.pcapng -Y 'dns.flags.response == 0' -T fields -e dns.qry.name \
  | grep -v 'in-addr\|local' \
  | awk -F'.' '{print $1}' \
  | tr -d '\n' \
  | base64 -d
    Learn more

    Why split on the first label. Each query name looks like cGljb0NU.attacker.com. The leading label (before the first .) is the encoded chunk; everything after is the attacker's base domain and is the same for every packet. awk -F'.' '{print $1}' isolates the chunk.

    Why concatenate without a separator. Each chunk is one piece of a base64-encoded message. Joining them as one continuous string gives the original base64 blob; decode it with base64 -d to get the flag.

    Order matters. Use frame.time rather than sort: the chunks were sent in transmission order, not lexicographic order. tshark output is already in capture order by default, so a plain tr -d '\n' preserves it. Avoid piping through sort -u (it scrambles order and can drop legitimate duplicates).

    See Wireshark for CTF for the broader pcap workflow and CTF encodings for base64 alongside the rest of the encoding zoo.

Alternate Solution

Once you concatenate the Base64 subdomain chunks, decode them with the Base64 Decoder on this site. Paste the joined string and the flag appears without needing a terminal.

Flag

picoCTF{...}

The flag was exfiltrated via DNS queries with base64-encoded subdomains, a classic covert channel that bypasses firewall restrictions on other protocols.

Want more picoCTF 2021 writeups?

Browse picoCTF 2021Full library

Useful tools for Forensics

Related reading

What to try next