Description
A network capture shows BitTorrent traffic. Identify which file was downloaded by extracting the most frequent info_hash; the file name becomes the flag.
Open the PCAP in Wireshark and filter for BitTorrent DHT traffic (e.g., `bt-dht`).
Add `bittorrent.info_hash` (or `bt-dht.info_hash`) as a display column and look for the hash with the most hits.
Feed that hash to a public tracker search (Linuxtracker, etc.) to learn the file name.
Solution
- Step 1: Locate the info_hash
Following the DHT queries reveals multiple hashes, but the one repeated most often corresponds to the actual download. Sorting by the new column makes it obvious.
Learn more
BitTorrent is a peer-to-peer file sharing protocol. Every torrent is identified by an info_hash: the 20-byte SHA-1 hash of the bencoded "info" dictionary of the torrent's metadata (file names, sizes, piece hashes). This hash is the globally unique identifier used to find peers, announce to trackers, and look up files on DHT networks.
The DHT (Distributed Hash Table) is BitTorrent's decentralized peer discovery system. Instead of relying on a central tracker, peers ask nearby DHT nodes "who has info_hash X?"; these queries are visible as UDP packets in the PCAP. Wireshark dissects them with the `bt-dht` display filter, exposing the info_hash values being searched.
Wireshark is the industry-standard network protocol analyzer. Key workflow for PCAP analysis: apply display filters to focus on a protocol (`bt-dht`, `http`, `dns`), add relevant fields as columns for quick comparison, use "Follow Stream" to read full conversations, and export specific packets for offline analysis. It is essential for network forensics and CTF challenges.
- Step 2: Map the hash to a file
Paste the hash into a torrent search engine; it points to a specific `.iso` file. The flag format is picoCTF{...}.
Learn more
Because the info_hash is derived from the torrent metadata (including file names), it can be used to look up what file a torrent represents, even without having the `.torrent` file itself. Public torrent search engines index info_hashes and their associated file names, making this lookup straightforward.
This is a real network forensics technique: if a captured PCAP shows BitTorrent traffic, an analyst can determine exactly what files were being downloaded (or uploaded) by extracting info_hashes and looking them up. This has legal implications in copyright enforcement and in incident response cases where data exfiltration via P2P is suspected.
The lesson about network traffic leakage extends beyond BitTorrent: DNS queries reveal what domains a user visits, HTTP headers leak browser/OS details, TLS SNI extensions expose the target hostname even over encrypted connections, and protocol metadata often reveals more than the payload. Traffic analysis without decryption is a powerful forensic and intelligence technique.
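To make both steps concrete, here is an added Python example (it is not part of the original writeup and not code from Wireshark or any torrent client): it implements the bencode serialization, derives an info_hash from a constructed torrent's "info" dictionary the way Step 2's Learn more describes, then builds a constructed set of DHT get_peers payloads and tallies their info_hash values, which is what the sorted `bt-dht.info_hash` column does in Step 1. The torrent metadata, node ids, transaction ids and packets are all made up for the demo; the message layouts follow BEP 3 (.torrent files) and BEP 5 (DHT/KRPC).

```python
import hashlib
from collections import Counter

# ---- minimal bencode codec: the serialization used by .torrent files and DHT (KRPC) messages ----

def bencode(obj) -> bytes:
    """Encode int / bytes / str / list / dict. Dict keys are emitted sorted, as BEP 3 requires;
    that canonical ordering is what makes the SHA-1 over the 'info' dict the same for every client."""
    if isinstance(obj, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")

def _decode(data: bytes, i: int):
    """Decode one bencoded value starting at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        out, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = _decode(data, i)
            out.append(v)
        return out, i + 1
    if c == b"d":
        out, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = _decode(data, i)
            v, i = _decode(data, i)
            out[k] = v
        return out, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        if start + n > len(data):
            raise ValueError("truncated byte string")
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {i}")

def bdecode(data: bytes):
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value

# ---- info_hash: SHA-1 over the bencoded 'info' dictionary only (BEP 3) ----

def info_hash(torrent: dict) -> bytes:
    """The announce URL, comment, etc. live outside 'info', so they do not affect the hash."""
    return hashlib.sha1(bencode(torrent["info"])).digest()

# Constructed sample torrent metadata (not a real torrent): 4 pieces of 256 KiB, dummy piece hashes.
SAMPLE_TORRENT = {
    "announce": "udp://tracker.example.invalid:6969/announce",
    "info": {
        "name": "example-amd64.iso",
        "length": 4 * 262144,
        "piece length": 262144,
        "pieces": bytes(range(20)) * 4,
    },
}

# ---- DHT side: the 'who has info_hash X?' queries that show up as UDP packets in the PCAP ----

def get_peers_query(node_id: bytes, ih: bytes, tid: bytes = b"aa") -> bytes:
    """Build the UDP payload of a KRPC get_peers query (BEP 5)."""
    return bencode({"t": tid, "y": "q", "q": "get_peers", "a": {"id": node_id, "info_hash": ih}})

def extract_info_hash(payload: bytes):
    """Return the 20-byte info_hash carried by a get_peers/announce_peer query, else None.
    This is the per-packet value Wireshark shows in the bt-dht.info_hash column."""
    try:
        msg = bdecode(payload)
    except (ValueError, IndexError):
        return None  # not bencode, or truncated: not a DHT query we can use
    if not isinstance(msg, dict) or msg.get(b"y") != b"q":
        return None
    if msg.get(b"q") not in (b"get_peers", b"announce_peer"):
        return None
    args = msg.get(b"a")
    ih = args.get(b"info_hash") if isinstance(args, dict) else None
    return ih if isinstance(ih, bytes) and len(ih) == 20 else None

def most_frequent_info_hash(payloads):
    """Tally info_hashes over all payloads; return (hex hash, count) of the winner,
    i.e. the torrent the capturing host was actually downloading."""
    counts = Counter(h for h in map(extract_info_hash, payloads) if h is not None)
    if not counts:
        return None, 0
    ih, n = counts.most_common(1)[0]
    return ih.hex(), n

# Constructed stand-in for a capture's UDP payloads: repeated lookups for the real download,
# two queries for an unrelated hash (other nodes query us too), a ping, and a non-DHT datagram.
TARGET_HASH = info_hash(SAMPLE_TORRENT)
OTHER_HASH = hashlib.sha1(b"unrelated torrent").digest()
NODE_ID = hashlib.sha1(b"our node").digest()
CAPTURE = (
    [get_peers_query(NODE_ID, TARGET_HASH, b"%02d" % i) for i in range(5)]
    + [get_peers_query(NODE_ID, OTHER_HASH, b"xx"), get_peers_query(NODE_ID, OTHER_HASH, b"yy")]
    + [bencode({"t": "pi", "y": "q", "q": "ping", "a": {"id": NODE_ID}}), b"\xff\x00not bencode"]
)

if __name__ == "__main__":
    print("info_hash of sample torrent:", TARGET_HASH.hex())
    print("most frequent info_hash in capture:", most_frequent_info_hash(CAPTURE))
```

Running the block prints the sample torrent's info_hash and the (hash, count) pair that wins the tally. On a real capture the same tally is what the sorted `bt-dht.info_hash` column gives; a second hash appearing a few times is normal, because other DHT nodes send the capturing host get_peers queries for torrents it does not hold, which is why the writeup keys on the most frequent hash rather than on any hash that appears.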
Flag
picoCTF{.....amd64.iso}
Leakage of torrent metadata is often enough to identify what was downloaded.