Torrent Analyze

Published: July 20, 2023; Updated: December 9, 2025

Description

A network capture shows BitTorrent traffic. Identify which file was downloaded by extracting the most frequent info_hash; the file name becomes the flag.

Open the PCAP in Wireshark and filter for BitTorrent DHT traffic (e.g., `bt-dht`).

Add `bittorrent.info_hash` (or `bt-dht.info_hash`) as a display column and look for the hash with the most hits.

Feed that hash to a public tracker search (Linuxtracker, etc.) to learn the file name.

Solution

  1. Step 1: Locate the info_hash
    Following DHT queries reveals multiple hashes, but the one repeated the most corresponds to the actual download. Sorting by the new column makes it obvious.
  2. Step 2: Map the hash to a file
    Paste the hash into a torrent search engine; it points to a specific `.iso` file. The flag format is picoCTF{that_filename}.
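The counting in Step 1 can also be scripted. The following is an added example, not part of the original write-up: it decodes bencoded DHT messages and tallies the `info_hash` carried in queries. It assumes the UDP payloads have already been extracted from the capture; the function names are this example's own, and the sample payloads are constructed rather than taken from the challenge file.

```python
from collections import Counter

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list / dict: l...e, d...e
        i, items = i + 1, []
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)            # raises at end of input
            items.append(value)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        end = colon + 1 + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[colon + 1:end], end
    raise ValueError("not bencode")

def tally_info_hashes(payloads):
    """Count info_hash values seen in DHT queries (get_peers, announce_peer)."""
    counts = Counter()
    for payload in payloads:
        try:
            msg, _ = bdecode(payload)
        except (ValueError, TypeError, RecursionError):
            continue                               # not DHT, or truncated
        args = msg.get(b"a") if isinstance(msg, dict) else None
        if not isinstance(args, dict) or msg.get(b"y") != b"q":
            continue                               # only queries carry "a"
        info_hash = args.get(b"info_hash")
        if isinstance(info_hash, bytes) and len(info_hash) == 20:
            counts[info_hash.hex()] += 1
    return counts

# Constructed sample payloads (not from the challenge capture).
def get_peers(info_hash):
    return (b"d1:ad2:id20:" + b"N" * 20 + b"9:info_hash20:" + info_hash
            + b"e1:q9:get_peers1:t2:aa1:y1:qe")

HASH_A, HASH_B = b"\xaa" * 20, b"\xbb" * 20
SAMPLE = [get_peers(HASH_A)] * 3 + [get_peers(HASH_B), b"\x00junk",
          get_peers(HASH_A)[:30], b"d1:ad2:id20:" + b"N" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"]
print(tally_info_hashes(SAMPLE).most_common(1))
```

The top entry of `most_common()` is the hash to look up in Step 2; malformed, truncated, and non-query payloads are skipped rather than counted.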

Flag

picoCTF{.....amd64.iso}

Leakage of torrent metadata is often enough to identify what was downloaded.