FindAndOpen

Published: April 26, 2023

Description

A PCAP plus a password-protected ZIP arrive together. Use strings/binwalk to extract a partial flag from the network trace, then apply it as the ZIP password.

Run strings (or Wireshark) on dump.pcap to discover Base64 snippets of the flag.

Decode the Base64 text to obtain the partial flag/password, then unlock the accompanying ZIP and read flag.txt.

# plain 'pico' hits plus anything that looks like a Base64 blob (the grep for pico alone misses encoded text)
strings dump.pcap | grep -nE 'pico|[A-Za-z0-9+/]{24,}={0,2}'
python3 - <<'PY'
import base64
# decode to str so the fragment is shown exactly as it will be typed as the password
print(base64.b64decode('VGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8=').decode())
PY
# the password is only the picoCTF{... fragment, without the "This is the secret: " prefix
unzip -P 'picoCTF{...}' flag.zip

Solution

The Introduction to Steganography Tools covers binwalk (handy for carving embedded files out of a capture or other blob when strings alone is not enough) alongside the other tools you will need for forensics challenges.
  1. Step 1: Extract the hint
    The PCAP contains printable strings referencing the flag. Base64-decode them to reveal the password fragment.

    PCAP (Packet Capture) files store raw network traffic recorded by tools like Wireshark or tcpdump. Each packet is saved with its full headers and payload. When traffic is unencrypted, sensitive data - credentials, tokens, file contents - can be recovered simply by reading the payload bytes.

    The strings command extracts sequences of printable ASCII characters from any binary file, including PCAPs. Because packet payloads are just byte arrays, strings dump.pcap surfaces any human-readable text transmitted over the network with no protocol knowledge required, although a string that spans two packets is split by the intervening headers and out-of-order segments are not reassembled. For more targeted analysis, Wireshark's "Follow TCP Stream" reassembles the full application-layer conversation, and its "Export Objects" feature can save transferred files (HTTP, FTP-DATA, SMB, TFTP) directly to disk.

    Base64 is not encryption but an encoding that represents binary data using 64 printable ASCII characters. Its alphabet (A-Z, a-z, 0-9, +, /) and the trailing = padding, present whenever the input length is not a multiple of three bytes, make it easy to recognise. In this challenge the password fragment is Base64-encoded, which is enough to defeat a naive grep for picoCTF against the raw capture, but it decodes instantly with base64 --decode or CyberChef.

  2. Step 2: Unlock the archive
    Use the recovered fragment as the password to unzip the provided archive, then open flag.txt for the complete flag.

    Password-protected ZIP archives encrypt each entry's contents with a symmetric cipher: the traditional PKZIP stream cipher (ZipCrypto) or, in newer archives, AES-256 (WinZip AES, compression method 99). The password must be supplied at extraction time. unzip -P 'password' archive.zip passes it non-interactively, which is useful in scripts, but the password then lands in your shell history and is visible in the process list, so prefer the interactive prompt on a shared machine. Info-ZIP's unzip only handles ZipCrypto; if it reports an unsupported compression method 99, the archive is AES-encrypted and needs 7z x archive.zip instead.

    If you do not know the password, offline cracking tools like John the Ripper (zip2john archive.zip > hash.txt && john hash.txt) or hashcat can brute-force or dictionary-attack ZIP hashes. This challenge avoids brute force by hiding the password inside the PCAP - a scavenger-hunt technique common in multi-stage CTF forensics problems.

    A useful mental model: in real incident response, adversaries often exfiltrate data inside password-protected archives to evade DLP tools. Investigators recover the password from the same traffic channel (email, chat, another packet capture) and then decrypt the archive to see what was stolen.
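The two steps above, as an added end-to-end example that is not part of the original writeup or of the challenge files: the scanner does what strings plus a Base64 decode do, but over raw capture bytes, pulls out the picoCTF{... fragment, and then opens the archive with the standard-library zipfile module. Because a password-protected ZIP cannot be shipped on this page, the block also contains a small ZipCrypto writer that builds a fixture archive; the capture bytes and the fixture's flag body are constructed here, and the assumption that the challenge ZIP uses ZipCrypto (the scheme unzip supports) rather than WinZip AES is mine.

```python
"""Find a Base64-hidden flag fragment in capture bytes, then open a ZipCrypto ZIP with it."""
import base64
import io
import re
import struct
import zipfile
import zlib

# Runs of Base64 alphabet long enough to be worth decoding (strings(1) would list these too).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
FLAG_RE = re.compile(r"picoCTF\{[^}\s]*\}?")  # the '}' is optional: the fragment may be cut


def base64_candidates(blob: bytes):
    """Yield the decoded text of every Base64-looking run that decodes to readable UTF-8."""
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        run += b"=" * (-len(run) % 4)  # tolerate padding stripped in transit
        try:
            text = base64.b64decode(run, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            yield text


def find_flag_fragment(blob: bytes):
    """Return the first picoCTF{... fragment hidden in a Base64 run, or None."""
    for text in base64_candidates(blob):
        m = FLAG_RE.search(text)
        if m:
            return m.group(0)
    return None


def unlock_zip(zip_bytes: bytes, password: str, member: str = "flag.txt") -> str:
    """Read one member of a ZipCrypto archive (stdlib zipfile cannot open WinZip AES, method 99)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member, pwd=password.encode()).decode()


def solve(capture: bytes, zip_bytes: bytes) -> str:
    """Both challenge steps end to end: recover the fragment, use it as the ZIP password."""
    fragment = find_flag_fragment(capture)
    if fragment is None:
        raise ValueError("no Base64-encoded flag fragment in the capture")
    return unlock_zip(zip_bytes, fragment)


# --- Test fixture: a minimal writer for the traditional PKZIP (ZipCrypto) cipher. ---
# Assumption: the challenge ZIP uses ZipCrypto; this exists only so the example runs offline.

def _zipcrypto_encrypt(plain: bytes, pwd: bytes, check_byte: int) -> bytes:
    """PKZIP stream cipher; a 12-byte header whose last byte is CRC>>24 precedes the data."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def crc_byte(crc, b):  # one-byte CRC-32 step without zlib's pre/post inversion
        return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def update(b):
        nonlocal k0, k1, k2
        k0 = crc_byte(k0, b)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = crc_byte(k2, k1 >> 24)

    for b in pwd:  # the password only seeds the three 32-bit key registers
        update(b)
    out = bytearray()
    for b in bytes(11) + bytes([check_byte]) + plain:
        t = k2 | 2
        out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))  # keystream byte from key2
        update(b)  # the keys advance on the plaintext byte
    return bytes(out)


def build_zipcrypto_zip(name: str, content: bytes, pwd: str) -> bytes:
    """One stored, encrypted entry plus central directory and end-of-central-directory record."""
    crc = zlib.crc32(content) & 0xFFFFFFFF
    data = _zipcrypto_encrypt(content, pwd.encode(), (crc >> 24) & 0xFF)
    fname = name.encode()
    flags, method, dostime, dosdate = 0x0001, 0, 0, 0x21  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dostime, dosdate,
                        crc, len(data), len(content), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dostime,
                          dosdate, crc, len(data), len(content), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(data), 0)
    return local + data + central + eocd


# Constructed capture payload: some HTTP noise around the Base64 blob quoted in the writeup.
SAMPLE_CAPTURE = (
    b"\x00\x01GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"VGhpcyBpcyB0aGUgc2VjcmV0OiBwaWNvQ1RGe1IzNERJTkdfTE9LZF8=\r\n"
    b"\x00\xff" + bytes(range(32))
)

if __name__ == "__main__":
    fixture = build_zipcrypto_zip("flag.txt", b"picoCTF{constructed_fixture}\n", "picoCTF{R34DING_LOKd_")
    print(find_flag_fragment(SAMPLE_CAPTURE))  # picoCTF{R34DING_LOKd_
    print(solve(SAMPLE_CAPTURE, fixture), end="")
```

Run it as a script and it prints the recovered fragment and the fixture's flag body; point find_flag_fragment at the bytes of the real dump.pcap and unlock_zip at flag.zip to reproduce the challenge. The fixture writer doubles as an illustration of what "traditional PKZIP stream cipher" means in Step 2: the password only seeds three 32-bit key registers, each keystream byte is derived from key2, and the reader verifies the password by comparing the twelfth header byte with the top byte of the entry's CRC, so a wrong password is rejected by zipfile with RuntimeError about 255 times in 256 and by a CRC mismatch otherwise.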

Alternate Solution

Once you find the Base64 strings embedded in the PCAP or file, decode them with the Base64 Decoder on this site: paste the encoded string and the decoded text appears immediately, without needing a terminal. The ZIP password is the picoCTF{... fragment inside that text, not the whole decoded line.

Flag

picoCTF{R34DING_LOKd_fil56...9b}

Ensure you remove ellipses or extra text from the decoded string before using it as the ZIP password.
