Description
A PCAP plus a password-protected ZIP arrive together. Use strings/binwalk to extract a partial flag from the network trace, then apply it as the ZIP password.
Setup
Download dump.pcap and the accompanying ZIP archive into a local working directory.
Have strings (or Wireshark), a Base64 decoder, and unzip available.
wget https://artifacts.picoctf.net/c/308/dump.pcapSolution
Walk me through it- Step 1Extract the hintThe PCAP contains printable strings referencing the flag. Base64-decode them to reveal the password fragment. Decoding the captured Base64 yields plaintext like "This is the secret: picoCTF{R34DING_LOKd_fil56...9b}" so you can verify decoding worked before attempting the unzip.
Optional alternate path:
binwalk -e dump.pcapcan carve embedded files out of the capture. It is rarely needed here (strings + base64 is enough) but is worth knowing for PCAPs that smuggle full archives over plaintext protocols.Learn more
PCAP (Packet Capture) files store raw network traffic recorded by tools like Wireshark or
tcpdump. Each packet is saved with its full headers and payload. When traffic is unencrypted, sensitive data - credentials, tokens, file contents - can be recovered simply by reading the payload bytes.The
stringscommand extracts sequences of printable ASCII characters from any binary file, including PCAPs. Because packet payloads are just byte arrays,strings dump.pcapsurfaces any human-readable text transmitted over the network - no protocol knowledge required. For more targeted analysis, Wireshark's "Follow TCP Stream" reassembles the full application-layer conversation, and its "Export Objects" feature can save transferred files (HTTP, FTP, SMB) directly to disk.Base64 is not encryption - it is an encoding scheme that represents binary data using 64 printable ASCII characters. Its characteristic alphabet (A-Z, a-z, 0-9, +, /) and padding
=signs make it immediately recognizable. In this challenge the attacker encoded the password to avoid triggering simple keyword filters, but Base64 is trivially reversible withbase64 --decodeor CyberChef. - Step 2Unlock the archiveUse the recovered fragment as the password to unzip the provided archive, then open flag.txt for the complete flag.
Learn more
Password-protected ZIP archives use a symmetric cipher (traditionally PKZIP stream cipher; modern archives use AES-256) to encrypt file contents. The password must be supplied at extraction time. The
unzip -P 'password' archive.zipflag passes the password non-interactively, which is useful in scripts.If you do not know the password, offline cracking tools like John the Ripper (
zip2john archive.zip > hash.txt && john hash.txt) or hashcat can brute-force or dictionary-attack ZIP hashes. This challenge avoids brute force by hiding the password inside the PCAP - a scavenger-hunt technique common in multi-stage CTF forensics problems.A useful mental model: in real incident response, adversaries often exfiltrate data inside password-protected archives to evade DLP tools. Investigators recover the password from the same traffic channel (email, chat, another packet capture) and then decrypt the archive to see what was stolen.
Alternate Solution
Once you find the Base64 strings embedded in the PCAP or file, decode them with the Base64 Decoder on this site - paste the encoded string and the decoded ZIP password appears immediately, without needing a terminal.
Flag
picoCTF{R34DING_LOKd_fil56...9b}
Ensure you remove ellipses or extra text from the decoded string before using it as the ZIP password.