Description
A PCAP plus a password-protected ZIP arrive together. Use strings/binwalk to extract a partial flag from the network trace, then apply it as the ZIP password.
Setup
Download dump.pcap and the accompanying ZIP archive into a local working directory.
Have strings (or Wireshark), a Base64 decoder, and unzip available.
wget https://artifacts.picoctf.net/c/308/dump.pcapSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Extract the hintObservationI noticed the challenge paired a PCAP file with a password-protected ZIP, which suggested the password was hidden inside the network capture and could be surfaced with strings and base64 decoding rather than brute force.The PCAP contains printable strings referencing the flag. Base64-decode them to reveal the password fragment. Decoding the captured Base64 yields plaintext like "This is the secret: picoCTF{R34DING_LOKd_fil56...9b}" so you can verify decoding worked before attempting the unzip.Optional alternate path:
binwalk -e dump.pcapcan carve embedded files out of the capture. It is rarely needed here (strings + base64 is enough) but is worth knowing for PCAPs that smuggle full archives over plaintext protocols.What didn't work first
Tried: Opening the PCAP in Wireshark and scanning each packet manually looking for the password.
Manually scrolling through hundreds of packets is slow and easy to miss. The strings command surfaces all printable text in one shot, piped through grep to filter for Base64-looking output. Wireshark is useful for deeper analysis but is overkill for finding a single embedded string.
Tried: Treating the extracted string as the flag directly without Base64-decoding it.
The payload in the PCAP is Base64-encoded, not raw plaintext. Pasting the encoded string as the ZIP password will fail with a wrong-password error. The correct step is to first decode it with 'base64 --decode' or CyberChef to get the actual password fragment.
Learn more
PCAP (Packet Capture) files store raw network traffic recorded by tools like Wireshark or
tcpdump. Each packet is saved with its full headers and payload. When traffic is unencrypted, sensitive data - credentials, tokens, file contents - can be recovered simply by reading the payload bytes.The
stringscommand extracts sequences of printable ASCII characters from any binary file, including PCAPs. Because packet payloads are just byte arrays,strings dump.pcapsurfaces any human-readable text transmitted over the network - no protocol knowledge required. For more targeted analysis, Wireshark's "Follow TCP Stream" reassembles the full application-layer conversation, and its "Export Objects" feature can save transferred files (HTTP, FTP, SMB) directly to disk.Base64 is not encryption - it is an encoding scheme that represents binary data using 64 printable ASCII characters. Its characteristic alphabet (A-Z, a-z, 0-9, +, /) and padding
=signs make it immediately recognizable. In this challenge the attacker encoded the password to avoid triggering simple keyword filters, but Base64 is trivially reversible withbase64 --decodeor CyberChef.Step 2
Unlock the archiveObservationI noticed the decoded Base64 from the PCAP yielded a picoCTF{...} token, which suggested that token was the ZIP password needed to extract the final flag file.Use the recovered fragment as the password to unzip the provided archive, then open flag.txt for the complete flag.What didn't work first
Tried: Using the full decoded string including the surrounding sentence as the ZIP password.
The decoded output is something like 'This is the secret: picoCTF{...}'. Only the flag value itself (picoCTF{...}) is the ZIP password. Passing the entire sentence produces a wrong-password error. Strip the label text and use only the flag-shaped token.
Tried: Attempting to crack the ZIP password with John the Ripper before finishing the PCAP analysis.
The ZIP password is hidden in the PCAP, so brute-forcing is the hard path. This challenge is designed as a two-stage scavenger hunt - the PCAP contains the password for the ZIP. Finishing the PCAP extraction step first is always faster than dictionary or brute-force attacks.
Learn more
Password-protected ZIP archives use a symmetric cipher (traditionally PKZIP stream cipher; modern archives use AES-256) to encrypt file contents. The password must be supplied at extraction time. The
unzip -P 'password' archive.zipflag passes the password non-interactively, which is useful in scripts.If you do not know the password, offline cracking tools like John the Ripper (
zip2john archive.zip > hash.txt && john hash.txt) or hashcat can brute-force or dictionary-attack ZIP hashes. This challenge avoids brute force by hiding the password inside the PCAP - a scavenger-hunt technique common in multi-stage CTF forensics problems.A useful mental model: in real incident response, adversaries often exfiltrate data inside password-protected archives to evade DLP tools. Investigators recover the password from the same traffic channel (email, chat, another packet capture) and then decrypt the archive to see what was stolen.
Interactive tools
- Base64 & Base32 DecoderDecode Base64 and Base32 strings with auto-detection. Multi-layer mode unwraps nested encodings automatically.
Alternate Solution
Once you find the Base64 strings embedded in the PCAP or file, decode them with the Base64 Decoder on this site - paste the encoded string and the decoded ZIP password appears immediately, without needing a terminal.
Flag
Reveal flag
picoCTF{R34DING_LOKd_fil56...9b}
Ensure you remove ellipses or extra text from the decoded string before using it as the ZIP password.