Description
A network capture file hides the flag in plaintext inside one of its packets. Run strings on the file to surface it without needing Wireshark.
Setup
Download trace.pcap.
Run strings on it and grep for pico to find the flag immediately.
wget https://artifacts.picoctf.net/c/371/trace.pcap
strings trace.pcap | grep pico
Solution
Walk me through it
Step 1: Run strings and grep for the flag
The flag is embedded in plaintext inside a packet payload. A simple strings command surfaces every printable run of bytes in the file. Piping through grep pico finds the flag in one step without opening Wireshark.
strings trace.pcap | grep pico
Learn more
PCAP files store raw network traffic. Packet payloads are just byte sequences, and when the application protocol transmits data in plaintext, the flag shows up verbatim in the file bytes. The strings command extracts every run of printable characters, so a single pipeline finds plaintext flags without any protocol-level analysis.
This is the first triage step for any forensics challenge involving a packet capture: try strings file.pcap | grep pico before reaching for Wireshark. It works whenever the flag is transmitted as unencoded ASCII in a single contiguous packet payload.
If strings comes up empty, open the capture in Wireshark and use Follow TCP/UDP Stream to reassemble the application-layer conversation. The challenge is named PcapPoisoning as a hint about TCP injection, but the flag is accessible by the simpler strings path.
Flag
picoCTF{P64P_4N4L1515_15_Fun_A8777...f}
strings trace.pcap | grep pico returns the flag directly.