PcapPoisoning

Published: April 26, 2023

Description

Analyze the supplied trace.pcap to recover credentials and the full picoCTF flag hidden inside a retransmitted TCP packet.

Open the capture in Wireshark and locate the first TCP retransmission.

Follow the TCP stream to view the injected payload with the picoCTF flag.

wget https://artifacts.picoctf.net/c/371/trace.pcap
wireshark trace.pcap

Solution

  1. Step 1: Follow the suspicious stream
    Right-click the retransmission and choose "Follow TCP stream." The payload contains both leaked credentials and the flag.

    TCP retransmissions occur when a sender does not receive an acknowledgment (ACK) within the expected window and resends the same segment. In a legitimate connection, the retransmitted segment should be byte-for-byte identical to the original. TCP poisoning (also called TCP injection) is an attack where a man-in-the-middle injects a retransmission with modified or additional content - the receiver may accept the injected payload as valid data because it falls within the expected sequence number range.

    In Wireshark, retransmissions are flagged with the [TCP Retransmission] info tag and highlighted in black/dark red by default. Right-clicking one and selecting "Follow → TCP Stream" reassembles the entire application-layer conversation, showing both original and injected data in sequence. This makes it easy to spot payloads that differ between the original packet and the retransmission.

    Real-world TCP injection attacks have been used to intercept BGP sessions, inject RST packets to terminate connections (the "Great Firewall of China" uses this technique), and modify unencrypted HTTP traffic in transit. TLS/HTTPS defends against this by authenticating every record with a message authentication code (MAC) or AEAD tag, so an injected segment fails authentication and the connection is torn down rather than silently accepting the forged bytes.

  2. Step 2: Extract via strings (optional)
    Running strings trace.pcap | grep pico also surfaces the flag if you prefer CLI tooling.
    strings trace.pcap | grep pico

    The strings | grep pipeline is the quickest way to answer "is there anything flag-shaped in this binary?" without opening a GUI. For PCAP files, it searches all packet payloads simultaneously. This works because strings does not understand the PCAP format - it simply scans the raw bytes for printable sequences, which include any unencrypted application data embedded in packets.

    For more structured PCAP analysis from the command line, tshark (Wireshark's CLI companion) provides powerful filtering: tshark -r trace.pcap -Y 'tcp.analysis.retransmission' -T fields -e data.text would extract the text payload of all retransmitted TCP segments (data.text is only populated when the Data dissector's "Show data as text" preference is enabled; -e data.data returns the raw hex otherwise). tcpdump can similarly filter and display packets without a GUI.

    In incident response, CLI tools are preferred over Wireshark when analyzing captures on remote servers over SSH, in automated pipelines, or when dealing with very large PCAP files where Wireshark's memory usage becomes impractical. The strings | grep trick is a staple first step.
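The two steps above can be reproduced without Wireshark or tshark. The following is an added example (not part of the original writeup and not the challenge's own trace.pcap): a minimal pure-standard-library libpcap reader that flags retransmissions whose bytes differ from the original segment at the same sequence number (the poisoning pattern from Step 1), plus a strings-style scan of the raw file bytes (Step 2). The capture it runs on is constructed inline, with zeroed MACs and checksums and a made-up credential and flag; the function names and the exact-sequence-match heuristic are this example's own assumptions, not Wireshark's retransmission logic.

```python
import re
import struct
from collections import defaultdict

# --- Minimal libpcap reader (Ethernet / IPv4 / TCP only; no scapy needed) ---

def iter_packets(data):
    """Yield (frame_index, frame_bytes) for each record in a classic libpcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # little-endian, microsecond timestamps
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # big-endian
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    off, idx = 24, 0                      # 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        idx += 1
        yield idx, data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return ((src, sport, dst, dport), seq, payload) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                    # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    src, dst = frame[26:30], frame[30:34]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return (src, sport, dst, dport), seq, tcp[data_off:]

# --- Step 1 in code: retransmissions whose bytes differ from the original ---

def classify_retransmissions(data):
    """For each (flow, seq) remember the first payload seen. Later segments with the
    same seq are retransmissions: 'identical' is normal TCP, 'divergent' is the
    poisoning pattern. (Simplification: exact seq match only, no overlap handling.)"""
    first_seen = defaultdict(dict)
    results = []
    for idx, frame in iter_packets(data):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        flow, seq, payload = parsed
        if not payload:
            continue
        original = first_seen[flow].get(seq)
        if original is None:
            first_seen[flow][seq] = payload
        else:
            kind = "identical" if original == payload else "divergent"
            results.append({"packet": idx, "flow": flow, "seq": seq, "kind": kind,
                            "original": original, "retransmitted": payload})
    return results

# --- Step 2 in code: the `strings | grep` idea over the raw file bytes ---

def grep_strings(data, needle, min_len=4):
    """Printable runs (like `strings`) that contain `needle` (like `grep`)."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [r for r in runs if needle in r]

# --- Constructed sample capture (NOT the challenge's trace.pcap) ---

def _frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip      # zeroed MACs/checksums are fine for parsing

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

A, B = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
ORIGINAL = b"HTTP/1.1 200 OK\r\n\r\nhello\r\n"
POISONED = b"HTTP/1.1 200 OK\r\n\r\nuser=alice pass=s3cret flag=picoCTF{CONSTRUCTED_SAMPLE_FLAG}\r\n"
SAMPLE_PCAP = build_pcap([
    _frame(A, 40000, B, 80, 1000, b"GET /login HTTP/1.1\r\n\r\n"),
    _frame(B, 80, A, 40000, 5000, ORIGINAL),
    _frame(B, 80, A, 40000, 5000, POISONED),                          # same seq, different bytes
    _frame(A, 40000, B, 80, 1000, b"GET /login HTTP/1.1\r\n\r\n"),   # benign identical retransmit
])

if __name__ == "__main__":
    for r in classify_retransmissions(SAMPLE_PCAP):
        print(r["packet"], r["kind"], r["retransmitted"][:60])
    print(grep_strings(SAMPLE_PCAP, b"pico"))
```

Run against a real file with `classify_retransmissions(open("trace.pcap", "rb").read())`; the "divergent" entries are the ones worth following in Wireshark. The exact-sequence-number comparison is deliberately simpler than Wireshark's analysis, which also handles partially overlapping segments, so treat it as a triage filter rather than a replacement for the GUI's verdict.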

Flag

picoCTF{P64P_4N...803f}

All notable data is present in cleartext; the retransmission makes it easy to spot.
