PcapPoisoning

Published: April 26, 2023
Updated: December 9, 2025

Description

Analyze the supplied trace.pcap to recover credentials and the full picoCTF flag hidden inside a retransmitted TCP packet.

Open the capture in Wireshark and locate the first TCP retransmission.

Follow the TCP stream to view the injected payload with the picoCTF flag.

wget https://artifacts.picoctf.net/c/371/trace.pcap
wireshark trace.pcap

Solution

  1. Follow the suspicious stream
    Right-click the retransmission and choose “Follow TCP stream.” The payload contains both leaked credentials and the flag.
  2. Extract via strings (optional)
    Running strings trace.pcap | grep pico also surfaces the flag if you prefer CLI tooling.
    strings trace.pcap | grep pico

Flag

picoCTF{P64P_4N...803f}

All notable data is present in cleartext; the retransmission makes it easy to spot.
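
The retransmission check described above can also be scripted. This added example, not code from the original write-up, parses a classic pcap with the Python standard library and reports data segments that reuse an already-seen sequence number on the same flow, marking those whose bytes differ from the first copy. `SAMPLE_PCAP`, its addresses, ports and payloads are constructed, and matching on the exact sequence number is a simplification of Wireshark's retransmission analysis.

```python
import struct

def tcp_segments(pcap: bytes):
    """Yield (flow, seq, payload) per IPv4/TCP frame in a classic Ethernet pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian microsecond pcap")
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # too short, not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", frame, 16)
        ip = frame[14:14 + total_len]  # drops any Ethernet padding
        sport, dport, seq = struct.unpack_from("!HHI", ip, ihl)
        data_off = (ip[ihl + 12] >> 4) * 4
        yield (ip[12:16], sport, ip[16:20], dport), seq, ip[ihl + data_off:]

def find_retransmissions(pcap: bytes):
    """Return (flow, seq, first_payload, later_payload, differs) per repeated data segment."""
    seen, hits = {}, []
    for flow, seq, payload in tcp_segments(pcap):
        if not payload:
            continue  # bare SYN/ACK segments carry no data to compare
        key = (flow, seq)
        if key in seen:
            # Same flow and sequence number again: a retransmission.
            # Different bytes than the first copy suggest injected data.
            hits.append((flow, seq, seen[key], payload, seen[key] != payload))
        else:
            seen[key] = payload
    return hits

def _frame(seq: int, payload: bytes) -> bytes:
    """Constructed pcap record: Ethernet/IPv4/TCP with zeroed checksums."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 21, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    eth = b"\x00" * 12 + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

# Constructed capture: two ordinary segments, then a resend of seq 1000 with new bytes.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _frame(1000, b"USER demo\r\n")
               + _frame(1011, b"PASS placeholder\r\n")
               + _frame(1000, b"EXAMPLE{constructed}\r\n"))
```

Calling `find_retransmissions(open("trace.pcap", "rb").read())` applies the same check to a downloaded capture, provided it is in classic little-endian pcap format rather than pcapng.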