PcapPoisoning picoCTF 2023 Solution

Published: April 26, 2023

Description

A network capture file hides the flag in plaintext inside one of its packets. Run strings on the file to surface it without needing Wireshark.

Download trace.pcap.

Run strings on it and grep for pico to find the flag immediately.

bash
wget https://artifacts.picoctf.net/c/371/trace.pcap
bash
strings trace.pcap | grep pico

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Run strings and grep for the flag
    Observation
    I noticed the challenge provided a raw PCAP file and the setup hint mentioned plaintext packet data, which suggested that the flag was stored unencoded in the file bytes and could be surfaced with the strings command rather than requiring Wireshark.
    The flag is embedded in plaintext inside a packet payload. A simple strings command surfaces every printable run of bytes in the file. Piping through grep pico finds the flag in one step without opening Wireshark.
    bash
    strings trace.pcap | grep pico

    Expected output

    picoCTF{P64P_4N4L1515_15_Fun_A8777...f}
    What didn't work first

    Tried: Opening trace.pcap in Wireshark and scrolling through individual packets looking for the flag.

    Wireshark displays packet bytes one frame at a time, so you have to scroll through dozens of packets manually. The strings pipeline collapses the entire file into printable runs and grep pinpoints the flag in one command, making Wireshark unnecessary for this challenge.

    Tried: Running strings trace.pcap without piping to grep, then searching the terminal output visually.

    The raw strings output for a PCAP is hundreds of lines of protocol headers, HTTP noise, and random printable garbage. Without grep pico the flag is buried in the scroll. Adding grep pico filters the output down to the one matching line immediately.

    Learn more

    PCAP files store raw network traffic. Packet payloads are just byte sequences, and when the application protocol transmits data in plaintext, the flag shows up verbatim in the file bytes. The strings command extracts every run of printable characters, so a single pipeline finds plaintext flags without any protocol-level analysis.

    This is the first triage step for any forensics challenge involving a packet capture: try strings file.pcap | grep pico before reaching for Wireshark. It works whenever the flag is transmitted as unencoded ASCII in a single contiguous packet payload.

    If strings comes up empty, open the capture in Wireshark and use Follow TCP/UDP Stream to reassemble the application-layer conversation. The challenge is named PcapPoisoning as a hint about TCP injection, but the flag is accessible by the simpler strings path.

Interactive tools
  • Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
  • Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.

Flag

Reveal flag

picoCTF{P64P_4N4L1515_15_Fun_A8777...f}

strings trace.pcap | grep pico returns the flag directly.

Key takeaway

Network captures preserve all transmitted data exactly as it crossed the wire, and cleartext protocols (HTTP, FTP, DNS, Telnet) expose credentials, payloads, and file transfers in full without any decryption step. The strings command is the fastest first triage because it extracts printable byte runs from any binary file regardless of packet framing or protocol. This is why TLS everywhere matters in production: an attacker with access to a PCAP from a cleartext session recovers everything retroactively, long after the connection closed.

Related reading

Want more picoCTF 2023 writeups?

Useful tools for Forensics

What to try next