Description
A "digital ghost" exfiltrated data through a small capture file. Sort the packets chronologically, reassemble the attacker's Base64 blobs, and decode them to reveal the stolen message.
Grab the PCAP and open it in Wireshark (or run `strings` if you just want the ASCII payloads).
Sort packets by time so you can read the attacker's exfiltration stream in order.
wget https://challenge-files.picoctf.net/c_verbal_sleep/4d25aca04e2409ba0d917d8ed27d49c6fb616ff9603fa3926712cce623a3d7f5/myNetworkTraffic.pcap
strings myNetworkTraffic.pcap
Solution
- Step 1: Identify the suspicious payloads. The capture contains TCP segments whose data fields are tiny Base64 strings ending with padding (==). Packet 9 is the first in the chain, followed by packets 21, 17, 15, 20, 13, and 8.
Learn more
PCAP (Packet Capture) files store raw network traffic recorded by tools like tcpdump, Wireshark, or network taps. The PCAP format stores each packet with a precise timestamp, enabling chronological reconstruction of conversations. PCAP analysis is a core skill in network forensics, incident response, and network-based CTF challenges.

Data exfiltration via TCP payload is one of the simplest covert channel techniques. An attacker who has compromised a host can embed stolen data in the payloads of outbound TCP connections, sometimes disguised as legitimate traffic. Fragmenting the data into small chunks (as here, with individual Base64 segments) mimics the behavior of keep-alive packets or protocol handshakes and can evade simple size-based anomaly detection.
Real-world exfiltration is often more sophisticated: data can be hidden in DNS query names (DNS tunneling), ICMP echo request payloads, HTTP User-Agent headers, or timing intervals between packets (covert timing channels). Tools like dnscat2 and iodine automate DNS-based exfiltration. Network detection tools like Zeek (via its scripts) and Suricata (via rules) can flag many of these patterns.
- Step 2: Concatenate in order. Copy the `cGljb0NURg==`, `ezF0X3c0cw==`, … `fQ==` strings in chronological order. Combining them, one per line, yields a multi-line Base64 blob representing the full flag.
Learn more
Packet ordering matters critically in network forensics. PCAP files record packets in the order they were captured, which usually reflects network arrival order, while TCP guarantees in-order delivery from the application's perspective. In this challenge the intended order is the one the timestamps give, which is why the writeup sorts by time. In a real capture of a single TCP connection, however, segments can arrive out of order (network reordering, parallel paths) or be retransmitted, and the byte stream is defined by TCP sequence numbers, not by capture time: re-sort by sequence number to reconstruct it correctly.

Wireshark's Follow TCP Stream feature (right-click a packet → Follow → TCP Stream) reassembles a complete TCP conversation in sequence-number order, discards retransmissions, and presents the payload as continuous text or hex. This is usually the fastest way to extract application-layer data from a PCAP. For UDP-based challenges, Follow UDP Stream works similarly but simply concatenates datagrams in capture order, since UDP has no sequence numbers to reassemble by.
The attacker's choice to split the flag into Base64 chunks sent across separate packets is a mild obfuscation: any string search tool would need to find each chunk individually and the analyst must know to concatenate them. In real-world incident response, exfiltrated data is rarely labeled so clearly - it might be encrypted, hidden in protocol fields, or mixed with legitimate traffic, requiring correlation across many data sources.
- Step 3: Decode to plaintext. Paste the combined data into CyberChef's From Base64 recipe or run it through `base64 -d` locally to reveal the picoCTF flag.
# Decode the chunks one at a time: each carries its own '=' padding, and a single
# space-separated line is not valid input for one base64 -d call (GNU coreutils
# stops at the first space with "invalid input").
for chunk in cGljb0NURg== ezF0X3c0cw== bnRfdGg0dA== XzM0c3lfdA== YmhfNHJfOA== ZTEwZTgzOQ== fQ==; do printf '%s' "$chunk" | base64 -d; done; echo
Learn more
Base64 is an encoding scheme, not encryption, that maps arbitrary binary data to a 64-character alphabet (A–Z, a–z, 0–9, +, /) plus = padding. It increases size by about 33% but ensures the data survives transport through systems that might corrupt binary content. Base64 is everywhere: email attachments (MIME), JWT tokens, data URIs in HTML/CSS, and API responses.

Identifying Base64 is straightforward: look for strings using only the 64-character alphabet, optionally ending with one or two = signs, with a length that is a multiple of 4. Short strings such as `ACKE` match that pattern by accident, so check that the decoded bytes make sense before trusting a hit. CyberChef (the GCHQ-developed web tool) is exceptionally useful for chaining decoding operations (From Base64, then hex decode, then gunzip, etc.) and is a standard tool in CTF and DFIR work.

The fact that the attacker used Base64 rather than encryption reveals a fundamental mistake: encoding is reversible by anyone, without a key. Sophisticated exfiltration would encrypt the data with a key only the attacker controls before encoding it, so that recovery from the capture alone is infeasible. Command-and-control frameworks such as Cobalt Strike and Metasploit's Meterpreter encrypt their traffic by default for exactly this reason.
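The three steps above, plus the Base64-identification heuristic just described, as one script. This is an added example written for this writeup, not part of picoCTF's challenge files and not one of the tools the page mentions. It parses the classic PCAP format directly with struct so it needs no third-party library, and it runs against a capture constructed in memory: the chunk values are the ones from the challenge, while the timestamps, addresses, ports and the two cover-traffic payloads are made up. To use it on the real file, pass the bytes of myNetworkTraffic.pcap to recover_message.

```python
# Added example for this writeup (not a picoCTF file): walk a classic microsecond PCAP,
# pull the TCP payloads, order them by timestamp and decode the Base64 chunks.
import base64
import re
import struct
from typing import List, Optional

B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def extract_tcp_payloads(pcap: bytes) -> List[dict]:
    """Return every non-empty TCP payload in an Ethernet/IPv4 PCAP, with its capture
    index, timestamp, endpoints and sequence number."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond PCAP (pcapng/nanosecond not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("example assumes LINKTYPE_ETHERNET")
    records, off, index = [], 24, 0
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        index += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:  # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack(">H", ip[2:4])[0]]
        if len(tcp) < 20:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset is in 32-bit words
        if not payload:
            continue  # pure ACK, SYN, FIN: nothing to exfiltrate in
        sport, dport, seq = struct.unpack(">HHI", tcp[:8])
        records.append({
            "index": index, "ts_sec": ts_sec, "ts_usec": ts_usec, "seq": seq,
            "src": f"{'.'.join(map(str, ip[12:16]))}:{sport}",
            "dst": f"{'.'.join(map(str, ip[16:20]))}:{dport}",
            "payload": payload,
        })
    return records


def decode_chunk(payload: bytes) -> Optional[str]:
    """Return the decoded text if `payload` is well-formed Base64 that yields printable
    ASCII, else None. Syntax alone is a weak signal (b"ACKE" is valid Base64), so the
    printability check is what rejects most accidental matches in cover traffic."""
    if len(payload) % 4 or not B64_RE.match(payload):
        return None
    try:
        text = base64.b64decode(payload, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def recover_message(pcap: bytes) -> str:
    """Steps 1-3 in one go: sort TCP payloads by timestamp (the order this challenge
    intends), keep the chunks that decode as text, and join them. Chunks are decoded
    one at a time because each carries its own '=' padding."""
    ordered = sorted(extract_tcp_payloads(pcap), key=lambda r: (r["ts_sec"], r["ts_usec"]))
    return "".join(t for r in ordered if (t := decode_chunk(r["payload"])) is not None)


def _frame(payload: bytes, sport: int, seq: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero (the parser ignores them)."""
    tcp = struct.pack(">HHIIBBHHH", sport, 443, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9]))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: the challenge's chunks in scrambled capture order, timestamps
    giving the true order, and two cover-traffic payloads. Hosts, ports, times are made up."""
    capture_order = [  # (ts_sec, ts_usec, payload)
        (1700000000, 700, b"fQ=="), (1700000000, 100, b"cGljb0NURg=="),
        (1700000000, 150, b"GET / HTTP/1.1\r\n"),  # noise: not Base64
        (1700000000, 600, b"ZTEwZTgzOQ=="), (1700000000, 400, b"XzM0c3lfdA=="),
        (1700000000, 450, b"ACKE"),  # noise: Base64 syntax, but decodes to non-text
        (1700000000, 300, b"bnRfdGg0dA=="), (1700000000, 500, b"YmhfNHJfOA=="),
        (1700000000, 200, b"ezF0X3c0cw=="),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (sec, usec, payload) in enumerate(capture_order):
        frame = _frame(payload, 40000 + i, 1000 * i)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    print(recover_message(build_sample_pcap()))
```

Running it prints the flag. Two design choices are worth noting: decoding per chunk avoids relying on any one base64 implementation tolerating padding in the middle of a blob, and the printable-ASCII filter is a heuristic for this challenge, which would wrongly discard chunks if the attacker had exfiltrated binary (or encrypted) data.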
Flag
picoCTF{1t_w4snt_th4t_34sy_tbh_4r_8e...}
If you use Wireshark and all the chunks belong to the same TCP connection, Follow TCP Stream on the first packet shows the Base64 segments in sequence order without any manual sorting.