Ph4nt0m 1ntrud3r picoCTF 2025 Solution

Published: April 2, 2025

Description

A "digital ghost" exfiltrated data through a small capture file. Sort the packets chronologically, reassemble the attacker's Base64 blobs, and decode them to reveal the stolen message.

Grab the PCAP and run capinfos to see capture duration and packet count.

Open it in Wireshark (or pull TCP payloads with tshark). Sort by time so you can read the exfiltration stream in order.

```bash
wget https://challenge-files.picoctf.net/c_verbal_sleep/4d25aca04e2409ba0d917d8ed27d49c6fb616ff9603fa3926712cce623a3d7f5/myNetworkTraffic.pcap
capinfos myNetworkTraffic.pcap
tshark -r myNetworkTraffic.pcap -Y tcp -T fields -e frame.number -e frame.time_epoch -e tcp.payload
```
PCAP triage techniques (Follow TCP Stream, payload extraction with tshark) live in the Wireshark and PCAP guide, and the Base64 reassembly is one of the canonical recipes in the CTF Encodings cheatsheet.
  1. Step 1: Identify the suspicious payloads
    The capture contains TCP segments whose data fields are tiny Base64 strings ending with == padding. Print frame numbers, epoch timestamps and payloads with tshark, then sort the rows by the second column (epoch timestamp): tshark prints frames in capture order, and in this capture that is not the chronological order. Packet 9 is the first in the chain, followed by packets 21, 17, 15, 20, 13, and 8. Note: zsteg is for image steganography, not pcaps - do not reach for it here.
    ```bash
    # Print frame number, timestamp, payload for the chunked TCP flow:
    tshark -r myNetworkTraffic.pcap -Y 'tcp.port == <PORT>' \
      -T fields -e frame.number -e frame.time_epoch -e tcp.payload
    # Sort the rows by the second column (epoch timestamp) to get the chronological order.
    ```
    Learn more

    PCAP (Packet Capture) files store raw network traffic recorded by tools like tcpdump, Wireshark, or network taps. The PCAP format stores each packet with a precise timestamp, enabling chronological reconstruction of conversations. PCAP analysis is a core skill in network forensics, incident response, and network-based CTF challenges.

    Data exfiltration via TCP payload is one of the simplest covert channel techniques. An attacker who has compromised a host can embed stolen data in the payloads of outbound TCP connections, sometimes disguised as legitimate traffic. Fragmenting the data into small chunks (as here, with individual Base64 segments) mimics the behavior of keep-alive packets or protocol handshakes and can evade simple size-based anomaly detection.

    Real-world exfiltration is often more sophisticated: data can be hidden in DNS query names (DNS tunneling), ICMP echo request payloads, HTTP User-Agent headers, or timing intervals between packets (covert timing channels). Tools like dnscat2 and iodine automate DNS-based exfiltration. Network detection tools like Zeek and Suricata include signatures for many of these patterns.

  2. Step 2: Concatenate in order and decode
    The canonical workflow here is manual extraction with tshark, because it makes the ordering explicit. Copy the cGljb0NURg==, ezF0X3c0cw==, ... fQ== strings in chronological order, concatenate, and pipe through base64 -d. The output starts with picoCTF{; if it doesn't, the packet order is wrong, so re-sort and try again. Wireshark's Follow TCP Stream is the GUI alternative - same data, just reassembled for you.
    ```bash
    # Concatenate the chunks (no newlines) and decode:
    printf '%s' 'cGljb0NURg==ezF0X3c0cw==bnRfdGg0dA==XzM0c3lfdA==YmhfNHJfOA==ZTEwZTgzOQ==fQ==' | base64 -d

    # One segment per line works too if you prefer:
    printf 'cGljb0NURg==\nezF0X3c0cw==\nbnRfdGg0dA==\nXzM0c3lfdA==\nYmhfNHJfOA==\nZTEwZTgzOQ==\nfQ==\n' | base64 -d
    # Expected: a string starting with picoCTF{
    ```
    Learn more

    Packet ordering matters critically in network forensics. PCAP files record packets in the order they were captured, which usually reflects network arrival order, but TCP guarantees in-order delivery from the application's perspective. When packets are out of capture order (due to network reordering or parallel paths), you must re-sort by TCP sequence number, not by capture time, to reconstruct the byte stream correctly.

    Wireshark's Follow TCP Stream feature (right-click a packet, Follow, TCP Stream) automatically reassembles a complete TCP conversation in sequence-number order, handles retransmissions, and presents the payload as continuous text or hex. This is usually the fastest way to extract application-layer data from a PCAP, and it is the recommended alternative workflow if the manual tshark approach above feels fiddly. For UDP-based challenges, Follow UDP Stream works similarly but without reassembly guarantees.

    Base64 is an encoding scheme, not encryption. It maps arbitrary binary data to a 64-character alphabet (A-Z, a-z, 0-9, +, /) plus = padding, and increases size by about 33%. The fact that the attacker used Base64 rather than encryption reveals a fundamental mistake: encoding is reversible by anyone without a key. Sophisticated exfiltration would encrypt the data with a key the attacker controls before encoding, which is exactly what command-and-control frameworks like Cobalt Strike and Metasploit do by default. CyberChef (the GCHQ-developed web tool) is exceptionally useful for chaining decoders if you need more than one transformation in sequence.
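As an added example (not from the original writeup), a Python script that automates Steps 1 and 2 together: it parses the three tshark columns, sorts the rows by epoch timestamp, and decodes each Base64 segment on its own. The capture rows, frame numbers, timestamps and message are constructed for illustration, not the challenge's own data.

```python
import base64

# Constructed sample (not the challenge's real capture): the three columns that
# tshark -T fields -e frame.number -e frame.time_epoch -e tcp.payload prints,
# tab-separated. The payload column is hex; older tshark releases separate the
# bytes with ':', so both spellings appear below and both are handled.
SAMPLE_MESSAGE = b"picoCTF{c0nstructed_s4mple}"   # placeholder, not the real flag

def _slices(data, size=7):
    return [data[i:i + size] for i in range(0, len(data), size)]

def _colon_hex(raw):
    return ":".join(f"{b:02x}" for b in raw)

# Each 7-byte slice is Base64-encoded on its own, as in the challenge, and the
# segments are written in a capture order that differs from their timestamps.
_SEGS = [base64.b64encode(s) for s in _slices(SAMPLE_MESSAGE)]
TSHARK_OUTPUT = "\n".join([
    "8\t1743500000.400\t" + _SEGS[3].hex(),
    "9\t1743500000.100\t" + _colon_hex(_SEGS[0]),
    "13\t1743500000.300\t" + _SEGS[2].hex(),
    "15\t1743500000.200\t" + _SEGS[1].hex(),
    "16\t1743500000.500\t",          # a frame with no payload (e.g. a bare ACK)
])

def parse_tshark_fields(text):
    """Return (frame, epoch, payload bytes) for every row that carries data."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[2]:
            continue                    # skip frames with an empty payload field
        frame, epoch, payload = parts[0], float(parts[1]), parts[2]
        rows.append((frame, epoch, bytes.fromhex(payload.replace(":", ""))))
    return rows

def reassemble_base64_stream(text):
    """Sort rows by epoch timestamp and decode each Base64 segment separately.

    Per-segment decoding does not depend on the decoder tolerating '=' padding
    in the middle of one long concatenated string.
    """
    ordered = sorted(parse_tshark_fields(text), key=lambda row: row[1])
    frames = [row[0] for row in ordered]
    decoded = b"".join(base64.b64decode(row[2], validate=True) for row in ordered)
    return frames, decoded

if __name__ == "__main__":
    frames, message = reassemble_base64_stream(TSHARK_OUTPUT)
    print("chronological frame order:", " ".join(frames))
    print(message.decode())
```

On the real capture, feed the script the output of the tshark command from Step 1 instead of TSHARK_OUTPUT; the printed frame order should match the chain listed there.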

Flag

picoCTF{1t_w4snt_th4t_34sy_tbh_4r_8e...}

If you use Wireshark, the Follow TCP Stream view also displays the Base64 segments in order once you pick the first packet.
