Description
A “digital ghost” exfiltrated data through a small capture file. Sort the packets chronologically, reassemble the attacker’s Base64 blobs, and decode them to reveal the stolen message.
Grab the PCAP and open it in Wireshark (or run `strings` if you just want the ASCII payloads).
Sort packets by time so you can read the attacker’s exfiltration stream in order.

```bash
wget https://challenge-files.picoctf.net/c_verbal_sleep/4d25aca04e2409ba0d917d8ed27d49c6fb616ff9603fa3926712cce623a3d7f5/myNetworkTraffic.pcap
strings myNetworkTraffic.pcap
```
Solution
- Step 1: Identify the suspicious payloads. The capture contains TCP segments whose data fields are tiny Base64 strings ending with padding (`==`). Packet 9 is the first in the chain, followed by packets 21, 17, 15, 20, 13, and 8.
- Step 2: Concatenate in order. Copy the `cGljb0NURg==`, `ezF0X3c0cw==`, … `fQ==` strings in chronological order. Combining them yields a multi-line Base64 blob representing the full flag.
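- Step 3: Decode to plaintext. Paste the combined data into CyberChef’s From Base64 recipe or run it through `base64 -d` locally to reveal the picoCTF flag. Each string carries its own `==` padding, and a space-separated line is not valid input for every `base64` build, so decode the strings one at a time:

  ```bash
  # Decode every padded chunk separately, in chronological order, then end the line
  for chunk in cGljb0NURg== ezF0X3c0cw== bnRfdGg0dA== XzM0c3lfdA== YmhfNHJfOA== ZTEwZTgzOQ== fQ==; do printf '%s' "$chunk" | base64 -d; done; echo
  ```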
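
The three steps above can also be scripted. The following is an added example, not part of the original write-up: it parses a classic pcap file, orders the TCP payloads by capture timestamp, and decodes each Base64 chunk independently. The function names, the timestamps and the noise segment in `SAMPLE` are constructed for the demo; only the Base64 strings come from this page.

```python
import base64, re, struct

B64 = re.compile(rb"[A-Za-z0-9+/]+={0,2}")

def tcp_payloads(pcap):
    """Yield ((sec, usec), payload) per TCP segment of a classic little-endian Ethernet pcap."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a classic little-endian pcap (pcapng needs another parser)")
    off = 24                                            # skip the global header
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                    # keep IPv4/TCP only
        tcp = 14 + (frame[14] & 0x0F) * 4               # skip the IP header
        if tcp + 20 > len(frame):
            continue                                    # truncated TCP header
        end = 14 + struct.unpack_from(">H", frame, 16)[0]   # drops Ethernet padding
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:end]
        if payload:
            yield (sec, usec), payload

def recover(pcap):
    """Order segments by capture timestamp and decode every padded chunk on its own."""
    out = b""
    for _, data in sorted(tcp_payloads(pcap), key=lambda r: r[0]):
        data = data.strip()
        if len(data) % 4 == 0 and B64.fullmatch(data):
            out += base64.b64decode(data, validate=True)
    return out.decode("ascii", "replace")

def sample_pcap(records):
    """Constructed capture: one zero-addressed Ethernet/IPv4/TCP frame per (second, payload)."""
    body = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, data in records:
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0, bytes(4), bytes(4))
        tcp = struct.pack(">HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x18, 1024, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp + data
        body += struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame
    return body

# The page's chunks, stored out of order with constructed timestamps, plus one noise segment.
SAMPLE = sample_pcap([(7, b"fQ=="), (3, b"bnRfdGg0dA=="), (1, b"cGljb0NURg=="),
                      (0, b"GET / HTTP/1.1\r\n"), (6, b"ZTEwZTgzOQ=="), (2, b"ezF0X3c0cw=="),
                      (5, b"YmhfNHJfOA=="), (4, b"XzM0c3lfdA==")])

if __name__ == "__main__":
    print(recover(SAMPLE))
```

To run it against the real capture, pass `open("myNetworkTraffic.pcap", "rb").read()` to `recover`. The length-and-alphabet filter is a heuristic, so review any short payload it accepts before trusting the output.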
Flag
picoCTF{1t_w4snt_th4t_34sy_tbh_4r_8e...}
If you use Wireshark, the Follow TCP Stream view also displays the Base64 segments in order once you pick the first packet.