Description
A suspicious cell tower has been detected in the network. Analyze the captured network traffic to identify the rogue tower, find the compromised device, and recover the exfiltrated flag.
Download the PCAP file and open it in Wireshark or analyze it with tshark.
Look for unusual cell tower signaling or data exfiltration patterns.
tshark -r rogue_tower.pcap
wireshark rogue_tower.pcap

Solution
- Step 1: Survey the traffic
Open the PCAP in Wireshark and check the protocol hierarchy to understand what types of traffic are present.
tshark -r rogue_tower.pcap -q -z io,phs
PCAP (Packet Capture) files store raw network packets in a standardized binary format originally developed by tcpdump. They capture every byte of every packet that passed through a network interface, including headers, payloads, and metadata. The tshark -z io,phs command generates a protocol hierarchy statistics report that shows a tree of all protocols present in the capture along with their packet counts and byte totals; this is the fastest way to understand what kind of traffic a large PCAP contains.

Rogue cell towers (also called IMSI catchers or Stingrays) are real-world attack devices that masquerade as legitimate base stations. They exploit the fact that mobile phones in 2G/3G networks authenticate to the network but the network does not authenticate back to the phone. When a phone connects to a rogue tower, the attacker can intercept calls, SMS messages, and data. In this CTF context, the "rogue tower" concept is simulated in network traffic that should reveal anomalous behavior distinct from legitimate base station traffic.
- Step 2: Identify the rogue tower
Look for anomalous base station identifiers (IMSI, cell ID, or similar) that don't match the legitimate network. Filter for suspicious signaling traffic.
In cellular networks, base stations are identified by several hierarchical identifiers: MCC (Mobile Country Code), MNC (Mobile Network Code), LAC (Location Area Code), and Cell ID. A rogue tower would typically have an unusual or spoofed combination of these identifiers - perhaps an MCC/MNC that does not match any registered carrier in the area, or a Cell ID that does not appear in legitimate network databases.
In Wireshark, cellular signaling protocols like UMTS, LTE RRC, NAS, or simulated equivalents can be filtered by their protocol name. The IMSI (International Mobile Subscriber Identity) is a unique 15-digit number that identifies a SIM card globally. When a rogue tower captures an IMSI, that device can subsequently be tracked and targeted. Wireshark supports filtering for specific IMSIs or cell IDs to isolate suspicious communications.
- Step 3: Find the compromised device
Track which device communicated with the rogue tower and extract any data it transmitted.
Once the rogue tower is identified by its anomalous cell identifiers, the next step is to find which device (or devices) connected to it. In a PCAP, this might appear as a device switching from a known legitimate base station to the suspicious one, then transmitting data. Wireshark's Conversations view (Statistics > Conversations) shows all unique communication pairs, making it easy to spot devices that talked to the rogue tower endpoint.
In real cellular security incidents, identifying a compromised device involves correlating the IMSI captured by the rogue tower with subscriber records, then working with the carrier to identify the physical subscriber. In this challenge, the "compromised device" is simply the source of the exfiltrated data - tracking its communications to the rogue tower IP or identifier will reveal the data stream containing the flag.
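As an added example (not part of the original walkthrough and not the challenge's intended solution), the following Python script applies the Step 2 and Step 3 checks to a constructed list of attach events: it flags cells announced under a PLMN the operator does not own, flags LAC/Cell ID pairs that are re-broadcast under a second PLMN, and lists which IMSI moved from a legitimate cell to the rogue one. The event tuples, the KNOWN_PLMNS set and the e212.imsi field name are assumptions; in a real capture the tuples would be exported with tshark -T fields from whichever signaling dissector the PCAP uses.

```python
"""Spot a spoofed cell and the subscribers that attached to it.

Added example, not the challenge's own solution. It runs over a list of
signaling events such as you could export with tshark -T fields (for
instance the e212.imsi field for the IMSI); the records are constructed.
"""
from collections import defaultdict

# Constructed attach/location-update events: (frame, imsi, mcc, mnc, lac, cell_id).
EVENTS = [
    (1, "310260123456789", "310", "260", "1001", "5001"),
    (2, "310260987654321", "310", "260", "1001", "5002"),
    (3, "310260123456789", "310", "260", "1001", "5001"),
    (4, "310260555555555", "310", "260", "1002", "5003"),
    # Same LAC/Cell ID as frame 1, but under the 001/01 test PLMN: a cloned cell.
    (5, "310260123456789", "001", "01", "1001", "5001"),
    (6, "310260987654321", "310", "260", "1001", "5002"),
    (7, "310260123456789", "001", "01", "1001", "5001"),
]

# PLMNs (MCC, MNC) the network legitimately operates; assumed for this example.
KNOWN_PLMNS = {("310", "260")}


def find_rogue_cells(events, known_plmns):
    """Cells (mcc, mnc, lac, cell_id) announced under a PLMN the operator does not own."""
    return {
        (mcc, mnc, lac, ci)
        for _, _, mcc, mnc, lac, ci in events
        if (mcc, mnc) not in known_plmns
    }


def find_cloned_cells(events):
    """(lac, cell_id) pairs seen under more than one PLMN: a legitimate cell's
    identity being re-broadcast by a second transmitter."""
    plmns_per_cell = defaultdict(set)
    for _, _, mcc, mnc, lac, ci in events:
        plmns_per_cell[(lac, ci)].add((mcc, mnc))
    return {cell for cell, plmns in plmns_per_cell.items() if len(plmns) > 1}


def find_victims(events, rogue_cells):
    """For each IMSI that attached to a rogue cell: the first rogue frame, the
    cell it was camped on just before that, and every rogue frame it produced."""
    last_cell = {}
    victims = {}
    for frame, imsi, mcc, mnc, lac, ci in sorted(events):
        cell = (mcc, mnc, lac, ci)
        if cell in rogue_cells:
            entry = victims.setdefault(
                imsi,
                {"first_frame": frame, "previous_cell": last_cell.get(imsi), "rogue_frames": []},
            )
            entry["rogue_frames"].append(frame)
        last_cell[imsi] = cell
    return victims


if __name__ == "__main__":
    rogue = find_rogue_cells(EVENTS, KNOWN_PLMNS)
    print("rogue cells:", rogue)
    print("cloned cells:", find_cloned_cells(EVENTS))
    for imsi, info in find_victims(EVENTS, rogue).items():
        print(f"IMSI {imsi} moved from {info['previous_cell']} to a rogue cell at frame {info['first_frame']}")
```

The cloned-cell check is the one worth keeping even when the unknown-PLMN check fires, because an impersonator that copies the real MCC/MNC would pass the first check and only show up as a LAC/Cell ID pair advertised from two places.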
- Step 4: Recover the flag
Extract the exfiltrated data stream and decode the flag from the captured payload.
tshark -r rogue_tower.pcap -Y '<filter>' -T fields -e data.data
tshark (the command-line version of Wireshark) can extract specific fields from packets using -T fields -e field.name. The data.data field contains raw payload bytes in hexadecimal. Combined with a display filter (-Y), this lets you extract only the payload bytes from packets matching specific criteria (source IP, destination port, protocol, etc.) and pipe them into a decoding script.

Data exfiltration in real cellular attacks can take many forms: DNS tunneling (data encoded in DNS queries), ICMP tunneling, unusual HTTP User-Agent strings, steganography in media streams, or even covert timing channels. In CTF challenges simulating this scenario, the data is usually more directly embedded: perhaps base64-encoded in a specific protocol field, or simply transmitted as plaintext in the payload of packets destined for the rogue tower's IP address.
This class of challenge (network forensics) mirrors the work of real incident responders and threat hunters who must analyze packet captures to understand what data was stolen in a breach. Tools like NetworkMiner, Zeek, and Suricata are professional-grade alternatives to Wireshark that can automatically reconstruct file transfers and flag anomalous communication patterns at scale.
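Once the Step 4 filter isolates the exfiltration stream, the hex that tshark prints still has to be reassembled and decoded. This added Python script (not the page's own code) does that for the output of tshark -r rogue_tower.pcap -Y '<filter>' -T fields -e frame.number -e data.data: it accepts both the colon-separated hex that older tshark releases print and the bare hex that newer ones print, concatenates the payloads in frame order, and searches the result as-is and then inside any base64-looking run. The sample lines, the "keepalive" noise packet and the flag value picoCTF{example_constructed_flag} are constructed for the demo; the real flag comes only from the capture.

```python
"""Reassemble and decode payload bytes dumped by tshark -T fields -e data.data.

Added example, not the challenge's own solution. Reads the tab-separated
'frame.number<TAB>data.data' lines tshark prints, rebuilds the stream and
looks for a picoCTF{...} token, raw or base64-encoded.
"""
import base64
import binascii
import re

FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}")

# Constructed stand-in for the stdout of:
#   tshark -r rogue_tower.pcap -Y '<filter>' -T fields -e frame.number -e data.data
# Older tshark versions separate hex bytes with colons, newer ones print bare
# hex; both shapes appear here. Frame 9 is a "keepalive\n" noise packet, and
# frames 12-19 carry base64("picoCTF{example_constructed_flag}") in four chunks.
SAMPLE_FIELDS_OUTPUT = "\n".join([
    "9\t6b:65:65:70:61:6c:69:76:65:0a",
    "12\t63:47:6c:6a:62:30:4e:55:52:6e:74:6c",
    "15\t654746746347786c58324e76",
    "17\t626e4e30636e566a6447566b",
    "19\t58325a7359576439",
])


def parse_fields_output(text):
    """Turn tshark field lines into a frame-ordered list of (frame, payload_bytes)."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, _, hexdata = line.partition("\t")
        # Drop byte separators; tshark also joins repeated field occurrences with commas.
        hexdata = hexdata.replace(":", "").replace(",", "").strip()
        if not hexdata:
            continue  # matched the filter but carried no data layer
        packets.append((int(frame), binascii.unhexlify(hexdata)))
    packets.sort()
    return packets


def reassemble(packets):
    """Concatenate payloads in capture order."""
    return b"".join(payload for _, payload in packets)


def find_flag(blob):
    """Search the bytes as-is, then inside every base64-looking run of 16+ chars."""
    match = FLAG_RE.search(blob)
    if match:
        return match.group(0).decode()
    for run in re.findall(rb"[A-Za-z0-9+/]{16,}={0,2}", blob):
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (wrong length or stray characters)
        match = FLAG_RE.search(decoded)
        if match:
            return match.group(0).decode()
    return None


def solve(text):
    """Full pipeline: tshark field output -> flag string, or None if absent."""
    return find_flag(reassemble(parse_fields_output(text)))


if __name__ == "__main__":
    import sys
    text = SAMPLE_FIELDS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print(solve(text) or "no flag found")
```

When piped, the script reads stdin, so the usage is tshark -r rogue_tower.pcap -Y '<filter>' -T fields -e frame.number -e data.data | python3 decode_exfil.py (the file name is arbitrary). Including frame.number in the export is what lets the script restore order if the filter output was sorted or edited by hand.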
Flag
picoCTF{...}
The flag is embedded in the data exfiltrated through the rogue tower traffic.