Rogue Tower picoCTF 2026 Solution

Published: March 20, 2026

Description

A suspicious cell tower has been detected in the network. Analyze the captured network traffic to identify the rogue tower, find the compromised device, and recover the exfiltrated flag.

Download the PCAP file and open it in Wireshark or analyze it with tshark.

Look for unusual cell tower signaling or data exfiltration patterns.

```bash
tshark -r rogue_tower.pcap
wireshark rogue_tower.pcap
```
  1. Step 1: Survey the traffic
    Run tshark's protocol hierarchy statistics and read the tree by byte count. The largest payload buckets point at where the exfiltration is happening.
    ```bash
    # Eyeball which protocol carries the most bytes - that's usually the exfil channel
    tshark -r rogue_tower.pcap -q -z io,phs
    ```

    tshark -z io,phs emits a protocol hierarchy statistics tree with packet and byte counts per protocol. Reading top-down by bytes tells you where the volume is. A rogue tower that dumps captured data tends to dominate one bucket: an HTTP User-Agent stuffed with hex, an unusually chatty DNS subdomain stream, or a flood of ICMP echoes carrying payload.

    Rogue cell towers (IMSI catchers, Stingrays) impersonate base stations. 2G/3G authentication is one-way: the phone proves itself to the network, the network does not prove itself back. So a phone happily latches onto whichever station has the strongest signal, and the rogue tower can sniff calls, SMS, and data, or reroute them through itself.

    See Wireshark and PCAP for CTF for the broader pcap-triage workflow and networking tools for CTF for the supporting kit.

  2. Step 2: Identify the rogue tower
    Filter on cellular signaling protocols and pull out the MCC/MNC fields. The rogue tower's MCC/MNC will not match any real carrier in the capture's region - that mismatch is the fingerprint.
    ```bash
    # Show NAS frames with non-US MCCs (US carriers use 310-316; e212.mcc is numeric, so a range test works)
    tshark -r rogue_tower.pcap -Y 'nas && !(e212.mcc >= 310 && e212.mcc <= 316)' -V | less
    ```
    ```bash
    # Every IMSI in the capture with the MCC/MNC it was seen under (e212.imsi is the decoded IMSI field)
    tshark -r rogue_tower.pcap -Y 'e212.imsi' -T fields -e e212.imsi -e e212.mcc -e e212.mnc
    ```

    Cellular base stations identify themselves with a four-tuple: MCC (Mobile Country Code, 3 digits), MNC (Mobile Network Code, 2-3 digits), LAC (Location Area Code), and Cell ID. The MCC/MNC pair is the carrier signature.

    • US carriers: MCC = 310-316. Verizon = 311-480, AT&T = 310-410, T-Mobile = 310-260.
    • UK: MCC = 234-235. Germany = 262. Japan = 440-441.
    • Anything outside the country's registered range, or any MCC/MNC that does not appear in the GSMA register (mcc-mnc.com), is anomalous.

    A rogue tower in a US capture might advertise MCC 001 (test/reserved), MCC 999 (private/test), or a real foreign carrier code. In Wireshark, useful display filters: nas && !(e212.mcc == 310), umts && imsi, gsm_a.dtap. The IMSI is a 15-digit subscriber identifier (3 MCC + 2-3 MNC + 9-10 MSIN); once captured it lets the attacker track that handset across cells.

  3. Step 3: Find the compromised device
    Dump every IMSI seen attaching to the rogue tower's cell. The repeating one is the compromised handset.
    ```bash
    # IMSIs carried in GSM DTAP signaling (the IMSI itself is exposed as e212.imsi)
    tshark -r rogue_tower.pcap -Y 'gsm_a.dtap && e212.imsi' -T fields -e e212.imsi | sort -u
    # Cross-reference with the suspicious MCC/MNC to isolate the victim
    ```

    Once you have the rogue tower's cell identifiers, every LocationUpdate or Attach request from a device to that cell is a connection event. Wireshark's Statistics > Conversations view groups by source/destination pair - the device that talks the most to the rogue is your target.

    In real cellular incidents, this is the step where investigators correlate captured IMSIs with carrier subscriber records to identify the actual person. In the CTF version, the compromised device is the IMSI whose data stream carries the flag-bearing payload.
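The MCC sanity check from Step 2 and the "which IMSI keeps attaching to the suspicious network" count from Step 3 can be done in one pass over tshark's field output. The script below is an added example, not the writeup's own code: it assumes the input lines come from `tshark -Y 'e212.imsi' -T fields -e e212.imsi -e e212.mcc -e e212.mnc` (tab-separated IMSI, MCC, MNC), and the sample rows are constructed rather than taken from the challenge capture.

```python
"""Triage 'tshark -T fields' output: flag anomalous MCCs, then find the IMSI that
keeps attaching to them (Steps 2 and 3). Added example, not the writeup's code.

Assumes the lines come from
  tshark -r rogue_tower.pcap -Y 'e212.imsi' -T fields -e e212.imsi -e e212.mcc -e e212.mnc
i.e. tab-separated IMSI, MCC, MNC. The sample rows below are constructed, not from
the challenge capture.
"""
from collections import Counter

# MCCs reserved for test/private networks (ITU-T E.212); no real carrier uses them.
TEST_MCCS = {"001", "999"}

# Expected MCC range for a capture taken in the US (310-316, per the writeup).
US_MCC_RANGE = range(310, 317)


def mcc_is_anomalous(mcc, expected=US_MCC_RANGE):
    """True when the MCC is a test code or lies outside the expected country range.
    tshark prints e212.mcc as an integer, so '1' and '001' are the same code."""
    mcc = str(mcc).strip().zfill(3)
    if mcc in TEST_MCCS:
        return True
    return int(mcc) not in expected


def split_imsi(imsi, mnc_len):
    """Split a 15-digit IMSI into (MCC, MNC, MSIN). The MNC is 2 or 3 digits and the
    digits alone don't say which, so the caller supplies the length (the e212.mnc
    column tells you)."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError(f"not a 15-digit IMSI: {imsi!r}")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def triage(lines, expected=US_MCC_RANGE):
    """Return (rogue_networks, victim_imsi).
    rogue_networks: set of (mcc, mnc) pairs whose MCC is anomalous.
    victim_imsi: IMSI seen most often on a rogue network, or None."""
    rogue_networks = set()
    attach_counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        # A packet carrying several IMSIs prints them comma-joined; keep the first.
        imsi, mcc, mnc = (col.split(",")[0].strip() for col in line.split("\t"))
        mcc = mcc.zfill(3)
        if mcc_is_anomalous(mcc, expected):
            rogue_networks.add((mcc, mnc))
            attach_counts[imsi] += 1
    victim = attach_counts.most_common(1)[0][0] if attach_counts else None
    return rogue_networks, victim


SAMPLE = [
    # imsi \t mcc \t mnc, as tshark prints them (integers, no leading zeros)
    "310260123456789\t310\t260",
    "310410987654321\t310\t410",
    "310260123456789\t1\t1",      # attach to MCC 001: test network, i.e. the rogue
    "310260123456789\t1\t1",
    "311480555000111\t311\t480",
    "310260123456789\t1\t1",
    "310410987654321\t1\t1",
]

if __name__ == "__main__":
    networks, victim = triage(SAMPLE)
    print("rogue networks:", networks)
    print("victim IMSI:", victim, split_imsi(victim, 3))
```

Pipe the real tshark output in with `triage(sys.stdin)` and adjust `expected` to the capture's country; the MNC length passed to `split_imsi` should match what the e212.mnc column shows, since a 2-digit and a 3-digit MNC cannot be told apart from the IMSI digits alone.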

  4. Step 4: Recover the flag
    Look at the channels exfil typically rides on (DNS query strings, ICMP payload, HTTP URI/User-Agent), pull the payload bytes, and decode.
    ```bash
    # DNS tunneling: subdomains carry hex/base64
    tshark -r rogue_tower.pcap -Y 'dns.qry.name' -T fields -e dns.qry.name
    ```
    ```bash
    # ICMP tunneling: payload carries raw bytes
    tshark -r rogue_tower.pcap -Y 'icmp' -T fields -e data.data
    ```
    ```bash
    # HTTP exfil: User-Agent and URI
    tshark -r rogue_tower.pcap -Y 'http' -T fields -e http.user_agent -e http.request.uri
    ```

    Common exfil channels and where to grep them:

    • DNS tunneling: data hex- or base32-encoded into dns.qry.name subdomain labels.
    • ICMP tunneling: data packed into echo request payloads, visible as data.data on type 8/0.
    • HTTP: request URI path, query parameters, User-Agent, or Cookie header carrying base64 chunks.
    • Custom TCP/UDP: payload of an unusual port pair, raw or lightly obfuscated.

    tshark -T fields -e <name> dumps just the field of interest as text, ready to pipe into a Python decode. NetworkMiner, Zeek, and Suricata automate file-carving and protocol anomaly detection at scale, but for a single PCAP, tshark plus a Python decoder is faster.
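The "pipe into a Python decode" step, written out as an added example (not the writeup's code): it takes the line output of the `dns.qry.name` and `data.data` commands above, reassembles the subdomain labels or echo payloads in capture order, tries hex, base32 and base64, and searches the result for the flag pattern. The tunnel domain `c2.example`, the sample queries and the flag values are constructed for the demo.

```python
"""Decode exfil payloads dumped with 'tshark -T fields' and hunt for the flag.

Added example, not the writeup's code. It expects the line output of
  tshark -r rogue_tower.pcap -Y 'dns.qry.name' -T fields -e dns.qry.name
  tshark -r rogue_tower.pcap -Y 'icmp'         -T fields -e data.data
The sample queries and payloads below are constructed; the tunnel domain
'c2.example' and the flag values are invented for the demo.
"""
import base64
import binascii
import re

FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}")


def _hex(s):
    return bytes.fromhex(s)


def _b32(s):
    # DNS labels are case-insensitive, so base32 may arrive lower-cased.
    s = s.upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def _b64(s):
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)


def decode_blob(blob):
    """Try the encodings exfil tools usually pick (hex, base32, base64) and return
    the first that decodes cleanly, or None."""
    for decoder in (_hex, _b32, _b64):
        try:
            return decoder(blob)
        except (ValueError, binascii.Error):
            continue
    return None


def dns_labels_to_bytes(names, base_domain):
    """Keep only queries under base_domain, strip that suffix, join the remaining
    labels in capture order and decode the result."""
    suffix = "." + base_domain.lower().rstrip(".")
    chunks = []
    for name in names:
        name = name.strip().rstrip(".")
        if not name.lower().endswith(suffix):
            continue                      # ordinary lookup, not the tunnel
        chunks.append(name[:-len(suffix)].replace(".", ""))
    return decode_blob("".join(chunks))


def icmp_payloads_to_bytes(data_fields):
    """tshark prints data.data as hex, colon-separated on older builds; join the
    echo payloads in order."""
    return b"".join(
        bytes.fromhex(f.strip().replace(":", "")) for f in data_fields if f.strip()
    )


def find_flag(raw):
    """Return the first picoCTF{...} string in raw bytes, or None."""
    m = FLAG_RE.search(raw) if raw else None
    return m.group(0).decode() if m else None


# Constructed sample: flag hex-encoded across 16-char subdomain labels of c2.example.
SAMPLE_DNS = [
    "www.example.org",                 # noise, ignored
    "7069636f4354467b.c2.example",
    "726f6775655f746f.c2.example",
    "7765725f64656d6f.c2.example",
    "7d.c2.example",
]

# Constructed sample: a different flag split over two ICMP echo payloads.
SAMPLE_ICMP = [
    "70:69:63:6f:43:54:46:7b",
    "69:63:6d:70:7d",
]

if __name__ == "__main__":
    print("DNS :", find_flag(dns_labels_to_bytes(SAMPLE_DNS, "c2.example")))
    print("ICMP:", find_flag(icmp_payloads_to_bytes(SAMPLE_ICMP)))
```

Hex is tried first because it is the only one of the three that cannot be confused with the others on realistic data; base64 in DNS labels is unreliable in practice because resolvers may lower-case the name, which is why tunnels tend to use hex or base32 there. If the capture's queries arrive out of order, sort the lines by frame time (`-e frame.time_epoch`) before joining.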

Flag

picoCTF{...}

The flag is embedded in the data exfiltrated through the rogue tower traffic.
