Silent Stream

Published: March 20, 2026

Description

We recovered a suspicious packet capture file that seems to contain a transferred file. The sender was kind enough to also share the script they used to encode and send it. Can you reconstruct the original file? Download the PCAP, packets.pcap, and the encoding script, encrypt.py.

Download packets.pcap and encrypt.py.

Open the PCAP in Wireshark and read encrypt.py to understand the encoding scheme.

wireshark packets.pcap &
cat encrypt.py

Solution

  1. Step 1: Read the encoding script
    Open encrypt.py to understand the encoding scheme. The encoder adds a fixed key of 42 to each byte, modulo 256: encoded = (original + 42) % 256. The encoded bytes were then sent over the network and captured in the PCAP.
    cat encrypt.py
  2. Step 2: Extract the TCP stream from the PCAP
    Open the PCAP in Wireshark, follow the TCP stream that carries the file, and save the sender's direction as raw binary. If the capture holds more than one conversation, check Statistics → Conversations to find the right stream index. From the command line, tshark's raw follow mode prints the hex with a text header and footer and indents the return direction with a tab, so keep only the unindented hex lines before converting back to bytes; a plain `tail` would leave the footer in and break the hex decode.
    wireshark packets.pcap &
    # Right-click a packet → Follow → TCP Stream → select the sender's direction → Show data as: Raw → Save as...
    # Or use tshark (stream index 0; the grep drops the header/footer and the tab-indented reverse direction):
    tshark -r packets.pcap -q -z follow,tcp,raw,0 | grep -E '^[0-9a-fA-F]+$' | tr -d '\n' | xxd -r -p > encoded.bin
  3. Step 3: Reverse the encoding (subtract key 42)
    The decoding is the mathematical inverse: original = (encoded - 42) % 256. Python's % operator never returns a negative value, so encoded bytes below 42 wrap back around to the high end of the byte range as they should. Apply this to every byte of the extracted stream to recover the original file.
    python3 << 'EOF'
    with open("encoded.bin", "rb") as f:
        encoded = f.read()
    key = 42
    # (b - key) % 256 undoes (b + key) % 256 for every byte, wrap-around included
    decoded = bytes((b - key) % 256 for b in encoded)
    with open("decoded.bin", "wb") as f:
        f.write(decoded)
    # Only meaningful if the result is text; binary output is better inspected with file(1)
    print(decoded.decode(errors="replace"))
    EOF
  4. Step 4: Identify and read the decoded file
    Run file first to learn what came out. If it is text, cat it and look for the flag; if it is an image or archive, open it with the matching tool to find the flag inside. If file reports only "data", the key or the stream direction is probably wrong: go back to Step 2 and try the other direction of the stream.
    file decoded.bin
    cat decoded.bin
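The whole procedure in one script, as an added example and not the challenge's own files: it parses a classic pcap directly, reassembles one TCP direction in sequence order (tolerating out-of-order delivery and retransmissions, which Follow → TCP Stream does for you in Wireshark), reverses the +42 shift, and checks the result's magic bytes, which is also how you would confirm the key if encrypt.py were missing. The capture, the addresses 10.0.0.1/10.0.0.2, the ports and the PNG-prefixed payload are constructed inline for offline testing and are not from packets.pcap.

```python
"""Added example (not the challenge's code): reassemble one TCP direction from a
classic pcap and reverse the +42 byte shift in pure Python, without tshark."""
import struct
from collections import defaultdict

KEY = 42                   # additive key read from encrypt.py
LINKTYPE_ETHERNET = 1
MAGIC = {b"\x89PNG\r\n\x1a\n": "PNG", b"PK\x03\x04": "ZIP", b"\x1f\x8b": "gzip",
         b"\xff\xd8\xff": "JPEG", b"%PDF": "PDF", b"\x7fELF": "ELF"}

def encode(data, key=KEY):
    return bytes((b + key) % 256 for b in data)

def decode(data, key=KEY):
    return bytes((b - key) % 256 for b in data)   # exact inverse, wrap-around included

def sniff_type(data):
    """Cheap stand-in for `file`: a few magic numbers, else 'text' or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "text" if all(32 <= b < 127 or b in b"\t\r\n" for b in data) else "unknown"

def find_keys(encoded):
    """Key unknown? Try all 256 shifts and keep the ones that yield a recognisable file."""
    return [(k, kind) for k in range(256) if (kind := sniff_type(decode(encoded, k))) != "unknown"]

def tcp_segments(pcap):
    """Yield ((src, sport, dst, dport), seq, payload) for every TCP segment carrying data."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                              # little-endian classic pcap
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng? convert: tshark -r in -F pcap -w out)")
    if struct.unpack_from(end + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "IIII", pcap, off)[2]
        raw = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(raw) < 54 or raw[12:14] != b"\x08\x00" or raw[23] != 6:
            continue                           # not IPv4, or not TCP
        ip = raw[14:14 + struct.unpack_from("!H", raw, 16)[0]]
        tcp = ip[(ip[0] & 0x0F) * 4:]          # skip IPv4 header (IHL words)
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]     # skip TCP header (data offset words)
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload

def reassemble(segments):
    """Order each direction's segments by seq; drop retransmitted bytes (no seq-wrap handling)."""
    by_flow = defaultdict(dict)
    for flow, seq, payload in segments:
        by_flow[flow][seq] = payload           # same seq seen twice = retransmission
    streams = {}
    for flow, segs in by_flow.items():
        buf, expected = bytearray(), min(segs)
        for seq in sorted(segs):
            payload = segs[seq]
            if seq < expected:
                payload = payload[expected - seq:]      # partial overlap: keep only new bytes
            elif seq > expected:
                raise ValueError(f"{seq - expected} bytes missing from flow {flow}")
            buf += payload
            expected += len(payload)
        streams[flow] = bytes(buf)
    return streams

def recover(pcap, key=KEY):
    """Decode the direction that carried the most data; return (decoded bytes, detected type)."""
    streams = reassemble(tcp_segments(pcap))
    sender = max(streams, key=lambda f: len(streams[f]))
    decoded = decode(streams[sender], key)
    return decoded, sniff_type(decoded)

# Constructed capture for offline testing; this is not packets.pcap.
SAMPLE_FILE = b"\x89PNG\r\n\x1a\n" + b"constructed sample, not a real image\n"

def tcp_frame(src, dst, sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap():
    """10.0.0.1 ships the encoded file out of order with one retransmission; 10.0.0.2 replies."""
    snd, rcv, enc = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), encode(SAMPLE_FILE)
    frames = [tcp_frame(snd, rcv, 4444, 9000, 1016, enc[16:32]),   # second chunk arrives first
              tcp_frame(snd, rcv, 4444, 9000, 1000, enc[:16]),
              tcp_frame(snd, rcv, 4444, 9000, 1000, enc[:16]),     # retransmission
              tcp_frame(rcv, snd, 9000, 4444, 5000, b"ok"),        # reverse direction
              tcp_frame(snd, rcv, 4444, 9000, 1032, enc[32:])]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    data, kind = recover(sample_pcap())
    print(kind, data)                          # PNG b'\x89PNG...'
    print(find_keys(encode(SAMPLE_FILE)))      # [(42, 'PNG')]
```

Run it as-is to watch the constructed sample decode; for the real challenge, pass the bytes of packets.pcap to recover(). The parser only understands the classic pcap container, so if Wireshark saved the capture as pcapng, convert it first with tshark -r packets.pcapng -F pcap -w packets.pcap. The find_keys() check is the fallback for a missing or untrusted encrypt.py: an additive byte cipher has only 256 keys, and the right one is the one that makes a known file header appear.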

Flag

picoCTF{s1l3nt_str34m_...}

The encoding scheme is encoded = (original + 42) % 256 -- extract the TCP stream from the PCAP, then reverse it with (encoded − 42) % 256 per byte.