picoCTF Solutions

March 28, 2026

Networking Tools for CTF Challenges

A hands-on guide to netcat, curl, Wireshark, and nmap for solving picoCTF web exploitation and general skills challenges.

Introduction

Networking challenges are some of the most common in picoCTF. They appear across nearly every category: general skills challenges where you must connect to a service and read output, web exploitation where you craft HTTP requests with specific headers or cookies, and forensics where you analyze captured network traffic in a pcap file. Even binary exploitation challenges are usually remote -- you exploit a service running on a server, not a local binary.

The good news is that five tools cover the vast majority of what you will need: netcat for raw TCP connections, curl for HTTP requests, Wireshark (and its CLI sibling tshark) for pcap analysis, nmap for port discovery, and your browser's built-in DevTools for inspecting and manipulating web requests without installing anything at all.

This guide shows the exact commands you will use in a CTF context, with examples drawn from real picoCTF challenges. Each tool section links directly to the challenge where it was the key to finding the flag.

Tip: All tools here run on Linux (and macOS). On Windows, use WSL2 for netcat, curl, tshark, and nmap. Browser DevTools works identically everywhere.

netcat (nc)

netcat (the nc command) is the simplest way to open a raw TCP connection to a challenge server. When picoCTF says "connect with nc challenge.picoctf.org 12345" this is the tool they mean. It sends everything you type to the server and prints everything the server sends back -- nothing more, nothing less.

Install

sudo apt install netcat-openbsd   # Debian / Ubuntu / Kali
# macOS: nc is pre-installed

Connecting to a challenge service

# Basic connection
nc challenge.picoctf.org 12345
# With a timeout (exit if idle for 5 seconds)
nc -w 5 challenge.picoctf.org 12345
# Pipe a pre-written answer directly into nc
echo '42' | nc challenge.picoctf.org 12345
# Pipe a multi-line payload file
nc challenge.picoctf.org 12345 < payload.txt

Listening mode (for reverse shells)

Some challenges involve getting a server to connect back to you. netcat can listen on a local port and accept that incoming connection.

# Listen on port 4444 and print anything that connects
nc -lvnp 4444
# -l  listen mode
# -v  verbose (print connection info)
# -n  numeric only (no DNS lookup)
# -p  port number
Tip: If you need to script the interaction -- send different messages based on what the server replies -- switch to Python with pwntools rather than trying to automate nc directly. See the Python for CTF guide for that pattern.

curl

curl is an HTTP Swiss Army knife. It sends arbitrary HTTP requests from the command line, including custom headers, cookies, POST bodies, and form data. In web exploitation challenges, curl lets you craft exactly the request the challenge expects -- something a regular browser may not allow you to do easily.

Install

sudo apt install curl   # usually pre-installed on Kali and Ubuntu

Basic GET and POST requests

# Simple GET request
curl http://challenge.picoctf.org:8080/
# Follow redirects (important for login flows)
curl -L http://challenge.picoctf.org:8080/
# POST with form data
curl -X POST http://challenge.picoctf.org:8080/login \
     -d 'username=admin&password=secret'
# POST with JSON body
curl -X POST http://challenge.picoctf.org:8080/api \
     -H 'Content-Type: application/json' \
     -d '{"username": "admin", "password": "secret"}'

Setting cookies and headers

# Send a specific cookie value
curl http://challenge.picoctf.org:8080/flag \
     -b 'admin=true'
# Multiple cookies
curl http://challenge.picoctf.org:8080/flag \
     -b 'session=abc123; role=admin'
# Custom header (e.g. a secret header the server checks)
curl http://challenge.picoctf.org:8080/flag \
     -H 'X-Secret-Header: picoCTF'
# Combine: POST with cookie and custom header
curl -X POST http://challenge.picoctf.org:8080/submit \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     -b 'admin=1' \
     -d 'answer=flag'

Inspecting response headers

# Show response headers only
curl -I http://challenge.picoctf.org:8080/
# Show both headers and body
curl -i http://challenge.picoctf.org:8080/
# Save cookies from the server for reuse
curl -c cookies.txt http://challenge.picoctf.org:8080/login \
     -d 'user=admin&pass=admin'
# Send those saved cookies in the next request
curl -b cookies.txt http://challenge.picoctf.org:8080/flag

Challenges that use curl

picoCTF 2023 / more-sqlipicoCTF 2024 / bookmarkself

Wireshark / tshark

Wireshark is the standard GUI tool for analyzing packet captures (pcap files). Forensics challenges often provide a .pcap or .pcapng file containing recorded network traffic and ask you to find the flag hidden somewhere inside it -- in an HTTP response body, a DNS query, an FTP download, or a TCP stream.

tshark is Wireshark's command-line counterpart. It reads the same pcap files but outputs text, making it scriptable and usable on servers without a graphical desktop.

Install

# Wireshark (GUI)
sudo apt install wireshark
# tshark (CLI, part of the wireshark package)
sudo apt install tshark

tshark: CLI analysis

# List all packets (summary view)
tshark -r capture.pcap
# Filter for HTTP traffic only
tshark -r capture.pcap -Y 'http'
# Show only source IP, destination IP, and HTTP URI
tshark -r capture.pcap -Y 'http.request' \
       -T fields -e ip.src -e ip.dst -e http.request.uri
# Extract all HTTP response bodies
tshark -r capture.pcap -Y 'http.response' \
       -T fields -e http.file_data
# Search for the flag string across all packets
tshark -r capture.pcap -Y 'frame contains "picoCTF"'

Wireshark GUI: following a TCP stream

The most useful Wireshark feature for CTF work is Follow TCP Stream. It reassembles all the packets in a single TCP connection and shows the full conversation as readable text -- perfect for HTTP, FTP, or custom protocols.

  1. Open the pcap via File > Open.
  2. In the filter bar, type tcp or http to narrow the packet list.
  3. Right-click any packet in an interesting stream and choose Follow > TCP Stream.
  4. The popup shows the full conversation. Red text is client-to-server; blue is server-to-client. Use Save as to export just the server-side data if it is a binary file.
  5. Use Ctrl+F inside the stream view to search for picoCTF.

Useful Wireshark display filters

http                  # all HTTP traffic
http.request.method == "POST"   # POST requests only
dns                   # all DNS queries and responses
ftp || ftp-data       # FTP control and data channels
tcp.stream eq 0       # first TCP stream only
frame contains "pico" # any packet containing the string 'pico'

Challenges that use Wireshark

picoCTF 2023 / packets primer

nmap

nmap is a network port scanner. In most picoCTF challenges the host and port are given to you directly, so nmap is not always necessary. But it becomes essential when a challenge says only "connect to this IP address" and you need to discover which ports are open and what services are running on them.

Install

sudo apt install nmap   # pre-installed on Kali Linux

Basic scanning

# Scan the 1000 most common ports (fast, good starting point)
nmap challenge.picoctf.org
# Service and version detection (-sV) on all 65535 ports
nmap -sV -p- challenge.picoctf.org
# Scan a specific port only
nmap -p 8080 challenge.picoctf.org
# OS detection + service detection (requires root)
sudo nmap -O -sV challenge.picoctf.org
# Aggressive scan: OS, version, scripts, traceroute
sudo nmap -A challenge.picoctf.org

Reading nmap output

nmap prints a table of open ports with the service name and version it detected. Focus on the STATE column: open means the port is reachable. The SERVICE column tells you what protocol to use -- if it says http, open it in a browser or curl; if it says ssh, connect with ssh; an unknown service can be probed with nc.

# Example nmap output:
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9
80/tcp   open  http    Apache httpd 2.4.52
8080/tcp open  http    Werkzeug httpd 2.3 (Python 3.10)
# Result: three services to explore
# -> port 80 and 8080 in browser/curl
# -> port 22 with: ssh user@challenge.picoctf.org
Note: nmap scans can be slow on challenge instances if the network path has many hops. Use -T4 for faster timing or --min-rate 1000 to send at least 1000 packets per second. Be aware that aggressive scans may trigger rate limiting on picoCTF servers.

Browser DevTools

Every modern browser ships with a powerful suite of developer tools -- and for many web exploitation challenges, these are all you need. No installation required. Press F12 (or Cmd+Option+I on macOS) in Chrome, Firefox, or Edge to open them.

Network tab: inspecting requests

The Network tab records every HTTP request the page makes. This is where you find hidden API calls, see exactly what cookies and headers the browser sends, and inspect full request/response bodies.

  1. Open DevTools and go to the Network tab.
  2. Reload the page (the tab must be open before the page loads to capture all requests).
  3. Click any request to see its Headers, Payload, and Response panels.
  4. Right-click a request and choose Copy > Copy as cURL to get a ready-to-run curl command with all headers and cookies filled in.

Application tab: editing cookies

The Application tab (Chrome) or Storage tab (Firefox) shows cookies, localStorage, and sessionStorage. You can double-click any cookie value and edit it directly -- no curl needed.

  1. Go to Application > Cookies > [your domain].
  2. Find the relevant cookie (e.g. admin, role, session).
  3. Double-click the Value cell and type the new value.
  4. Reload the page -- the server now sees your modified cookie.

Console tab: running JavaScript

The Console tab lets you execute arbitrary JavaScript in the context of the current page. This is useful for reading cookie values, interacting with page elements, or decoding data embedded in the page source.

// Read all cookies
document.cookie
// Decode a base64 string found in the page source
atob('cGljb0NURntmbGFnfQ==')
// Submit a form field you can't normally edit
document.querySelector('input[name=admin]').value = 'true';
document.querySelector('form').submit();

Challenges that use DevTools

picoCTF 2024 / bookmarkself

Quick reference

Not sure which tool to reach for? Use this card grid as a decision guide based on the challenge type.

netcat (nc)Easy

Use case: TCP service challenges

Technique: Raw TCP connection, piping payloads

curlEasy

Use case: Web / HTTP challenges

Technique: Custom headers, cookies, POST bodies

WiresharkMedium

Use case: pcap / pcapng files

Technique: GUI packet analysis, stream following

tsharkMedium

Use case: pcap / pcapng files

Technique: CLI packet filtering and field extraction

nmapEasy

Use case: Unknown challenge hosts

Technique: Port and service discovery

Browser DevToolsEasy

Use case: Web / HTTP challenges

Technique: Cookie editing, request inspection, JS console

Recommended first-pass workflow for a networking challenge

  1. If given a host and port with no protocol hint, try nc host port first. The banner will tell you what protocol to use.
  2. If it is HTTP (port 80, 8080, or a URL is given), open it in a browser first and inspect with DevTools. Look at cookies, page source, and network requests.
  3. If you need to set specific headers or automate requests, switch to curl. Use Copy as cURL from DevTools to get a baseline command.
  4. If you receive a pcap file, open it in Wireshark, filter for http first, and use Follow TCP Stream on any interesting session. Use tshark -r file.pcap -Y 'frame contains "pico"' to quickly grep for the flag.
  5. If you only have an IP address and need to discover services, run nmap -sV ip to identify open ports.