[CTF] picoGym - NTA

Welcome back to myblog, Today i will be solving some Network Traffic Analysis challenges from picoGym platform. I really love this type of Challenges.

Wireshark doo

We are given with shark1.pcapng capture file. I looked through the packets and got this strange string Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}. Apparently its Caeser Cipher , decode it to get the flag.

Trivial Flag Transfer Protocol

We got tftp.pacpng file, its quite large in size. Whole traffic is in TFTP protocol. So what is this TFP protocol ?.

Trivial File Transfer Protocol (TFTP) is a simple protocol that provides basic file transfer function with no user authentication.

Looks like there are some files being transferred. In Wireshark File -> Export Objects -> TFTP shows the files in this captured data.

I saved all of the files to a folder.


After sometime i figured it out that its encoded in ROT13 , so simply decode it we get this text TFTPDOESNTENCRYPTOURTRAFFICSOWEMUSTDISGUISEOURFLAGTRANSFER.FIGUREOUTAWAYTOHIDETHEFLAGANDIWILLCHECKBACKFORTHEPLAN , this string is meaningful , it just lacks spaces in between words.

I also checked whats inside the program.deb , turns out it is steghide program install file. The bitmap images should be stegofiles, i tried to take a look at those files using steghide but it required password.

There is one more file , that is plan , it also have ROT13 encoded string , after decoding it i got this text IUSEDTHEPROGRAMANDHIDITWITH-DUEDILIGENCE.CHECKOUTTHEPHOTOS.

Hmm 🤔 , we need password to get contents from stegofiles , but this doesn’t make much sense. Where is the password ?.

Wait a minute , HID IT WITH - DUEDILIGENCE. Could it be DUEDILIGENCE the password ? , Lets see. picture1.bmp and picture2.bmp gave error.

On picture3.bmp , steghide extract -sf picture3.bmp and entered DUEDILIGENCE passphrase. Boom we got flag.txt.

Wireshark twoo

This one took some time to solve . I looked through the packets and couldn’t find any interesting one. This challenge got two hints , the second one is Look for traffic that seems suspicious.

OK i haven’t found any suspicious TCP or HTTP packets. But later when i looked at DNS queries , something is off. cGljb0NU.reddshrimpandherring.com.windomain.local in this specific query the subdomain looks like base64 string. And all remaining requests have base64 encoded subdomain. Of this packet , destination IP is which is google DNS.

After scrolling further down , found few requests with Destination IP I made a script to filter all DNS requests to this IP.

from base64 import b64decode
from scapy.all import *

pkts = rdpcap("shark2.pcapng")

flag = b""

def filterStr(s):
    result = ""
    for i in s.decode():
        if i == '.':
        result += i
    return result.encode() 

for packet in pkts:
    if DNSQR in packet:
        if len(packet[DNSQR].qname) <= 36 and packet[IP].dst == "":
           if packet[IP].id == 50726:

           flag += filterStr(packet[DNSQR].qname)

print("Base64 Encoded string : ", flag)
print("Decoded Flag : ", b64decode(flag))

Thats all for today , see y’all next time.