[CTF] wtfCTF - Writeups

Hello friends , welcome back to my blog. Yesterday i played wtfCTF with my team TamilCTF and we secured 4th place.


Score : 500

Description : An attacker fed Evil data into network using spoon. Can you retrieve the data fed into the network?

Hint : udp

We are given with a pcap file ( Network Traffic Capture ). As hint suggests i looked the udp traffic , at first i wasn’t able to see any actual UDP packets , most of them were either QUIC or DNS. Later i filtered the result by size , wow now we can see many UDP packets.

No wonder it didn’t showed up at first , there is no payload section in these packets. Basically they are empty UDP packets. If there is no payload where could be the data !?.

Back to description , An attacker fed Evil data into network using spoon. I didn’t had any idea what this means , my teammate Game0v3r said it could be Spoon Language. Ok , lets assume the data is in spoon language , Spoon Language consist of 0s and 1s just like binary.

I looked through the traffic again , found a weird pattern. Some packets have RESERVED BIT ON and ) in the hex view and others don’t have. Still i wasn’t able to figure out the situation.



This time my teammate Jopraveen suggested that ) could be 1 and others 0. After spending some time in Scapy interactive shell , i got the logic , the RESERVED BIT flag had string evil and others didn’t had , so evil = 1 and others 0.

Final script :-

from scapy.all import *

binary_data = ""

pkts = rdpcap("captured.pcapng")

for pkt in pkts:
    if UDP in pkt:
         if not IP in pkt:
         if pkt[IP].src == "":
             if pkt[IP].flags == 'evil':
                binary_data += "1"
                binary_data += "0"


# Decode it using https://www.dcode.fr/spoon-language

Flag : wtfctf{r3v3rs3_b1t5_4r3_v3ry_1mp0rt4nt_4nd_3v1l}