Description
Figure out how they moved the flag.
📝 Challenge Overview
In this challenge we captured files transferred over TFTP (Trivial File Transfer Protocol) using Wireshark, inspected a recovered text file (which was ROT13-encoded), discovered a hint pointing to steganography (steghide) in an image, and finally extracted a hidden file (flag.txt) from the image using a guessed password.
🔍 Step 1: Capture TFTP files with Wireshark
- Open Wireshark and start capturing on the relevant network interface.
- After the TFTP transfer occurs, go to File → Export Objects → TFTP to save files that were transferred over TFTP.
📝 Explanation: Exporting TFTP objects from Wireshark lets you recover files that were transmitted in the capture. TFTP is an unencrypted small-file transfer protocol — anything sent can be grabbed from a packet capture.
🧾 Step 2: Inspect recovered text files and decode ROT13
- Open the
.txtfiles you downloaded from the TFTP export. - If the text looks nonsense, try applying ROT13 (a simple letter-substitution cipher). After ROT13 decoding, the message described that something was done to a photo (i.e., the photo had been tampered/modified).
📝 Explanation: ROT13 is a trivial obfuscation often used in CTFs. It shifts letters 13 places (A↔N etc.). Decoding it can reveal hints left by the challenge author.
🖼️ Step 3: Look for steganography hints and examine image files
- The decoded message pointed to a picture that had been manipulated. Among the recovered files there were several images.
- Try
steghide info picture3.bmpto ask steghide whether that image contains embedded data. The output included the textANDHIDITWITH-DUEDILIGENCE(which appears to hint thatDUEDILIGENCEis used as a password to hide the flag).
📝 Explanation: steghide is a common tool used to hide files inside images (or audio) with encryption. steghide info tells you whether an image contains embedded data and metadata that may hint at the password.
🔐 Step 4: Extract the hidden file with steghide
- Use
steghide extract -sf picture3.bmpand provide the passwordDUEDILIGENCEwhen prompted. steghidethen extractedflag.txtfrompicture3.bmp.
📝 Explanation: steghide extract pulls out data hidden in the carrier file (here picture3.bmp). If the stego data was encrypted, you must supply its correct passphrase to decrypt and extract the embedded file.
🏁 Capture the Flag
📎 The steghide extraction produced a file named flag.txt. That file contained the challenge flag.(Note: the original message says flag.txt was extracted, but the exact flag content was not provided in the source text. To view it locally run: cat flag.txt or open it in a text editor.)
📊 Summary
| Step | Command / Action | Purpose | Key Result |
|---|---|---|---|
| 1 | Wireshark → File > Export Objects > TFTP | Recover files transferred over TFTP from the capture | Downloaded TFTP files saved locally |
| 2 | ROT13 decode the recovered .txt | Reveal hidden hint text inside obfuscated file | Message indicating the photo was tampered with |
| 3 | steghide info picture3.bmp | Check whether image contains hidden data and any hints | Output showed ANDHIDITWITH-DUEDILIGENCE |
| 4 | steghide extract -sf picture3.bmp (password: DUEDILIGENCE) | Extract and decrypt embedded file from image | flag.txt extracted |
💡 Beginner Tips
- 🧰 Always save packet captures (
.pcap) and exported files in a project folder so you can re-check them later. - 🔎 If a text file looks like nonsense, try simple ciphers first (ROT13, Base64, Caesar). They’re common hint encodings.
- 📸 For images, try common steganography tools:
steghide,zsteg(for PNG),exiftool(for metadata). - 🔑 Hints to passwords often appear in nearby files or in decoded text — read everything carefully.
- 🧾 When a file extracts a
flag.txt, always open it to read the exact flag string (do not assume its format).
🎓 What you learn (takeaways)
- Captures can leak whole files when protocols like TFTP (which lack encryption) are used.
- Simple encodings like ROT13 are used to hide hints — always try small, fast decoders first.
- Steganography tools (steghide) are used to hide data inside images;
steghide infocan reveal that data exists and sometimes hint at passwords. - Combining network forensics and steganography is a valuable skill for beginner CTFs and real-world investigations.
⚡ Short explanations for commands / techniques used
- 🐟 Wireshark (File → Export Objects → TFTP)
- What: Wireshark network analyzer export function.
- Why: Retrieves files that were transferred using TFTP from the capture file.
- How (example): Open the capture, then
File → Export Objects → TFTPand save the listed files.
- 🔁 ROT13
- What: A simple substitution cipher rotating alphabet letters by 13.
- Why: Common, trivial obfuscation used to hide plain text hints.
- How (example): On Linux/macOS:
echo 'Gur Pnl' | tr 'A-Za-z' 'N-ZA-Mn-za-m'or use online ROT13 tools.
- 📷 steghide info <file>
- What: Steghide command to inspect a carrier file for embedded data.
- Why: To check whether an image or audio file contains hidden data and get metadata (which may include password hints).
- How (example):
steghide info picture3.bmp— this prints whether data is present and some hint text if any.
- 🔓 steghide extract -sf <file>
- What: Command to extract embedded data from a carrier file.
- Why: To retrieve the hidden file (e.g.,
flag.txt) stored inside the image. - How (example):
steghide extract -sf picture3.bmp— when prompted, provide the passphrase (e.g.,DUEDILIGENCE). You can also pass-p DUEDILIGENCEto provide the password inline, but be cautious (shell history).
- 🧾 cat flag.txt / open in editor
- What: Show or edit the extracted flag file.
- Why: To read the exact flag string required for scoring the challenge.
- How (example):
cat flag.txtorless flag.txtor open in your favorite text editor.