Description
Can you find the flag? shark1.pcapng.
📝 Challenge Overview
In this challenge we inspect an HTTP transfer captured by Wireshark. By following an HTTP 200 response and viewing the TCP stream, we find a ROT13‑encoded string. Decoding the ROT13 reveals the flag.
🔎 Step 1: Open the packet capture in Wireshark
- Load the `.pcap` (or `.pcapng`) capture file into Wireshark.
- Use the display filter to find HTTP responses: `http.response.code == 200`, or search for the string `HTTP/1.1 200 OK (text/html)` in the packet list.
📝 Explanation: Filtering for HTTP 200 responses narrows packets to successful HTTP replies — a likely place to find embedded text or hints (HTML bodies often contain interesting content).
🔗 Step 2: Follow the TCP stream for the relevant packet
- Right-click the HTTP response packet of interest and choose Follow → TCP Stream.
- In the TCP stream view, inspect the HTTP body — you should see the encoded string: `cvpbPGS{c33xno00_1_f33_h_qrnqorrs}`
📝 Explanation: “Follow TCP Stream” reconstructs the full conversation between client and server so you can read the HTTP payload as plain text rather than as individual packets.
🔐 Step 3: Decode ROT13
- The string from the TCP stream is ROT13-encoded. Decode it to reveal the real flag.
- Example ways to decode ROT13:
  - On the command line (Linux/macOS):
    ```bash
    echo 'cvpbPGS{c33xno00_1_f33_h_qrnqorrs}' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
    ```
  - In Python:
    ```python
    import codecs
    print(codecs.decode('cvpbPGS{c33xno00_1_f33_h_qrnqorrs}', 'rot_13'))
    ```
  - Or use CyberChef / an online ROT13 tool.
📝 Explanation: ROT13 is a simple substitution cipher (A↔N, B↔O, …). It’s commonly used in CTFs to obfuscate flags or hints. Decoding reveals human-readable text instantly.
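As an added example (not part of the original writeup), the following Python reproduces Steps 2 and 3 on a reassembled stream: it parses a constructed HTTP 200 response, honours `Content-Length`, and pulls out flag-shaped strings, applying the same letter mapping as the `tr` command when the plain text does not already start with `picoCTF{`. The sample stream is constructed to resemble the response described above, not the actual capture contents.

```python
import re

# Constructed sample of a reassembled server->client TCP stream, modelled on the
# HTTP 200 response described in the writeup (not the actual capture contents).
SAMPLE_STREAM = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 60\r\n"
    "\r\n"
    "<html><body>cvpbPGS{c33xno00_1_f33_h_qrnqorrs}</body></html>"
)

# Same mapping as `tr 'A-Za-z' 'N-ZA-Mn-za-m'`: rotate letters 13 places, keep everything else.
_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
_LOWER = _UPPER.lower()
_ROT13 = str.maketrans(_UPPER + _LOWER,
                       _UPPER[13:] + _UPPER[:13] + _LOWER[13:] + _LOWER[:13])


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one function both encodes and decodes."""
    return text.translate(_ROT13)


def parse_http_response(stream: str):
    """Split a reassembled HTTP response into (status code, headers, body)."""
    head, _sep, body = stream.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, code, _reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:  # trailing bytes past the declared body are not the body
        body = body[: int(headers["content-length"])]
    return int(code), headers, body


# Anything shaped like a CTF flag: a word, an opening brace, content, closing brace.
FLAG_RE = re.compile(r"[A-Za-z0-9]+\{[^}\s]*\}")


def find_flags(stream: str, prefix: str = "picoCTF{") -> list:
    """Return flag-shaped strings from a 200 response body, ROT13-decoding where needed."""
    code, _headers, body = parse_http_response(stream)
    if code != 200:
        return []
    found = []
    for match in FLAG_RE.finditer(body):
        for candidate in (match.group(0), rot13(match.group(0))):
            if candidate.startswith(prefix) and candidate not in found:
                found.append(candidate)
    return found
```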
🏁 Capture the Flag
✅ After decoding with ROT13, the flag is: `picoCTF{p33kab00_1_s33_u_deadbeef}`
📊 Summary
| Step | Command / Action | Purpose | Key Result |
|---|---|---|---|
| 1 | Open capture in Wireshark | Load network traffic for analysis | Capture loaded |
| 2 | Filter/search for `HTTP/1.1 200 OK` and Follow → TCP Stream | Reconstruct HTTP response body | Found encoded string `cvpbPGS{...}` |
| 3 | ROT13 decode (e.g., `tr` or Python) | Decode obfuscated text | Flag `picoCTF{p33kab00_1_s33_u_deadbeef}` |
💡 Beginner Tips
- 🧭 When searching in Wireshark, use both display filters (like `http`) and string search (Ctrl+F → Packet bytes or Strings) to locate readable content.
- 🔁 If you see gibberish that looks like a pattern (letters and braces), try common encodings quickly: ROT13, Base64, hex.
- 🗂 Save interesting packets (or the whole capture) and note packet numbers — you can always reopen and re-follow streams.
- 🔐 Be careful with online decoders if the data is sensitive; prefer local tools for security.
🎓 What you learn (takeaways)
- HTTP traffic in captures often contains plain text (forms, pages, flags) — always inspect HTTP bodies.
- “Follow TCP Stream” is an essential Wireshark feature to reassemble and read payloads.
- ROT13 is a very common, trivial obfuscation used in beginner CTFs — try it early when you see odd alphabetic strings.
⚡ Short explanations for commands / techniques used
- 🐙 Wireshark — filter / search for `HTTP/1.1 200 OK (text/html)`
  - What: A way to narrow packets to successful HTTP responses.
  - Why: The HTTP body in a 200 response often contains content or hidden strings.
  - How: Use the display filter `http` or search the packet list for the response line.
- 🔁 Follow → TCP Stream
  - What: Reconstructs the entire TCP conversation between two endpoints.
  - Why: Makes the full request/response readable in one window instead of fragmented packets.
  - How: Right-click a relevant packet → Follow → TCP Stream.
- 🔁 ROT13 decoding (`tr` or Python `codecs.decode(..., 'rot_13')`)
  - What: A substitution cipher that rotates letters 13 places.
  - Why: Simple obfuscation used to hide flags — trivial to reverse.
  - How: Use `tr 'A-Za-z' 'N-ZA-Mn-za-m'` in the shell or decode in Python.
- 🧾 `cat flag.txt` / view result
  - What: Read the decoded flag or extracted file.
  - Why: Confirm the exact flag format for submission.
  - How: Output to the terminal or open in an editor.