One communications protocol over certain ports to rule them all.
Flag format: ctf{sha256}
Goal: In this challenge you receive a capture dump and your goal is to find the attacker techniques used to leak the flag.
  • If we inspect the flag.pcap file in Wireshark, we see some TCP packets mixed in the UDP sequence.

  • I’ve filtered by tcp.

  • The file contains 138 TCP packets, which is len(flag)*2: the flag format ctf{sha256} gives 4 + 64 + 1 = 69 characters, so each character is spread over two TCP packets.

  • I’ve extracted their destination ports using tshark (one port per line).

tshark -r flag.pcap -Y "tcp" -T fields -e tcp.dstport > extracted
  • Then, using Python (solve.py), I’ve assembled the flag: each character is carried by two consecutive destination ports, the high nibble first and the low nibble second, with port 1337 standing in for a low nibble of 0xb.
# one destination port per line, as written by the tshark command above
arr = open("extracted", "r").read().split("\n")[:-1]
arr = [int(i) for i in arr]          # each port is one nibble; 1337 is a placeholder
flag = ''
i = 0
while i < len(arr):
    if arr[i + 1] == 1337:           # placeholder port stands for the low nibble 0xb
        flag += chr(arr[i] * 16 + 0xb)
    else:
        flag += chr(arr[i] * 16 + arr[i + 1])
    i += 2                           # two packets per character
print(flag)
python3 solve.py
ctf{REDACTED}
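The same nibble-per-port channel as an added example (not the writeup's solve.py): a decoder generalised to any port list with the 1337 placeholder, an encoder used only to build constructed sample traffic, and a defender-side heuristic that flags the pattern in (src, dst, dport) connection records. The hosts, ports and threshold are constructed for the demo.

```python
# Added example, not the writeup's own code. Decodes the port-number covert channel
# described above and flags it in connection records. All sample data is constructed.
from collections import Counter

SENTINEL = 1337          # placeholder port standing in for the low nibble 0xb


def decode_ports(ports):
    """Rebuild text from TCP destination ports: two packets per character,
    high nibble then low nibble; a low nibble of 0xb arrives as port 1337."""
    if len(ports) % 2:
        raise ValueError("odd number of packets: every character needs two")
    out = []
    for hi, lo in zip(ports[0::2], ports[1::2]):
        if lo == SENTINEL:
            lo = 0xb
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError(f"port pair ({hi}, {lo}) is not a nibble pair")
        out.append(chr(hi * 16 + lo))
    return "".join(out)


def encode_ports(text):
    """Inverse of decode_ports; used here only to build constructed sample traffic."""
    ports = []
    for ch in text:
        hi, lo = divmod(ord(ch), 16)
        ports += [hi, SENTINEL if lo == 0xb else lo]
    return ports


def flag_nibble_channel(records, min_hits=8):
    """Defender heuristic: a (src, dst) pair with many TCP connections to ports 0-15
    (or the sentinel) is using port numbers as a data channel. records are
    (src, dst, dport) tuples, e.g. from flow logs; returns the suspicious pairs."""
    hits = Counter()
    for src, dst, dport in records:
        if dport < 16 or dport == SENTINEL:
            hits[(src, dst)] += 1
    return sorted(pair for pair, n in hits.items() if n >= min_hits)


# Constructed demo traffic: the covert channel plus ordinary HTTPS connections.
SAMPLE_PORTS = encode_ports("ctf{0a}")   # 7 chars -> 14 packets, '{' uses the sentinel
SAMPLE_RECORDS = [("10.0.0.5", "203.0.113.9", p) for p in SAMPLE_PORTS] + \
                 [("10.0.0.7", "203.0.113.9", 443)] * 20

if __name__ == "__main__":
    print(decode_ports(SAMPLE_PORTS))           # prints ctf{0a}
    print(flag_nibble_channel(SAMPLE_RECORDS))  # prints [('10.0.0.5', '203.0.113.9')]
```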