
Routine Checks


Routine System Checks (Forensics) - Detailed Writeup

Given file: challenge.pcap

Description: Routine system checks were performed on the city’s communication network after reports of instability. Operators sent brief messages between nodes to confirm everything was running smoothly. Most of the exchanges are ordinary status updates, but one message stands out as… different.

Expected flag format: apoorvctf{...}

1) Initial triage

First, identify what kind of traffic exists and where unusual data volume appears.

```bash
file challenge.pcap
tshark -r "challenge.pcap" -q -z io,phs
tshark -r "challenge.pcap" -q -z conv,tcp
```

Key observations:

  • Capture is standard Ethernet/IP/TCP (pcap, little-endian).
  • Most streams are small text-like payloads.
  • One stream stands out by size:
    • 127.0.0.1:33610 -> 127.0.0.1:5001
    • carries a large payload (5688 bytes) in a single packet.

That is immediately suspicious for hidden content.


2) Locate the suspicious payload

Inspect payload-bearing frames:

```bash
tshark -r "challenge.pcap" -Y "tcp.len>0" -T fields \
  -e frame.number -e tcp.stream -e tcp.srcport -e tcp.dstport -e data.len
```

The suspicious packet is:

  • frame 14, tcp.stream 1, 33610 -> 5001, data.len = 5688

Dump that payload as hex:

```bash
tshark -r "challenge.pcap" -Y "frame.number==14" -T fields -e data
```

The payload starts like:

  • 3f d8 ff e0 00 10 4a 46 49 46 ...

The JFIF signature appears at offset 6, which strongly suggests JPEG data, but the first byte is 0x3f instead of the 0xff expected from the JPEG SOI marker (ff d8). A single corrupted header byte is enough to make `file` and image viewers reject the data, which is why the stream did not stand out as an image at first glance.


3) Reconstruct the hidden JPEG

Save the payload and repair the first byte.

```bash
# Save raw payload from frame 14 into stream1.bin
# (the original solve used a short Python helper calling tshark; xxd does the same here,
#  and tr strips the colons older tshark versions put between hex bytes)
tshark -r "challenge.pcap" -Y "frame.number==14" -T fields -e data | tr -d ':\n' | xxd -r -p > stream1.bin

# Patch first byte 0x3f -> 0xff and write stream1_fixed.jpg
{ printf '\xff'; tail -c +2 stream1.bin; } > stream1_fixed.jpg
```

After patching, validation confirms a real JPEG:

```bash
file stream1_fixed.jpg
```

Output indicates:

  • JPEG/JFIF
  • grayscale image
  • dimensions 99 x 99

At this point, the “different” message is not plain text; it is an embedded image sent over a TCP stream.
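The same triage and repair logic in pure Python, as an added example that is not the writeup's own helper script: it walks a little-endian pcap (Ethernet/IPv4/TCP framing, as reported in step 1), picks the TCP segment with the largest payload, and restores the SOI byte when the data carries the JFIF signature. `challenge.pcap` is replaced by a constructed two-packet capture built inline; `_frame`, `tcp_payloads`, `repair_jpeg` and `find_hidden_image` are names chosen here.

```python
import struct

# Constructed pcap: one routine status message and one oversized segment that
# carries JFIF data whose leading SOI byte reads 0x3f instead of 0xff.
def _frame(sport, dport, payload):
    """Build one pcap record: Ethernet/IPv4/TCP around the given payload (constructed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     b"\x7f\x00\x00\x01", b"\x7f\x00\x00\x01") + tcp
    eth = b"\x00" * 12 + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _frame(33601, 5001, b"node-7 status: ok\n")
               + _frame(33610, 5001, b"\x3f\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64))

def tcp_payloads(pcap: bytes):
    """Yield (srcport, dstport, payload) for every TCP segment that carries data."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian pcap (magic d4 c3 b2 a1)")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 frames only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # protocol field: not TCP
            continue
        tcp = ip[ihl:struct.unpack_from("!H", ip, 2)[0]]  # bounded by IP total length
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset is in 32-bit words
        if payload:
            yield sport, dport, payload

def repair_jpeg(payload: bytes):
    """Return the payload with SOI restored if it is JFIF data with a clobbered first byte."""
    if payload[1:4] == b"\xd8\xff\xe0" and payload[6:10] == b"JFIF":
        return b"\xff" + payload[1:]
    return None

def find_hidden_image(pcap: bytes):
    """Take the largest TCP payload (the size anomaly from step 1) and try to repair it."""
    sport, dport, data = max(tcp_payloads(pcap), key=lambda t: len(t[2]))
    fixed = repair_jpeg(data)
    return None if fixed is None else (sport, dport, fixed)
```

Writing the returned bytes to disk gives the same `stream1_fixed.jpg` that `file` then recognises as JPEG/JFIF.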


4) Decode the obvious visual payload (decoy)

Running QR decode on stream1_fixed.jpg gives:

  • apoorvctf{this_aint_it_brother}

But this is a fake flag.

So we continue deeper.


5) Check for second-layer hiding inside the JPEG

Since this is a simple forensics challenge and the QR is intentionally fake, the likely next step is classic image stego.

Check with steghide:

```bash
steghide info "stream1_fixed.jpg" -p ""
```

Important result:

  • Embedded file exists: realflag.txt
  • Embedded content is compressed + encrypted

Try extraction with empty passphrase (common CTF trick for “easy” stego layers):

```bash
steghide extract -sf "stream1_fixed.jpg" -p "" -f
```

This successfully extracts realflag.txt.


6) Recover final flag

Read the extracted file:

```bash
cat realflag.txt
```

Recovered flag:

apoorvctf{b1ts_wh1sp3r_1n_th3_l0w3st_b1t}


Why this solve path is correct

  • The pcap mostly contains repetitive routine text, matching the prompt's narrative.
  • One TCP message is anomalous by payload size and binary structure.
  • That payload reconstructs into an image containing a decoy QR flag.
  • The real flag is hidden one layer deeper via stego (steghide embedded file).
  • Extraction is reproducible and deterministic from the original challenge.pcap.

Minimal reproducible command flow

Final flag:

apoorvctf{b1ts_wh1sp3r_1n_th3_l0w3st_b1t}

https://nahil.xyz/vault/writeups/apoorvctf2026/forensics/routine-checks/
Author Nahil Rasheed
Published at March 24, 2026
Disclaimer This content is provided strictly for educational purposes only.