Ph4nt0m 1ntrud3r
Name: Ph4nt0m 1ntrud3r
Description: A digital ghost has breached my defenses, and my sensitive data has been stolen! 😱💻 Your mission is to uncover how this phantom intruder infiltrated my system and retrieve the hidden flag. To solve this challenge, you'll need to analyze the provided PCAP file and track down the attack method. The attacker has cleverly concealed his moves in well timely manner. Dive into the network traffic, apply the right filters and show off your forensic prowess and unmask the digital intruder! Find the PCAP file here Network Traffic PCAP file and try to get the flag.
Author: Prince Niyonshuti N.
Tags: Easy, Forensics, picoCTF 2025, browser_webshell_solvable
Challenge from: picoCTF 2025
Files: myNetworkTraffic.pcap
Hints:
1. Filter your packets to narrow down your search.
2. Attacks were done in timely manner.
3. Time is essential
Theory
According to the description, to get the flag we have to look through a large capture of network traffic, and I'd guess the flag is scattered across the network requests. So for this level I installed a program called Wireshark, just to open the pcap file. I really don't know how it works, but the program is great tbh.
Solution
Let's download the traffic file and open it in Wireshark (image):

So it seems there is some Base64 at the end there, and if we go through the other requests, there's Base64 in each of them. Let's copy these out and see if converting them to text gets us somewhere:
E0@rPP Lhvf7II= E0@rPP /5fqQIg= E0@rPP y'fTd1V7s= E0@rPP 16HAGdM= E0@rPP PKHTSHY= E4@nPP [ezF0X3c0cw== E0@rPP 9KWLzF4= E0@rPP /ELpxZM= E0@rPP yhXzlxm8= E0@rPP f548XfQ= E4@nPP L MzE4ZGIyMg== E,@vPP ifQ== E0@rPP ibDmOhQk= E4@nPP ZXzM0c3lfdA== E0@rPP /Bbaggk= E0@rPP RZODaYw= E4@nPP AcGljb0NURg== E0@rPP FGn0CTc= E4@nPP YmhfNHJfZg== E4@nPP RbnRfdGg0dA== E0@rPP GIdHCVs= E0@rPP PTyeVM4=
Let's clean that up:
Lhvf7II= 5fqQIg= fTd1V7s= 16HAGdM= PKHTSHY= ezF0X3c0cw== 9KWLzF4= ELpxZM= yhXzlxm8= f548XfQ= MzE4ZGIyMg== ifQ== ibDmOhQk= ZXzM0c3lfdA== Bbaggk= RZODaYw= AcGljb0NURg== FGn0CTc= YmhfNHJfZg== RbnRfdGg0dA== GIdHCVs= PTyeVM4=
Also, when I pulled these out of the traffic file, there were some stray characters in the way; those were easy to spot because Base64 doesn't have slashes, spaces, or an apostrophe. So I'll use this JavaScript code to go through each Base64 string we got and decode it twice: first as-is, and the second time with the first character cut off, in case something was still in the way. Now that I've run the code, it turns out a lot of the results are nonsensical Base64, but these are the ones that contain normal flag characters:
BASE64 DECODE (Base64Decode.com)
INPUT (run in the browser console, with list holding the cleaned strings above and base64_decode being the site's decoder):
for (let i of list) { console.log(base64_decode(i)); console.log(base64_decode(i.slice(1))); }
OUTPUT (only the fragments made of normal flag characters):
{1t_w4s 318db22 } _34sy_t picoCTF bh_4r_f nt_th4t
Now let's try rearranging these into a flag. As you can see, I didn't get it on the first try, but eventually landed on the correct flag:
picoCTF{1t_w4s_34sy_tnt_th4tbh_4r_f318db22} # nope
picoCTF{1t_w4s_34sy_tbh_4r_fnt_th4t318db22} # nope
picoCTF{1t_w4snt_th4t_34sy_tbh_4r_f318db22} # yay correct
There we go! That's the flag.
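As an added example (not the write-up's own code), here is the clean-up and decode step done programmatically, with the surviving fragments ordered by packet timestamp instead of guessed, which is what the "time is essential" hint points at. The payload tokens are the ones copied from the capture above; the timestamps are constructed for illustration, since the page does not list them.

```javascript
// Added example: clean the extracted Base64, decode it, keep only fragments
// made of flag characters, and order them by packet time.
// Payload tokens come from the write-up; the timestamps are CONSTRUCTED
// to illustrate ordering by capture time (the page does not list them).
const PACKETS = [
  { ts: 1.40, payload: "ezF0X3c0cw==" },
  { ts: 5.10, payload: "y'fTd1V7s=" },
  { ts: 5.30, payload: "L MzE4ZGIyMg==" },
  { ts: 0.90, payload: "/5fqQIg=" },
  { ts: 6.00, payload: "ifQ==" },
  { ts: 2.70, payload: "ZXzM0c3lfdA==" },
  { ts: 0.30, payload: "AcGljb0NURg==" },
  { ts: 4.40, payload: "YmhfNHJfZg==" },
  { ts: 1.80, payload: "RbnRfdGg0dA==" },
  { ts: 3.90, payload: "PTyeVM4=" },
];

const B64 = /^[A-Za-z0-9+/]+={0,2}$/;

// Take the last whitespace-separated token, drop characters outside the
// Base64 alphabet, then shave leading characters until the rest is valid
// Base64 with a length that is a multiple of 4. Note that '/' and '+' are
// legal Base64, so a stray leading '/' is only caught by the length rule.
function cleanBase64(raw) {
  let s = raw.trim().split(/\s+/).pop().replace(/[^A-Za-z0-9+/=]/g, "");
  while (s.length > 0 && !(B64.test(s) && s.length % 4 === 0)) s = s.slice(1);
  return s;
}

// Decode one payload; return the text only if every byte is a character a
// picoCTF flag can contain, otherwise null (binary noise is discarded).
function decodeFlagFragment(raw) {
  const cleaned = cleanBase64(raw);
  if (cleaned === "") return null;
  const text = Buffer.from(cleaned, "base64").toString("latin1");
  return /^[A-Za-z0-9_{}]+$/.test(text) ? text : null;
}

// Keep the decodable fragments, sort them by capture timestamp, and join.
function reassembleFlag(packets) {
  return packets
    .map(p => ({ ts: p.ts, frag: decodeFlagFragment(p.payload) }))
    .filter(p => p.frag !== null)
    .sort((a, b) => a.ts - b.ts)
    .map(p => p.frag)
    .join("");
}

console.log(reassembleFlag(PACKETS)); // picoCTF{1t_w4snt_th4t_34sy_tbh_4r_f318db22}
```

With real capture data, the timestamps come from the packet headers, so the same sort replaces the trial-and-error reordering done above.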
I rated this level as "good"! :3
https://play.picoctf.org/practice/challenge/459