260 words
1 minutes
CryptoNite CTF 2026 - Shark of the Wire I - Forensics Writeup
Event Archive

CryptoNite CTF 2026

Posts, writeups, and notes grouped under this event.

Archive/8 posts
Events/CryptoNite CTF 2026
2026-03-10
Writeup
CTF
/
Security
/
Forensics

Category: Forensics Flag: TACHYON{n3tw0rking_is_4un}

Challenge Description#

We intercepted a suspicious local transmission on a developer’s machine. The communication was brief. Almost silent. Can you uncover what was transmitted?

Analysis#

This challenge was a clean forensic packet-inspection task: identify what was actually transmitted and prove it from capture data. I started by verifying the artifact type so I knew I was working with a raw packet capture and not a wrapper format.

file "challenge.pcap"
challenge.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (No link-layer encapsulation, capture length 524288)

After type validation, I pulled printable content as a quick signal check. This is useful in tiny captures where plaintext payloads often leak directly.

strings "challenge.pcap" | rg -i "flag|ctf|tachyon|key|secret|password"
TACHYON{n3tw0rking_is_4un}

The string hit looked promising, but I still needed to confirm provenance from a real packet payload. I used protocol hierarchy statistics to see whether meaningful application data existed and where.

tshark -r "challenge.pcap" -q -z io,phs
Protocol Hierarchy Statistics
Filter:

frame                                    frames:12 bytes:763
  null                                   frames:12 bytes:763
    ipv6                                 frames:2 bytes:152
      tcp                                frames:2 bytes:152
    ip                                   frames:10 bytes:611
      tcp                                frames:10 bytes:611
        data                             frames:1 bytes:83

That single TCP data frame is the key clue. I then filtered on packets with TCP payload and printed frame number, stream index, and raw payload bytes to tie the candidate flag to one concrete transmission event.

smile

tshark -r "challenge.pcap" -Y "tcp.payload" -T fields -e frame.number -e tcp.stream -e data
7	1	54414348594f4e7b6e33747730726b696e675f69735f34756e7d0a

The payload hex in frame 7 decodes directly to ASCII TACHYON{n3tw0rking_is_4un} with trailing newline (0a). That proves the flag was transmitted in plaintext over the captured local TCP session.

Solution#

tshark -r "challenge.pcap" -Y "tcp.payload" -T fields -e data
54414348594f4e7b6e33747730726b696e675f69735f34756e7d0a
payload_hex = "54414348594f4e7b6e33747730726b696e675f69735f34756e7d0a"
print(bytes.fromhex(payload_hex).decode().strip())
~/.venvs/py312-global/bin/python solve.py
TACHYON{n3tw0rking_is_4un}
CryptoNite CTF 2026 - Shark of the Wire I - Forensics Writeup
https://blog.rei.my.id/posts/73/cryptonite-ctf-2026-shark-of-the-wire-i-forensics-writeup/
Author
Reidho Satria
Published at
2026-03-10
License
CC BY-NC-SA 4.0
© 2026 Reidho Satria. All Rights Reserved. / RSS / Sitemap
Powered by Astro & Fuwari