329 words
2 minutes
CryptoNite CTF 2026 - Shark of the Wire II - Forensics Writeup
Event Archive

CryptoNite CTF 2026

Posts, writeups, and notes grouped under this event.

Archive/8 posts
Events/CryptoNite CTF 2026
2026-03-10
Writeup
CTF
/
Security
/
Forensics

Category: Forensics Flag: TACHYON{fr4gm3nt3d_1s_n0_4un}

Challenge Description#

The sender want’s to outsmart you, can you outsmart the sender? The intercepted transmission wasn’t as straightforward this time. Instead of a single clean message, the data appears to have been broken into multiple fragments before being sent. Each piece may not make sense on its own.

Analysis#

This one was a compact packet-forensics puzzle where the important part was not finding one obvious plaintext frame, but reconstructing a message spread across fragments. I started by confirming what the file actually was so I knew I was parsing the right artifact and timestamp/link-layer assumptions.

file "/home/rei/Downloads/chall.pcap"
/home/rei/Downloads/chall.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (No link-layer encapsulation, capture length 524288)

After that, I checked protocol hierarchy to see whether application payload even existed and how much of it there was. The key clue here is that only five packets carried data, which immediately matches the challenge hint about fragmented transmission.

tshark -r "/home/rei/Downloads/chall.pcap" -q -z io,phs
Protocol Hierarchy Statistics
Filter:

frame                                    frames:60 bytes:3725
  null                                   frames:60 bytes:3725
    ipv6                                 frames:10 bytes:760
      tcp                                frames:10 bytes:760
    ip                                   frames:50 bytes:2965
      tcp                                frames:50 bytes:2965
        data                             frames:5 bytes:325

With that signal, I pulled only the payload bytes from those data packets. The output was clearly chunk-like rather than final plaintext, and each ended with 0a (newline), so stripping and joining was the right reconstruction model.

tshark -r "/home/rei/Downloads/chall.pcap" -Y "data" -T fields -e data.data
5645464453466c500a
546e746d636a526e620a
544e7564444e6b587a0a
467a58323477587a520a
31626e303d0a

Once those fragments were decoded from hex to text and concatenated, they formed one Base64 string, and decoding that produced the flag directly.

smile

tshark -r "/home/rei/Downloads/chall.pcap" -Y "data" -T fields -e data.data | ~/.venvs/py312-global/bin/python "/home/rei/Downloads/solve_shark2.py"
parts = ['VEFDSFlP', 'TntmcjRnb', 'TNudDNkXz', 'FzX24wXzR', '1bn0=']
joined = VEFDSFlPTntmcjRnbTNudDNkXzFzX24wXzR1bn0=
decoded = TACHYON{fr4gm3nt3d_1s_n0_4un}

Solution#

# solve_shark2.py
import sys
import base64

hex_lines = [line.strip() for line in sys.stdin if line.strip()]
parts = [bytes.fromhex(h).decode().strip() for h in hex_lines]
joined = "".join(parts)

print(f"parts = {parts}")
print(f"joined = {joined}")
print(f"decoded = {base64.b64decode(joined).decode()}")
tshark -r "/home/rei/Downloads/chall.pcap" -Y "data" -T fields -e data.data | ~/.venvs/py312-global/bin/python "/home/rei/Downloads/solve_shark2.py"
parts = ['VEFDSFlP', 'TntmcjRnb', 'TNudDNkXz', 'FzX24wXzR', '1bn0=']
joined = VEFDSFlPTntmcjRnbTNudDNkXzFzX24wXzR1bn0=
decoded = TACHYON{fr4gm3nt3d_1s_n0_4un}
CryptoNite CTF 2026 - Shark of the Wire II - Forensics Writeup
https://blog.rei.my.id/posts/74/cryptonite-ctf-2026-shark-of-the-wire-ii-forensics-writeup/
Author
Reidho Satria
Published at
2026-03-10
License
CC BY-NC-SA 4.0
© 2026 Reidho Satria. All Rights Reserved. / RSS / Sitemap
Powered by Astro & Fuwari