CryptoNite CTF 2026 - Shark of the Wire II - Forensics Writeup

329 words

2 minutes

CryptoNite CTF 2026 - Shark of the Wire II - Forensics Writeup

2026-03-10

Writeup

CTF

/

Security

/

Forensics

Category: Forensics Flag: TACHYON{fr4gm3nt3d_1s_n0_4un}

Challenge Description#

The sender want’s to outsmart you, can you outsmart the sender? The intercepted transmission wasn’t as straightforward this time. Instead of a single clean message, the data appears to have been broken into multiple fragments before being sent. Each piece may not make sense on its own.

Analysis#

This one was a compact packet-forensics puzzle where the important part was not finding one obvious plaintext frame, but reconstructing a message spread across fragments. I started by confirming what the file actually was so I knew I was parsing the right artifact and timestamp/link-layer assumptions.

1
file "/home/LIGHT/Downloads/chall.pcap"

1
/home/LIGHT/Downloads/chall.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (No link-layer encapsulation, capture length 524288)

After that, I checked protocol hierarchy to see whether application payload even existed and how much of it there was. The key clue here is that only five packets carried data, which immediately matches the challenge hint about fragmented transmission.

1
tshark -r "/home/LIGHT/Downloads/chall.pcap" -q -z io,phs

1
Protocol Hierarchy Statistics
2
Filter:
3

4
frame                                    frames:60 bytes:3725
5
  null                                   frames:60 bytes:3725
6
    ipv6                                 frames:10 bytes:760
7
      tcp                                frames:10 bytes:760
8
    ip                                   frames:50 bytes:2965
9
      tcp                                frames:50 bytes:2965
10
        data                             frames:5 bytes:325

With that signal, I pulled only the payload bytes from those data packets. The output was clearly chunk-like rather than final plaintext, and each ended with 0a (newline), so stripping and joining was the right reconstruction model.

1
tshark -r "/home/LIGHT/Downloads/chall.pcap" -Y "data" -T fields -e data.data

1
5645464453466c500a
2
546e746d636a526e620a
3
544e7564444e6b587a0a
4
467a58323477587a520a
5
31626e303d0a

Once those fragments were decoded from hex to text and concatenated, they formed one Base64 string, and decoding that produced the flag directly.

smile

1
tshark -r "/home/LIGHT/Downloads/chall.pcap" -Y "data" -T fields -e data.data | ~/.venvs/py312-global/bin/python "/home/LIGHT/Downloads/solve_shark2.py"

1
parts = ['VEFDSFlP', 'TntmcjRnb', 'TNudDNkXz', 'FzX24wXzR', '1bn0=']
2
joined = VEFDSFlPTntmcjRnbTNudDNkXzFzX24wXzR1bn0=
3
decoded = TACHYON{fr4gm3nt3d_1s_n0_4un}

Solution#

1
import sys
2
import base64
3

4
hex_lines = [line.strip() for line in sys.stdin if line.strip()]
5
parts = [bytes.fromhex(h).decode().strip() for h in hex_lines]
6
joined = "".join(parts)
7

8
print(f"parts = {parts}")
9
print(f"joined = {joined}")
10
print(f"decoded = {base64.b64decode(joined).decode()}")

1
tshark -r "/home/LIGHT/Downloads/chall.pcap" -Y "data" -T fields -e data.data | ~/.venvs/py312-global/bin/python "/home/LIGHT/Downloads/solve_shark2.py"

1
parts = ['VEFDSFlP', 'TntmcjRnb', 'TNudDNkXz', 'FzX24wXzR', '1bn0=']
2
joined = VEFDSFlPTntmcjRnbTNudDNkXzFzX24wXzR1bn0=
3
decoded = TACHYON{fr4gm3nt3d_1s_n0_4un}