Forensics: PCAP Stego

Analyze a pcap for hidden data exfiltration and extract the embedded flag.

Nov 7, 2025

Forensics: PCAP Stego

Category: Forensics
Difficulty: Medium
Goal: Inspect network traffic to recover a hidden message.

Scenario

A suspicious employee is exfiltrating secrets. You obtained a packet capture. The attacker hides data using an innocuous protocol field pattern.

Task

Look for repeated small HTTP GET requests with odd query parameters.
Reassemble data from the X-Note header values in order.
Decode any layered encodings to obtain the flag.

Hints

Try Wireshark display filters on HTTP traffic.
Are the values Base64? Maybe hex? Sometimes both.
Look for delimiters or indices to reassemble.

Expected approach

Filter HTTP, export objects or follow streams.
Concatenate X-Note header fragments in order, Base64-decode to reveal flag{pcap_layers_reveal_truth}.

Solution (expand to view)

Show solution

Apply http display filter.
Sort by time; locate repeating X-Note headers.
Export headers, join by index, Base64-decode.
Result: flag{pcap_layers_reveal_truth}.

Crypto: Caesar Shift OSINT: Social Trail