BSidesSF 2019 CTF Writeup

Michael Ikua
Mar 5, 2019

CTF page:

Team: NoPwnNoGain



Can you read the flag from the PCAP?

We are provided with a zippy.pcapng file.

Opening the file in Wireshark and checking the stream, I see that a zip file is being sent, along with the zip's password.

I then sorted the packets by length to identify the largest, as I assumed that would be our file. To get the file, select the packet, then File → Export packet bytes → Save it as

unzip -P supercomplexpassword

Flag: CTF{this_flag_is_your_flag}



The flag is in the Pcap, can you find it?

We are given an out.pcapng file. Inspecting the file in Wireshark, most of the traffic is encrypted TLS, so nothing could be read. I then sorted the packets and found that some ICMP packets I had ignored had data in them.

Instead of using Wireshark to inspect each of them and get the information, I thought of using Scapy to make it easier.

Here’s what the script recovered.

Decoding the string inside the <script> tags and removing the spaces I got the flag.
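An added example, not the author's Scapy script: the same recovery done with only the Python standard library, walking the pcapng blocks, keeping ICMP echo packets and joining their data bytes. It assumes Ethernet/IPv4 framing; the function names and the sample capture are constructed for illustration.

```python
import struct

def epb_frames(data):
    """Yield the captured frame from each Enhanced Packet Block of a pcapng byte string."""
    end = "<" if data[8:12] == b"\x4d\x3c\x2b\x1a" else ">"   # section header byte-order magic
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from(end + "II", data, off)
        if blen < 12 or off + blen > len(data):
            break                                    # truncated or corrupt block: stop
        if btype == 6 and blen >= 32:                # 6 = Enhanced Packet Block
            caplen = struct.unpack_from(end + "I", data, off + 20)[0]
            yield data[off + 28: off + 28 + min(caplen, blen - 32)]
        off += blen

def icmp_payload(frame):
    """Return the echo request/reply data of an Ethernet/IPv4 frame, or None."""
    if (len(frame) < 34 or frame[12:14] != b"\x08\x00"   # EtherType must be IPv4
            or frame[14] >> 4 != 4 or frame[23] != 1):   # IP version 4, protocol 1 = ICMP
        return None
    ihl = (frame[14] & 0x0F) * 4
    # Slice up to the IP total length so Ethernet padding is not mistaken for data.
    icmp = frame[14 + ihl: 14 + struct.unpack_from(">H", frame, 16)[0]]
    if ihl < 20 or len(icmp) < 8 or icmp[0] not in (0, 8):   # 0 = echo reply, 8 = echo request
        return None
    return icmp[8:]

def extract_icmp_data(data):
    return b"".join(p for p in map(icmp_payload, epb_frames(data)) if p)

# Builders for a constructed sample capture (not the challenge's out.pcapng).
def make_block(btype, body):
    body += b"\0" * (-len(body) % 4)                 # pcapng blocks are 32-bit aligned
    n = struct.pack("<I", len(body) + 12)
    return struct.pack("<I", btype) + n + body + n

def make_frame(payload, proto=1):
    l4 = struct.pack(">BBHHH", 8, 0, 0, 1, 1) + payload   # echo request header, checksum unset
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return bytes(12) + b"\x08\x00" + ip + l4

def sample_capture(frames):
    shb = make_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = make_block(1, struct.pack("<HHI", 1, 0, 0))    # link type 1 = Ethernet
    epbs = [make_block(6, struct.pack("<IIIII", 0, 0, 0, len(f), len(f)) + f) for f in frames]
    return shb + idb + b"".join(epbs)

if __name__ == "__main__":
    frames = [make_frame(b"constructed "), make_frame(b"noise", proto=6), make_frame(b"sample")]
    print(extract_icmp_data(sample_capture(frames)))
```

For a real capture, pass the bytes of out.pcapng (read in binary mode) to `extract_icmp_data`.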



Get past the Jedi mind trick to find the flag you are looking for.

We are provided with a blink.apk file. I first used apktool to decompile it.

apktool d blink.apk

Going into the smali folder created by apktool


There’s an r2d2.smali file. Inside, there’s a base64-encoded image string.

I decoded the image and got the flag.


All you had to do was change the cookie to admin.


Twitter: ikuamike

Github: ikuamike