Chaos — TCP Payload Reconstruction from PCAP
Filter a PCAP for TCP packets, decode each packet’s payload from hex, and concatenate them in order — the resulting byte stream contains the flag.
Pcap
SSA0x42 — XOR Key Recovery from Known-Plaintext PCAP Headers
Two known-plaintext byte sequences (k and l) from the PCAP header XOR to reveal the repeating key. XOR the encrypted flag block with that key to recover the plaintext.
That's a Lot of Fs — Flag in Ethernet Destination MAC via Custom EtherType
Filter Ethernet frames with EtherType 0xffff — the custom protocol used by this challenge — collect the destination MAC address from each matching frame, interpret the first two hex bytes as ASCII, and concatenate to reveal the flag.
Useless — Flag Hidden in PCAPNG via strings
Run strings on the PCAPNG and grep for ‘flag’ — the flag is stored as plain ASCII inside the capture file and visible without any packet parsing.