
SwampCTF 2025: Proto-Proto

Apr 01, 2025

author: @wxrth

Challenge Info:

Category: Forensics

TL;DR:

I opened the pcap in Wireshark and found a custom UDP protocol in which the client asks for flag.txt using a simple binary format. I rebuilt the request with hex tools, sent it to the challenge server over UDP, and got the flag instantly.

The Challenge (Solution):

The challenge gave us a .pcap file and a server address:

chals.swampctf.com:44254

According to the description, the client and server were communicating using some unknown protocol. My job was to figure out how it worked and ask the server for the flag myself.

Step 1 - PCAP:

I opened the .pcap file using Wireshark, then filtered the packets with:

udp

That gave a nice list of UDP packets. Here's what it looked like:

A quick scan showed a ton of back-and-forth between two IPs:

Step 2 - Follow the streammm:

I was interested in the interaction between these two IPs, so I picked one of the packets and followed the stream:

Right Click -> Follow -> UDP Stream 

Result:

I switched the view to Show as Raw, and saw this:

I found this hex in the client’s request:

 0208666c61672e747874

Decoded byte by byte that is 02 08 66 6c 61 67 2e 74 78 74: the last eight bytes are the ASCII string flag.txt, the 08 in front of them matches its length, and the leading 02 is presumably a message type (a "read file" request). So the client was asking the server for flag.txt. The server responded with something that looked like a flag (yes, I did try submitting it, but it wasn't the correct one lol).

Step 3 - Sending the Request:

Since the server responded with some flag when the client requested flag.txt, I decided to try sending the same request myself using the hex I grabbed from Wireshark.

Here’s the command I used:

echo -n "0208666c61672e747874" | xxd -r -p | nc -u chals.swampctf.com 44254

xxd -r -p turns the plain hex string back into the ten raw bytes, and nc -u sends them as a single UDP datagram to the challenge server and prints whatever comes back. Depending on the netcat variant, nc may keep waiting for further datagrams after printing the reply; -w <seconds> gives it an idle timeout so it exits on its own.

Here’s what it looked like when I ran it:

And there you go, we got the flag :)
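To make the request format concrete, here is an added Python version of the whole exchange. It is not part of the original writeup and not the challenge's own code. It assumes the layout inferred from the captured bytes (a one-byte message type 0x02, a one-byte filename length, then the ASCII filename); the server's reply format is not visible in the capture, so the loopback mock server that answers with a made-up flag is constructed purely for the offline demo, and the function and constant names are my own.

```python
import socket
import threading

# Assumed request layout (inferred from the captured bytes 02 08 "flag.txt";
# the challenge never documented it):
#   byte 0   : message type, 0x02 in the captured read request
#   byte 1   : length of the filename that follows
#   bytes 2..: filename, ASCII
REQ_TYPE_READ = 0x02

# Bytes copied from the client's request in the pcap.
CAPTURED_REQUEST = bytes.fromhex("0208666c61672e747874")


def build_request(filename: str, msg_type: int = REQ_TYPE_READ) -> bytes:
    """Encode <type><len><name> under the assumed layout."""
    name = filename.encode("ascii")
    if not 0 < len(name) <= 0xFF:
        raise ValueError("filename length must fit in one byte")
    return bytes([msg_type, len(name)]) + name


def parse_request(data: bytes) -> tuple:
    """Decode <type><len><name>; reject a length byte that disagrees with the payload."""
    if len(data) < 2:
        raise ValueError("request too short")
    msg_type, name_len = data[0], data[1]
    name = data[2:]
    if len(name) != name_len:
        raise ValueError(f"length byte says {name_len}, payload has {len(name)} bytes")
    return msg_type, name.decode("ascii")


def is_valid_request(data: bytes) -> bool:
    """True if the datagram parses cleanly under the assumed layout."""
    try:
        parse_request(data)
        return True
    except ValueError:
        return False


def send_request(host: str, port: int, filename: str, timeout: float = 3.0) -> bytes:
    """Send one request datagram and return the raw reply (b"" if nothing arrives).

    UDP gives no delivery guarantee, so a timeout is the only way to notice
    a dropped packet or a server that ignores malformed requests.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(filename), (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return b""
    return reply


def serve_one(sock: socket.socket, files: dict) -> None:
    """Constructed mock server: answer one request on an already-bound UDP socket."""
    data, peer = sock.recvfrom(4096)
    try:
        msg_type, name = parse_request(data)
        reply = files[name] if msg_type == REQ_TYPE_READ else b"ERR unknown message type"
    except (ValueError, KeyError) as exc:
        reply = b"ERR " + str(exc).encode()
    sock.sendto(reply, peer)


if __name__ == "__main__":
    # Offline demo on loopback; the real target was chals.swampctf.com:44254.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    mock_files = {"flag.txt": b"swampCTF{constructed_demo_flag}"}  # made-up content
    t = threading.Thread(target=serve_one, args=(srv, mock_files), daemon=True)
    t.start()
    print("captured request decodes to:", parse_request(CAPTURED_REQUEST))
    print("mock server replied:", send_request("127.0.0.1", port, "flag.txt"))
    t.join()
    srv.close()
```

Pointing send_request at the real host and port reproduces the nc one-liner above, with the difference that a missing reply shows up as an empty result instead of a hung terminal.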

🚩 Final flag: swampCTF{r3v3r53_my_pr070_l1k3_m070_m070}