# Trivial Flag Transfer Protocol

## Problem

> Figure out how they moved the flag.

## Solution

1. Open the packet capture file in wireshark. Go to File > Export Objects > TFTP.
2. If we preview the `instructions` document we find: `GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE.SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA`. Putting this into [quipqiup](https://www.quipqiup.com/) decodes it to `t ftp doesnt encrypt our traffic so we must disguise our flag transfer figure out away to hide the flag and i will check back for the plan`. The encoding is simply ROT13 so [quipqiup](https://www.quipqiup.com/) is overkill. You can use [cryptii](https://cryptii.com/) instead.
3. The `plan` document says `VHFRQGURCEBTENZNAQUVQVGJVGU-QHRQVYVTRAPR.PURPXBHGGURCUBGBF`, which decodes to `i used the program and hid it with due diligence check out the photos`.
4. Save the `program.deb` file. Let's see if we can use it to decode the images. The `program.deb` is actually `steghide` (this is easily seen if you extract it), so install it if you don't already have it installed with `sudo dpkg -i program.deb`.
5. The hint from the `plan` document suggests that `DUEDILIGENCE` (uppercase because the encoded text is uppercase) is the password.
6. We can use `steghide` on every image included in the packet capture file. The flag is hidden in the last image `picture3.bmp`. So run `steghide extract -sf picture3.bmp -p DUEDILIGENCE` and `cat flag.txt` to get the flag.

### Flag

`picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://picoctf2021.haydenhousen.com/forensics/trivial-flag-transfer-protocol.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.