
# Trivial Flag Transfer Protocol

## Problem

> Figure out how they moved the flag.

## Solution

1. Open the packet capture file in Wireshark. Go to File > Export Objects > TFTP.
2. Previewing the `instructions` document shows: `GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE.SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA`. Putting this into [quipqiup](https://www.quipqiup.com/) decodes it to `t ftp doesnt encrypt our traffic so we must disguise our flag transfer figure out away to hide the flag and i will check back for the plan`. The encoding is simply ROT13, so [quipqiup](https://www.quipqiup.com/) is overkill; you can use [cryptii](https://cryptii.com/) instead.
3. The `plan` document says `VHFRQGURCEBTENZNAQUVQVGJVGU-QHRQVYVTRAPR.PURPXBHGGURCUBGBF`, which decodes to `i used the program and hid it with due diligence check out the photos`.
4. Save the `program.deb` file. Let's see if we can use it to decode the images. The `program.deb` is actually `steghide` (this is easily seen if you extract it), so if you don't already have it, install it with `sudo dpkg -i program.deb`.
5. The hint from the `plan` document suggests that `DUEDILIGENCE` (uppercase because the encoded text is uppercase) is the password.
6. We can use `steghide` on every image included in the packet capture file. The flag is hidden in the last image `picture3.bmp`. So run `steghide extract -sf picture3.bmp -p DUEDILIGENCE` and `cat flag.txt` to get the flag.
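
What the Export Objects step and the ROT13 decoding in steps 1 to 3 amount to, as an added Python example that is not part of the original writeup: it rebuilds a file from TFTP payloads (RFC 1350 opcodes, default 512-byte blocks) and ROT13-decodes it. The packets are constructed around the `plan` text quoted above, the function names are hypothetical, and UDP/IP parsing and option negotiation are assumed out of scope.

```python
import codecs
import struct

# TFTP opcodes from RFC 1350
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # default size; a shorter DATA payload ends the transfer


def reassemble(payloads):
    """Rebuild files from an ordered list of TFTP UDP payloads.

    Assumes one transfer at a time and no blksize option (hypothetical helper).
    Returns {filename: bytes}.
    """
    files, name, blocks = {}, None, {}
    for p in payloads:
        if len(p) < 4:
            continue  # too short to carry an opcode plus a block number or name
        (opcode,) = struct.unpack("!H", p[:2])
        if opcode in (RRQ, WRQ):
            # Filename and mode follow the opcode as NUL-terminated strings.
            name = p[2:].split(b"\x00")[0].decode("ascii", "replace")
            blocks = {}
        elif opcode == DATA and name is not None:
            (block_no,) = struct.unpack("!H", p[2:4])
            blocks[block_no] = p[4:]  # keyed by number: a retransmit replaces, not appends
            if len(p) - 4 < BLOCK_SIZE:  # short block marks end of file
                files[name] = b"".join(blocks[n] for n in sorted(blocks))
                name = None
    return files


def rot13(data):
    """ROT13-decode bytes; non-letters such as '-' and '.' pass through."""
    return codecs.decode(data.decode("ascii"), "rot_13")


def constructed_capture():
    """Constructed sample packets carrying the `plan` ciphertext from step 3."""
    cipher = b"VHFRQGURCEBTENZNAQUVQVGJVGU-QHRQVYVTRAPR.PURPXBHGGURCUBGBF"
    wrq = struct.pack("!H", WRQ) + b"plan\x00octet\x00"
    data = struct.pack("!HH", DATA, 1) + cipher
    return [wrq, struct.pack("!HH", ACK, 0), data, data, struct.pack("!HH", ACK, 1)]


if __name__ == "__main__":
    for fname, body in reassemble(constructed_capture()).items():
        print(fname, "->", rot13(body))
```

Nothing in the payloads needs a key to read, which is why the transferred files are recoverable from the capture alone.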

### Flag

`picoCTF{h1dd3n_1n_pLa1n_51GHT_18375919}`

