You Said What

Challenge

Content preserved from the original writeup source. Minimal normalization was applied to fit platform format.

Solution

Original Writeup Content (Preserved)

You Said What - CTF Writeup

Challenge Summary

Given a packet capture file, recover the hidden message and final flag.

Files

yousaidwhat.pcapng

Approach

Checked the capture contents and looked for useful protocols and artifacts.
Found repeated HTTP decoy requests, then identified successful HTTP downloads on port 8000.
Carved transferred files from the pcap.
Analyzed carved images and metadata for hidden clues.
Used the recovered clue as the ZIP password.
Extracted final text file and recovered the flag.

Key Evidence

Decoy requests:
- /decoy1.txt
- /decoy2.txt
Real downloads:
- /whoareyoucalling.zip
- /whossliming.jpg
- /stinky.jpeg
- /chicken.jpg

Useful Commands

# Carve files from capture
foremost -i yousaidwhat.pcapng -o carved

# Inspect carved files
ls -l carved/jpg carved/zip
exiftool carved/jpg/*.jpg

# Decode EXIF hex clue found in 00000315.jpg
printf '6e6f626f64792063616c6c73206d6520636869636b656e21' | xxd -r -p
# output: nobody calls me chicken!

# Unzip using recovered password
mkdir -p carved/zip_out
unzip -o carved/zip/00000045.zip -d carved/zip_out
cat carved/zip_out/whoareyoucalling.txt

Solve Chain

EXIF analysis of carved/jpg/00000315.jpg revealed a hex string in the Copyright field.
Hex decoded to:
- nobody calls me chicken!
That phrase was used as the ZIP password for carved/zip/00000045.zip.
Extracted file whoareyoucalling.txt contained the final flag.

Final Flag

UDCTF{wh4ts_wr0ng_mcf1y}

Challenge​

Solution​

Original Writeup Content (Preserved)​

You Said What - CTF Writeup

Challenge Summary​

Files​

Approach​

Key Evidence​

Useful Commands​

Solve Chain​

Final Flag​