# Spell Sequence - Network Forensics Challenge Writeup ## Challenge Information - **Name:** Spell Sequence - **Points:** 200 - **Category:** Forensics/Network Analysis - **File:** sniffed.pcap ## Challenge Description A shattered sending stone was recovered from ruins. The Dragon Cult hides secrets not in plain text, but within the structure of their communication. Numbers woven into the network traffic flow form a pattern. The message is hidden in how the packets travel, not in their content. ## Solution ### Initial Analysis The PCAP file contains 140 packets. Initial inspection shows standard network traffic (DNS queries to google.com, TCP handshakes, etc.) with no obvious flag in packet payloads. ### Key Observations 1. Packet lengths vary significantly (56 to 55962 bytes) 2. Some packets contain only ASCII printable data in certain positions 3. The last byte of each packet is the critical hiding place ### Exploitation Parse the PCAP and extract the last byte from each packet: ```python import struct def parse_pcap(filename): with open(filename, 'rb') as f: f.read(24) # Skip global header packets = [] while True: packet_header = f.read(16) if len(packet_header) < 16: break _, _, incl_len, _ = struct.unpack('IIII', packet_header) packet_data = f.read(incl_len) if len(packet_data) < incl_len: break packets.append(packet_data) return packets packets = parse_pcap('sniffed.pcap') # Extract last byte from each packet message = ''.join([chr(pkt[-1]) if 32 <= pkt[-1] <= 126 else '' for pkt in packets]) print(message) ``` ### Result Packets 9-41 contain printable ASCII characters in their last byte: - Packet 9-41: `3h2pHv1T!"bOb|&4}` Additional characters after packet 41 are irrelevant padding. The closing brace `}` at packet 41 marks the end of the flag content. ### Flag ``` HTB{3h2pHv1T!"bOb|&4} ``` ## Key Techniques - PCAP manual parsing - Byte-level packet analysis - Pattern recognition in packet structure - ASCII character extraction from specific byte positions