I have finished the WebNet1 Challenge (Hard level) from PicoCTF, and here is the solution if you want to try:
- Load the PCAP: open capture.pcap in Wireshark (or use ssldump on the command line).
- Decrypt the TLS stream with the server's RSA private key, picopico.key. This only works because the capture negotiates an RSA key-exchange cipher suite, so the private key recovers the premaster secret; against an (EC)DHE suite the private key alone would not decrypt anything.
  - In Wireshark: go to Edit > Preferences > Protocols > TLS, click Edit... next to "RSA keys list" (in newer releases the same list is under Edit > Preferences > RSA Keys) and add picopico.key. Do not put it in "(Pre)-Master-Secret log filename"; that field expects an SSLKEYLOGFILE, not a private key.
  - Alternatively, decrypt on the command line with ssldump, which writes the decrypted application data to a text file:

    ssldump -r capture.pcap -k picopico.key -d > decrypted_output.txt
- Inspect the decrypted traffic:
  - In Wireshark, right-click a decrypted packet and choose Follow > HTTP Stream.
  - Or search decrypted_output.txt for "picoCTF{" (Ctrl+F in an editor, or grep).
- Find the flag: the first response carries a decoy header, Pico-Flag: picoCTF{this.is.not.your.flag.anymore}, so ignore it. Scroll or search further in the decrypted content to locate the real flag hidden later in the traffic. If it turns out to sit in a binary response body rather than a header, File > Export Objects > HTTP (after decryption) will extract the object for you.
picoCTF{honey.roasted.peanuts}
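As an added example that is not part of the original post, here is a small stdlib-only Python scanner for the decrypted ssldump output. It handles the two things a plain Ctrl+F misses: it discards the decoy flag named above, and it still finds a flag that ssldump's line wrapping has split across two indented lines. The sample text, the file name and the flag value picoCTF{constructed.sample.flag} are constructed for illustration and are not taken from the real capture.

```python
from __future__ import annotations
import re
import sys

# Decoy flags to discard. The fake header value from the challenge is the
# only one known; add more here if a capture plants several.
DECOYS = frozenset({"picoCTF{this.is.not.your.flag.anymore}"})

# [^{}] also matches newlines, so a flag that ssldump wrapped onto a second
# indented line is still captured as one token.
FLAG_RE = re.compile(r"picoCTF\{[^{}]*\}")

# Constructed sample in the shape of `ssldump -r capture.pcap -k key -d`
# output. It is NOT the real decrypted capture; the second flag is invented.
SAMPLE_OUTPUT = """New TCP connection #1: client(50000) <-> server(443)
1 1  0.0010 (0.0010)  C>S  Handshake
1 2  0.0020 (0.0010)  S>C  Handshake
1 7  0.0300 (0.0010)  C>S  application_data
    ---------------------------------------------------------------
    GET / HTTP/1.1
    Host: localhost
    ---------------------------------------------------------------
1 8  0.0310 (0.0010)  S>C  application_data
    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    Pico-Flag: picoCTF{this.is.not.your.flag.anymore}
    Content-Type: text/html
    ---------------------------------------------------------------
1 9  0.0400 (0.0090)  S>C  application_data
    ---------------------------------------------------------------
    <html><body><!-- picoCTF{constructed.sam
    ple.flag} --></body></html>
    ---------------------------------------------------------------
"""


def find_candidates(text: str) -> list[str]:
    """Every picoCTF{...} token in order of appearance, de-duplicated,
    with any whitespace a line wrap inserted inside the braces removed."""
    found: list[str] = []
    for match in FLAG_RE.finditer(text):
        flag = re.sub(r"\s+", "", match.group(0))
        if flag not in found:  # retransmitted records repeat the same bytes
            found.append(flag)
    return found


def real_flags(text: str, decoys: frozenset[str] = DECOYS) -> list[str]:
    """Candidates minus the known decoys."""
    return [flag for flag in find_candidates(text) if flag not in decoys]


def scan_file(path: str) -> list[str]:
    """Read a decrypted_output.txt (hypothetical path) and return real flags."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return real_flags(handle.read())


if __name__ == "__main__":
    # Usage: python scan_flags.py decrypted_output.txt
    # With no argument the constructed sample above is scanned instead.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for flag in find_candidates(text):
        tag = "DECOY" if flag in DECOYS else "candidate"
        print(f"{tag}: {flag}")
```

Run it against decrypted_output.txt once ssldump has finished; anything printed as "candidate" is worth a closer look, and the decoy is called out rather than silently dropped so you can confirm the decryption worked at all.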