SOS, someone is torrenting on our network.
One of your colleagues has been using torrent to download
some files on the company’s network. Can you identify the
file(s) that were downloaded? The file name will be the flag,
like picoCTF(unknown). Captured traffic.
wget https://artifacts.picoctf.net/c/165/torrent.pcap
wireshark torrent.pcap
The objective is to find the file(s) that were downloaded through BitTorrent. This is likely going to be done with the hash; with BitTorrent it's called the info_hash. I initially tried searching with bittorrent.info_hash as a filter, but then realized it is found under BT-DHT.
Then I used bt-dht and it gave me all of the bittorrent traffic.
I then looked at the first packet and expanded all the subtrees for the BitTorrent protocol. I then scrolled through the packets until I saw info_hash.
This hash is not the correct one, so I decided to look for the info_hash that was seen the most. I did this by making info_hash into a column.
After that I clicked the column (string) to sort it based on the info_hash and looked for the one that appeared the most.
This is the info_hash that appeared the most.
I first put it into VirusTotal and found no matches, so I then put it into Google.
This led me to Linuxtracker (first Google result), which showed that it is an .iso file.
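The same "most frequent info_hash" check can be scripted instead of sorting a Wireshark column. The following is an added example (not part of the original writeup and not tied to the challenge pcap): a small bencode decoder that pulls the info_hash out of DHT get_peers/announce_peer queries and counts which one dominates. The UDP payloads below are constructed inline for illustration; in practice they would be the payloads of the packets that match the bt-dht filter in Wireshark. The node IDs, hashes and token are made-up values.

```python
"""Count BT-DHT info_hash values seen in DHT query payloads (bencode)."""
from collections import Counter


def bdecode(data: bytes):
    """Decode one bencoded value (int, bytes, list or dict) from `data`."""

    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                      # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                      # list: l<items>e
            i += 1
            items = []
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                items.append(v)
            return items, i + 1
        if c == b"d":                      # dict: d<key><value>...e
            i += 1
            d = {}
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                v, i = parse(i)
                d[k] = v
            return d, i + 1
        if c.isdigit():                    # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")

    value, consumed = parse(0)
    if consumed != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def extract_info_hash(payload: bytes):
    """Return the hex info_hash of a get_peers/announce_peer query, else None."""
    try:
        msg = bdecode(payload)
    except (ValueError, IndexError):
        return None                        # not bencode / truncated
    if not isinstance(msg, dict) or msg.get(b"y") != b"q":
        return None                        # only queries carry info_hash
    if msg.get(b"q") not in (b"get_peers", b"announce_peer"):
        return None
    args = msg.get(b"a")
    if not isinstance(args, dict):
        return None
    ih = args.get(b"info_hash")
    if not isinstance(ih, bytes) or len(ih) != 20:
        return None                        # SHA-1 info_hash is always 20 bytes
    return ih.hex()


def most_common_info_hash(payloads):
    """Return (hex_hash, count) for the most frequent info_hash, or None."""
    counts = Counter(h for h in map(extract_info_hash, payloads) if h)
    return counts.most_common(1)[0] if counts else None


# --- constructed sample traffic (not real captures) ---------------------------
NODE_ID = b"\xab" * 20                     # made-up DHT node id
HASH_A = b"\x01" * 20                      # made-up info_hash, the "busy" one
HASH_B = b"\x02" * 20                      # made-up info_hash seen once


def get_peers(ih):
    return b"d1:ad2:id20:" + NODE_ID + b"9:info_hash20:" + ih + \
        b"e1:q9:get_peers1:t2:aa1:y1:qe"


def announce_peer(ih):
    return b"d1:ad2:id20:" + NODE_ID + b"9:info_hash20:" + ih + \
        b"4:porti6881e5:token8:aoeusnthe1:q13:announce_peer1:t2:aa1:y1:qe"


SAMPLE_PAYLOADS = [
    get_peers(HASH_A), get_peers(HASH_A), get_peers(HASH_A), announce_peer(HASH_A),
    get_peers(HASH_B),
    b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa1:y1:qe",   # ping: no info_hash
    b"d1:rd2:id20:" + NODE_ID + b"e1:t2:aa1:y1:re",             # response: skipped
    b"\x00\x01not bencode",                                     # junk: skipped
]

if __name__ == "__main__":
    print(most_common_info_hash(SAMPLE_PAYLOADS))
```

The hex string this returns is what you would then look up (VirusTotal, a tracker search) exactly as the writeup does; counting across both get_peers and announce_peer queries is what separates the torrent actually being downloaded from hashes that merely pass through the node's routing traffic.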
Flag: picoCTF{.....amd64.iso}