June 12, 2026
SecLeaf 7-Day CTF Challenge
Day 2 Write-Up
APT-0
5 min read
Overview
Day 2 done. Four challenges solved across network forensics, web exploitation, file forensics, and cryptography. Harder than Day 1, different mindset required.
Without wasting time, let's get to it!
Challenge 1: Wireshark doo dooo do doo…
Category: Forensics | Difficulty: Medium
Description
A .pcapng file was provided containing captured network traffic. The flag was hidden somewhere inside the packets.
Walkthrough
Downloaded the file and opened it in Wireshark. 987 packets staring back at me: way too much noise to scroll through manually.
First move was to filter by protocol. Typed http in the Wireshark filter bar and hit Enter. That cut it down to only HTTP traffic, the kind where data gets sent in plain text; it was the only reasonable first step.
Scrolled through the filtered packets looking for HTTP 200 responses. An HTTP 200 means a server actually sent something back. Found one from an external IP that wasn't part of the local network.
Clicked on it and looked at the bottom pane in Wireshark (the raw content section, as seen in the diagram). Found this in the response body:
Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}
That's ROT13, seen it before. Threw it into dcode.fr and decoded it.
Bingo! Flag picoCTF{p33kab00_1_s33_u_deadbeef}
What I learned: Wireshark filters are everything. http cuts through the noise fast. HTTP 200 responses are where the data lives. Always check traffic going to external IPs; that's where things get interesting.
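The same check, scripted. This is an added example, not part of the original write-up: it takes HTTP response bodies (as you would copy them out of Wireshark's bytes pane) and, instead of assuming ROT13, tries all 26 Caesar shifts and reports the one that turns a body into something matching the picoCTF{...} flag format. The second body is constructed filler that should not match.

```python
import re
import string

# Constructed sample: two HTTP 200 response bodies. The first is the one from
# the write-up; the second is made-up filler with no flag in it.
SAMPLE_RESPONSE_BODIES = [
    "Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs}",
    "<html><body>Welcome to the intranet</body></html>",
]

FLAG_PATTERN = re.compile(r"picoCTF\{[^}]+\}")


def caesar_shift(text: str, shift: int) -> str:
    """Rotate A-Z/a-z by `shift` positions; digits, braces and underscores pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def find_shifted_flag(body: str):
    """Try every shift 0..25; return (shift, flag) for the first one that yields a flag."""
    for shift in range(26):
        match = FLAG_PATTERN.search(caesar_shift(body, shift))
        if match:
            return shift, match.group(0)
    return None


def scan_bodies(bodies):
    """Run the shift search over every body and collect the hits."""
    results = []
    for index, body in enumerate(bodies):
        hit = find_shifted_flag(body)
        if hit:
            results.append({"index": index, "shift": hit[0], "flag": hit[1]})
    return results


if __name__ == "__main__":
    for result in scan_bodies(SAMPLE_RESPONSE_BODIES):
        print(result)
```

ROT13 is just shift 13, so the search lands on it, but the same loop would have caught any other rotation the challenge author had picked.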
Challenge 2: Local Authority
Category: Web Exploitation | Difficulty: Easy
Description
A login page was provided. The goal was to bypass or break the authentication.
Walkthrough
Ran curl on the URL and got the HTML back. It was a simple login form submitting to login.php.
So I decided to visit the website and have a look at it. In the login form I submitted decoy inputs and inspected the Network tab.
I noticed that it loaded not only login.php but two other files: style.css and secure.js.
The JavaScript file was interesting; that name alone was suspicious. So I navigated to the JS file, went to the Response tab and got this:
    function checkPassword(username, password) {
        if (username === 'admin' && password === 'strongPassword098765') {
            return true;
        }
    }
The credentials were sitting there in plain text. The entire authentication logic was running client-side in the browser, meaning anyone could just read the source and log in.
Submitted the credentials, and then:
Bingo! Flag picoCTF{j5_15_7r4n5p4r3n7_b0c2c9cb}
What I learned: Never trust client-side validation for security. JavaScript runs in the browser, so it's completely visible to anyone. Always check every file a page loads, not just the HTML. secure.js being named "secure" was the biggest red flag of all.
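For contrast, here is what the check should have looked like on the server side. This is an added example, not the challenge's code: a constructed in-memory user store stands in for whatever login.php would consult, the password is kept only as a salted PBKDF2-HMAC-SHA256 digest, and the comparison is done in constant time so nothing about the secret leaks to the browser or to a timing measurement.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store (stands in for the server-side database).
# It holds (salt, digest) pairs, never the password itself.
USERS = {}
ITERATIONS = 200_000
DUMMY_SALT = b"\x00" * 16  # makes an unknown username cost the same time as a wrong password


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(username, password):
    """Store only the salted digest for this user."""
    USERS[username] = hash_password(password)


def check_password(username, password):
    """Server-side replacement for the secure.js check."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, DUMMY_SALT)  # equalise timing for unknown usernames
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    # hmac.compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # The password from the write-up's secure.js, now living only on the server as a hash.
    register("admin", "strongPassword098765")
    print(check_password("admin", "strongPassword098765"))  # True
    print(check_password("admin", "wrong"))                  # False
```

The browser never sees a credential or a hash; it only learns whether the server said yes or no.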
Challenge 3: Secret of the Polyglot
Category: Forensics | Difficulty: Medium
Description
A file named flag2of2-final.pdf was provided. The challenge involved a file that was two things at once.
Walkthrough
Downloaded the file. Catted it and immediately saw something strange: the very first bytes said PNG, not PDF. But the file ended with a full PDF structure, including %%EOF.
That's what polyglot means: one file that is valid in two different formats simultaneously. This file was both a PNG image and a PDF document.
Opened the PDF side first and found this:
Part of the flag was just staring at me, like it was supposed to be there:
1n_pn9_&_pdf_249d05c0}
For the PNG side, tried a few tools. eog said unsupported format because of the mixed content. Tried feh, a lightweight image viewer on Kali;
it rendered the PNG part cleanly, showing the first half: picoCTF{f1u3n7
Put them together:
Bingo! Flag picoCTF{f1u3n7_1n_pn9_&_pdf_249d05c0}
What I learned: File extensions lie. Always check the actual file content, not just the name. Polyglot files are a real forensics technique; they exploit the fact that different programs read files differently. feh is a great tool for rendering images even when the extension is wrong.
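A way to do the "check the actual content" step without relying on which viewer happens to be tolerant. This is an added example, not part of the write-up: it assumes the layout the cat output suggested (PNG first, PDF appended after it), builds a constructed stand-in for flag2of2-final.pdf from a 1x1 PNG plus a PDF skeleton, reports both signatures, and then walks the PNG chunk list to the IEND chunk so the PNG half can be carved out for any viewer that rejects trailing data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_polyglot() -> bytes:
    """Constructed stand-in for the challenge file: a 1x1 grayscale PNG followed by a PDF skeleton."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    png = PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    return png + pdf


def identify(data: bytes) -> dict:
    """What `file` would not tell you: which format markers are present, and where."""
    return {
        "png_header": data.startswith(PNG_SIG),
        "pdf_header": data.startswith(b"%PDF-"),
        "pdf_marker": b"%PDF-" in data,
        "pdf_eof": data.rstrip().endswith(b"%%EOF"),
    }


def carve_png(data: bytes) -> bytes:
    """Walk chunks from the signature to IEND, verifying each CRC, and return only the PNG bytes."""
    if not data.startswith(PNG_SIG):
        raise ValueError("no PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        chunk_end = pos + 12 + length
        if chunk_end > len(data):
            raise ValueError("truncated chunk")
        expected = zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF
        (actual,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
        if expected != actual:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        pos = chunk_end
        if ctype == b"IEND":
            return data[:pos]
    raise ValueError("IEND chunk not found")


if __name__ == "__main__":
    blob = build_sample_polyglot()
    print(identify(blob))
    png_part = carve_png(blob)
    print(len(png_part), "PNG bytes;", len(blob) - len(png_part), "bytes of PDF after IEND")
```

Viewers like eog that choke on the file are usually refusing the trailing bytes after IEND; writing png_part to disk gives them a clean image.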
Challenge 4: la cifra de
Category: Cryptography | Difficulty: Medium
Description
Connected to a server via netcat which returned a long encrypted message containing a hidden flag.
Walkthrough
Got connected using:
nc fickle-tempest.picoctf.net 59443
Which gave me an encrypted message:
Ne iy nytkwpsznyg nth it mtsztcy vjzprj zfzjy rkhpibj nrkitt ltc tnnygy ysee itd tte cxjltk
Ifrosr tnj noawde uk siyyzre, yse Bnretèwp Cousex mls hjpn xjtnbjytki xatd eisjd
Iz bls lfwskqj azycihzeej yz Brftsk ip Volpnèxj ls oy hay tcimnyarqj dkxnrogpd os 1553 my Mnzvgs Mazytszf Merqlsu ny hox moup Wa inqrg ipl. Ynr. Gotgat Gltzndtg Gplrfdo
Ltc tnj tmvqpmkseaznzn uk ehox nivmpr g ylbrj ts ltcmki my yqtdosr tnj wocjc hgqq ol fy oxitngwj arusahje fuw ln guaaxjytrd catizm tzxbkw zf vqlckx hizm ceyupcz yz tnj fpvjc hgqqpohzCZK{m311a50_0x_a1rn3x3_h1ah3xiLAH11i9}
Ehk ktryy herq-ooizxetypd jjdcxnatoty ol f aordllvmlbkytc inahkw socjgex, bls sfoe gwzuti 1467 my Rjzn Hfetoxea Gqmexyt.
Tnj Gimjyèrk Htpnjc iy ysexjqoxj dosjeisjd cgqwej yse Gqmexyt Doxn ox Fwbkwei Inahkw.
Tn 1508, Ptsatsps Zwttnjxiax tnbjytki ehk xz-cgqwej ylbaql rkhea (g rltxni ol xsilypd gqahggpty) ysaz bzuri wazjc bk f nroytcgq nosuznkse ol yse Bnretèwp Cousex.
Gplrfdo'y xpcuso butvlky lpvjlrki tn 1555 gx l cuseitzltoty ol yse lncsz. Yse rthex mllbjd ol yse gqahggpty fce tth snnqtki cemzwaxqj, bay ehk fwpnfmezx lnj yse osoed qptzjcs gwp mocpd hd xegsd ol f xnkrznoh vee usrgxp, wnnnh ify bk itfljcety hizm paim noxwpsvtydkse.
Headed over to dcode.fr to identify which type of cipher it was; it gave me high odds that it was the Vigenère cipher.
It was time to decode. The Vigenère cipher needs a key. Tried many keys including Secret, Key, etc.; none worked.
Then I tried the most obvious one of all: FLAG.
Bingo! Flag picoCTF{b311a50_0r_v1gn3r3_c1ph3rdAAB11d9}
What I learned: Challenge names are always a hint; sometimes they are literally telling you the answer. Vigenère cipher is a polyalphabetic substitution cipher that needs a key.
When stuck on the key, try obvious ones: FLAG, KEY, SECRET, the challenge name itself.
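The key-guessing loop, scripted. This is an added example, not part of the write-up: the sample is the final stretch of the server's output quoted above, cut at the word "yz" so that the key is at its first letter when the text starts (worked out backwards from the known flag; an assumption, not something the server told us). The decrypt routine advances the key only on letters, which is why the digits, underscores and braces inside the flag come through untouched, and the candidate list is tried in order until one yields a picoCTF{...} match.

```python
import re

FLAG_RE = re.compile(r"picoCTF\{[^}]+\}")

# Constructed sample: tail of the server output from the write-up, starting at a
# point where the FLAG key is at its first letter (assumed, derived from the flag).
SAMPLE_CIPHERTEXT = "yz tnj fpvjc hgqqpohzCZK{m311a50_0x_a1rn3x3_h1ah3xiLAH11i9}"


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Classic Vigenère: shift each letter back by the matching key letter.
    The key index advances only on A-Z/a-z; everything else passes through unchanged."""
    if not key.isalpha():
        raise ValueError("key must be alphabetic")
    key = key.upper()
    out, ki = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[ki % len(key)]) - ord("A")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def try_keys(ciphertext: str, candidates):
    """Decrypt with each candidate key; return (key, flag) for the first that yields a flag."""
    for key in candidates:
        match = FLAG_RE.search(vigenere_decrypt(ciphertext, key))
        if match:
            return key, match.group(0)
    return None


if __name__ == "__main__":
    # The obvious guesses first, then the challenge's own hint.
    print(try_keys(SAMPLE_CIPHERTEXT, ["SECRET", "KEY", "PASSWORD", "FLAG"]))
```

The plaintext in front of the flag decrypts to "to the upper half", which is the tail of the Vigenère paragraph the server was quoting, a useful sanity check that the key alignment is right.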
Final Thoughts
Day 2 done. Four flags down, eight total across two days.
Day 2 was genuinely harder than Day 1. Wireshark requires a different kind of patience: learning to filter and read traffic rather than just running a script. The Polyglot challenge showed that files are not always what they claim to be. And Vigenère was a reminder that the challenge name is never just decoration.
See you on Day 3.
@SecLeaf Day 2
Written by George Matty (APT-0) | CyLab | SecLeaf 7-Day Challenge
"The best Hackers don't just break things, they understand them."