Plaid CTF “Torrents” write-up


This post is about a challenge from the Plaid CTF computer security competition. Check out this blog post for more information about the competition in general.

Challenge (200)

It turns out that robots, like humans, are cheap and do not like paying for their movies and music. We were able to intercept some torrent downloads but are unsure what the file being downloaded was. Can you figure it out?

The file is a wireshark capture containing a torrent transfer between 2 peers. We had to extract the data inside the pieces and sort them in the right order.


My solution is not as pretty as Squall’s or Michael’s but I’m pretty sure I’m the only one crazy enough that did it with Powershell instead of Python.

[powershell]# Ask tshark
$raw= & ‘tshark.exe’ -r torrent.pcap -R ‘’ -T fields -e bittorrent.piece.index -e -E separator=/s

# Split into pieces
$data = @{}
$raw -split ‘[nn]’ | ForEach-Object {
$packet = $_ -split ‘ ‘
if ($data.ContainsKey($packet[0])) { # There are 2 packets for each piece so we concat them here
$data.set_Item($packet[0], (‘{0}:{1}’ -f $data.get_Item($packet[0]), $packet[1]))
} else {
$data.Add($packet[0], $packet[1])

# Sort and concat
$HexString = [String] ”
$data.GetEnumerator() | Sort-Object Name | Select-Object Value | ForEach-Object {
$HexString += (‘{0}:’) -f $_.Value

# Convert hex to byte
$count = $hexString.Length
$byteCount = $count/3
$bytes = New-Object byte[] $byteCount
$byte = $null

$x = 0
for ( $i = 0; $i -le $count-1; $i+=3 )
$bytes[$x] = [Byte]::Parse($hexString.Substring($i,2), [System.Globalization.NumberStyles]::HexNumber)
$x += 1

# Write in a file
set-content -encoding byte ‘output’ -value $bytes[/powershell]

It was a bzipped file with a mp3 and a key containing the answer: t0renz0_v0n_m4tt3rh0rn.
Fun was had.