forensics / free / easy-medium

Loud Packets

tjctf

Task: pcap with Bluetooth audio packets (custom BTAV protocol over UDP) arriving in shuffled order, plus noise decoy packets. Solution: filter BTAV packets, reorder by 4-byte sequence number, concatenate 600-byte payloads into WAV file, read flag from spectrogram.

$ ls tags/ techniques/
pcap_analysis  spectrogram_steganography  custom_protocol_parsing  packet_reordering_by_sequence_number  wav_reconstruction


Loud Packets — TJCTF 2026

Description

I was transferring a file with very sensitive info over bluetooth, but someone got ahold of the packets...

Given: chall.pcap (314 KB) — a network capture containing Bluetooth audio data encapsulated in custom UDP packets. The goal is to reconstruct the original audio and extract the hidden flag.

Analysis

PCAP Structure

The capture contains 509 UDP packets and no native Bluetooth or OBEX dissection; every packet is plain eth:ip:udp:data (tshark labels one of them ayiya only because its UDP port happens to match that dissector's port heuristic; by its addresses it is one of the decoys):

  • 459 BTAV packets: 192.168.1.100 → 192.168.1.200 (port 50000 → 62000), each 650 bytes on the wire (14 Ethernet + 20 IP + 8 UDP + 608 bytes UDP payload)
  • 50 noise packets: random 10.0.0.x → 10.0.1.x addresses with varying data sizes; decoys that contribute nothing to the solution

$ tshark -r chall.pcap -q -z io,phs
# Shows: eth:ip:udp:data (508 packets) + one packet dissected as ayiya

BTAV Packet Format

Each BTAV packet's 608-byte UDP payload has a fixed structure:

Offset   Size       Field
0–3      4 bytes    Magic: BTAV (0x42544156)
4–7      4 bytes    Sequence number (big-endian uint32)
8–607    600 bytes  Audio payload chunk

Critical discovery: sequence numbers range from 0 to 458 (all 459 values present, all unique), but they arrive in shuffled order. The packets must be sorted by sequence number to reconstruct the original file.

Reconstructed Audio

Sorting by sequence number and concatenating the 600-byte payloads produces a valid WAV file:

  • Format: RIFF PCM
  • Channels: 1 (mono)
  • Sample rate: 44100 Hz
  • Bits per sample: 16
  • Total size: ~275 KB (459 × 600 = 275,400 bytes)

The WAV header (RIFF....WAVEfmt ) appears at the start of the reassembled data (sequence number 0).
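The whole reassembly (walk the pcap, keep only payloads that carry the BTAV magic and the expected 608-byte length, sort by the big-endian sequence number, check the sequence space is complete and free of conflicting duplicates, concatenate the 600-byte chunks) as an added Python example. This is not the writeup's own solve script. It parses the classic pcap format directly instead of going through tshark or scapy, so it assumes an Ethernet-linktype, non-pcapng capture. The pcap it builds for the demo is constructed inline (five chunks of a short silent WAV in a fixed shuffled order plus one decoy) and is not chall.pcap; only the addresses, ports and field layout mirror those reported above.

```python
"""Reassemble a file carried in shuffled BTAV/UDP packets from a classic pcap (added example)."""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

BTAV_MAGIC = b"BTAV"        # 0x42544156 at payload offset 0
SEQ_OFFSET = 4              # big-endian uint32 sequence number at offset 4..7
CHUNK_LEN = 600             # audio bytes per packet, offset 8..607
BTAV_PAYLOAD_LEN = 8 + CHUNK_LEN

UdpRecord = Tuple[bytes, bytes, int, int, bytes]   # src_ip, dst_ip, sport, dport, payload


def iter_udp(pcap: bytes) -> Iterator[UdpRecord]:
    """Walk a classic (non-pcapng) Ethernet pcap and yield every IPv4/UDP payload."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap (pcapng or nanosecond magic not handled here)")
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    if linktype != 1:                                   # DLT_EN10MB (Ethernet)
        raise ValueError(f"unsupported link type {linktype}")
    off = 24                                            # end of the 24-byte global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 17:                                        # IP protocol 17 = UDP
            continue
        udp = ip[ihl:total_len]
        sport, dport, ulen = struct.unpack_from("!HHH", udp, 0)
        yield ip[12:16], ip[16:20], sport, dport, udp[8:ulen]


def parse_btav(payload: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (seq, chunk) for a well-formed BTAV payload, None for anything else (the decoys)."""
    if len(payload) != BTAV_PAYLOAD_LEN or payload[:4] != BTAV_MAGIC:
        return None
    seq = struct.unpack_from("!I", payload, SEQ_OFFSET)[0]
    return seq, payload[8:]


def reassemble(pcap: bytes) -> bytes:
    """Collect BTAV chunks, verify the sequence space is complete and consistent, concatenate in order."""
    chunks: Dict[int, bytes] = {}
    for _src, _dst, _sport, _dport, payload in iter_udp(pcap):
        parsed = parse_btav(payload)
        if parsed is None:
            continue
        seq, chunk = parsed
        if seq in chunks and chunks[seq] != chunk:   # an identical retransmit is harmless; a conflict is not
            raise ValueError(f"conflicting data for sequence number {seq}")
        chunks[seq] = chunk
    missing = sorted(set(range(max(chunks) + 1)) - set(chunks)) if chunks else []
    if missing:
        raise ValueError(f"gaps in sequence space, first few: {missing[:10]}")
    return b"".join(chunks[seq] for seq in sorted(chunks))


# ---- constructed sample input for the demo (assumed layout; not the challenge's chall.pcap) ----

def make_wav(n_samples: int) -> bytes:
    """Canonical 44-byte PCM WAV header (mono, 44100 Hz, 16-bit) followed by silent samples."""
    data = bytes(2 * n_samples)
    fmt = struct.pack("<IHHIIHH", 16, 1, 1, 44100, 44100 * 2, 2, 16)
    return (b"RIFF" + struct.pack("<I", 36 + len(data)) + b"WAVEfmt " + fmt
            + b"data" + struct.pack("<I", len(data)) + data)


def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_frame(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/UDP frame; a 608-byte payload gives the 650-byte frames the capture shows."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload    # UDP checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return bytes(12) + b"\x08\x00" + ip + udp                                   # zeroed MACs, IPv4


def build_pcap(frames: List[bytes]) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)          # little-endian, Ethernet
    recs = [struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SAMPLE_WAV = make_wav(1478)     # 44 + 2956 = 3000 bytes, exactly 5 chunks of 600
SHUFFLE = [3, 0, 4, 1, 2]       # fixed "arrival" order standing in for the capture's shuffle


def build_sample_pcap() -> bytes:
    src, dst = bytes([192, 168, 1, 100]), bytes([192, 168, 1, 200])
    frames = []
    for i, seq in enumerate(SHUFFLE):
        chunk = SAMPLE_WAV[seq * CHUNK_LEN:(seq + 1) * CHUNK_LEN]
        frames.append(build_frame(src, dst, 50000, 62000, BTAV_MAGIC + struct.pack("!I", seq) + chunk))
        if i == 1:   # one decoy between two audio packets: unrelated addresses, odd size, no magic
            frames.append(build_frame(bytes([10, 0, 0, 7]), bytes([10, 0, 1, 9]), 4444, 5555, bytes(range(37))))
    return build_pcap(frames)


if __name__ == "__main__":
    import sys
    pcap = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    out = reassemble(pcap)
    with open("reassembled.wav", "wb") as f:
        f.write(out)
    print(f"{len(out)} bytes written, header {out[:4]!r} {out[8:12]!r}")
```

Run it with a path to a capture to write reassembled.wav, or with no arguments to run it on the constructed sample. The completeness check matters more than it looks: a silently missing chunk shifts every later sample by 300 frames and the spectrogram text smears, while a duplicated sequence number with different contents means either a second stream or a decoy that happens to carry the magic, and both deserve a look before trusting the audio.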

Solution

Step 1: Extract and reassemble BTAV packets

...
