Half Awake

The PCAP initially looks simple, with mostly HTTP, mDNS, and TCP traffic. I started with the HTTP exchange and found a request to /instructions.hello on awake.utctf.local. The server response contains three important hints: the mDNS names are clues, not every TCP blob is what it pretends to be, and any payload starting with PK should be treated as a file.

I then inspected the mDNS traffic. The most useful response is key.version.local, which returns the TXT value 00b7. This value is later used as the XOR key. Next, I reviewed the TCP traffic that appeared to be TLS. One of the payloads begins with the PK signature, which indicates a ZIP archive rather than real encrypted TLS application data. Exporting that payload and identifying it with file confirms that it is a ZIP file. After extracting it, I obtained two files: readme.txt and stage2.bin. The README states that not everything is encrypted the same way, which confirms that the archive is only one stage of the challenge.

Additional strings recovered from the same TCP stream, such as randomized_tls_payload_block_01 and randomized_tls_payload_block_02, reinforce the idea that this traffic is disguised data rather than legitimate TLS. Going back to the original HTTP request, the Accept-Encoding header includes gzip, xor, which points directly to the transformations used in the challenge.

Finally, I used the mDNS value 00b7 as a hexadecimal XOR key to decode stage2.bin. Applying that XOR operation reveals the flag: