247CTF - Error Reporting Protocol

Identify the flag hidden within error messages of ICMP traffic captured in a PCAP file.

Vulnerability

ICMP echo packets (ping requests and replies) carry an arbitrary data payload. Here the flag is exfiltrated in the payload of ICMP echo replies, split across many packets. ICMP is often overlooked as a data exfiltration channel because it is usually allowed through firewalls and rarely inspected beyond type and code.

Solution

#!/usr/bin/env python3
from scapy.all import rdpcap
from scapy.layers.inet import ICMP

packets = rdpcap("error_reporting.pcap")
flag = b""

for p in packets:
    # ICMP type 0 = Echo Reply (responses to ping requests)
    if p.haslayer(ICMP) and p[ICMP].type == 0 and p.haslayer("Raw"):
        # Append the payload of each reply in capture order
        flag += p["Raw"].load

with open("flag.jpg", "wb") as f:
    f.write(flag)

print("[+] Extracted data saved to flag.jpg")

The extracted data is a JPG image containing the flag.
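A scapy-free version of the same carving step, added here as an illustration (it is not part of the original writeup): it walks the classic pcap format by hand so the Ethernet/IPv4/ICMP offsets are explicit, concatenates the echo-reply payloads and checks the result for a JPEG signature. The capture it parses is constructed inline; the packet contents and addresses are assumptions.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"

def icmp_payloads(pcap, icmp_type=0):
    """Yield ICMP payloads of the given type from a classic (non-pcapng) capture.

    Assumes an Ethernet link type and IPv4; both pcap byte orders are handled."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType != IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
        if frame[23] != 1:                      # IP protocol 1 = ICMP
            continue
        icmp = frame[14 + ihl:]
        if len(icmp) >= 8 and icmp[0] == icmp_type:
            yield icmp[8:]                      # strip type/code/cksum/id/seq

def carve_echo_replies(pcap):
    """Concatenate every echo-reply payload and guess the file type from its magic."""
    data = b"".join(icmp_payloads(pcap, icmp_type=0))
    kind = "jpeg" if data.startswith(JPEG_MAGIC) else "unknown"
    return data, kind

def _frame(icmp_type, payload):
    """Constructed Ethernet/IPv4/ICMP frame (checksums left zero; fine for parsing)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + icmp
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap():
    """Constructed capture: one echo request, then two echo replies carrying chunks."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [_frame(8, b"abcdefgh"), _frame(0, b"\xff\xd8\xff\xe0\x00\x10JFIF"),
              _frame(0, b"\x00\x01\x01\x00")]
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + body

if __name__ == "__main__":
    data, kind = carve_echo_replies(sample_pcap())
    print(f"[+] {len(data)} bytes of echo-reply payload, looks like: {kind}")
```

Replacing `sample_pcap()` with the bytes of a real capture file gives the same result as the scapy script above; echo requests (type 8) are skipped, which is why the request's `abcdefgh` never reaches the output.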

247CTF{580e6d627470448064fa7bffd6284ddf}