We are given another packet capture. The challenge mentions a "hidden service" and asks us to recover the secret order.
In Wireshark, the host
|<|\|0<|<|<|\|0<|<
Welcome home!
cscg@cscg-server>
The weird text looks like
We can extract the destination ports with
tshark -r intro-forensics-2.pcapng \
-Y "ip.dst == 45.142.177.160 && tcp.flags.syn == 1" \
-T fields -e tcp.dstport
This gives us:
17235
17223
31595
28208
25451
26990
26463
28526
24424
25953
30309
28275
24420
12336
12402
32010
Each port fits into two bytes. If we convert each number to big-endian bytes and decode it as ASCII, the flag appears:
python3 -c "import sys; print(''.join(int(p).to_bytes(2, 'big').decode() for p in sys.stdin))"
CSCG{kn0cking_on_heavens_d000r}