The "Weird Python" Capture the Flag Series - Part 1

In this blog series, we attempt to complete a Capture The Flag (CTF) challenge posted by The Honeynet Project using Gigasheet. While the challenge is quite dated (2015), the analysis techniques we showcase in this blog are still relevant today.

The challenge is called "Weird Python" and is available for public download through The Honeynet Project's website. It presents a series of twelve questions that one must answer by analyzing a packet capture file. Part 1 of this blog provides the analysis methodology to find the answers to questions 1 and 2. Check back for Part 2, where we continue to solve the challenge questions.

CTF Tutorial Weird Python Example

Follow along with our public sheet located here!

The Challenge

Below is the challenge excerpt, copied from

"Your boss John went to a BYOD conference lately. Yeah, he's that kind of security guy… After some mumble about targeted attacks happening during the event, your team finally got their hands on a PCAP with his traffic. Your colleague Pete Galloway investigated the incident. Yesterday, he casually mentioned that he found some weird Python bytecode, but couldn't make much sense out of "random" payloads yet. Today, Pete didn't come to work. Five minutes ago, he sent a company-wide mail with a total of four words: "F*** you, I quit. ". What has happened!?"

The questions we answer in this blog are:

  • BYOD seems to be a very interesting topic. What did your boss do during the conference?
  • What method did the attacker use to infect your boss? Which systems (i.e. IP addresses) are involved?

Sign Up for Free

The Analysis

Question 1: BYOD seems to be a very interesting topic. What did your boss do during the conference?

We begin the analysis by uploading the PCAP file to Gigasheet and scanning through its contents.

CTF Tutorial Gigasheet upload and scan

Gigasheet Library

We can see the timestamp in the FRAME.TIME_EPOCH column is in Unix time format, which we can translate to CDT (or other time zones) using the Convert Unix time function. Gigasheet then adds a new column labeled FRAME.TIME_EPOCH-UTC, which includes the translated time.

Convert Unix Time

We can see at first glance that most of the traffic is HTTPS over 443, which may not be very useful due to being encrypted. We can add a filter to the INFO column to exclude "443 →" and "→ 443", which hides sent and received traffic over port 443. We also want to exclude any rows displaying "Application Data," in the INFO column, which provides little value for now.

Filter in Gigasheet

We can continue filtering out data that may not be useful by right-clicking the data object and selecting "Filter to exclude this".

Filter to exclude this

After several rounds of filtering, we start seeing some interesting traffic, including DNS queries and HTTP requests/responses.

Interesting Traffic Logs

On rows 204-205, we can see a DNS query and response for, which may help answer the first challenge question. We can flag these rows as "Suspicious" to make them easier to find in future analyses. The DNS request comes from, which is an Internet gateway.

Flag rows as good, bad, or suspicious

Scrolling down to row 619, we can see that the boss accessed a webpage, and closer inspection of the HTML close reveals that website's title: "reddit: the front page of the internet"

Suspicious row in log file

On rows 5028-5029, we see a DNS query and response for, returning IP address

DNS Query and Response in Log File

In rows 5033-5041, we see an HTTP GET request to the IP address of (, followed by an HTTP 200 OK response from the server in row 5041. The response includes a webpage titled: "The Way of the Ninja: the Official Site of N and N+".

HTTP 200 OK Response in Log File

We now have enough information to answer the first question:

What did the boss do during the conference? Among other things, the boss was browsing Reddit and online game sites.

Question 2: What method did the attacker use to infect your boss? Which systems (i.e. IP addresses) are involved?

A deeper analysis of the HTML code returned by in row 5041 reveals that hosts several games for download, as indicated by the HTML code below:

<...alt="N, the free flash game that started it all. Download it here!">

<...alt="N+XBLA released February 20th 2008. Download it now!">

Games for Download indicated in HTML

To determine whether the boss downloaded anything from this website, we filter the INFO column for HTTP GET requests, which leads us to row 5675, where the boss downloads from

Filter Info Column
HTTP GET Requests

Since the user initially communicated with IP address, we need to ensure that the two IP addresses, and, relate to the same user action. We undo the filters and search using the search function to find the beginning of the session.

In rows 5668-5669 and 5671-5672, we see a series of DNS queries and responses for, returning IP addresses and, followed by the file download.

Undo Filters and Search File Name

Searching using the search function leads to row 5424, where we see a link to hxxp:// in the initial website visited by the user.

Link in Log File

We can now answer the second question:

Question 2: What method did the attacker use to infect the boss' computer? List the IP addresses.

The method appears to be a malicious program, likely a trojan. The IP addresses involved in this activity are,, and

Continue the hunt with for Part 2 of our three blog series.

You can do all of this for free. Get started today!

The ease of a spreadsheet with the power of a database, at cloud scale.

No Code
No Database
No Training
Sign Up, Free

Similar posts

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.