Rating:

Reading the link provided we can see tha the `info_hash` value in the `bt-dht` packets is going to be unique per torrent.

From that information you can pull each of these fields with tshark and output as json

```bash
tshark -r torrent.pcap -Y 'bt-dht.bencoded.string=="info_hash"' -Tjson -e 'bt-dht.bencoded.string' > output.json
```

We can then use some bash tools to clean up the output

```bash
cat output.json \
| jq '.[] | ._source.layers' \
| grep info_hash -A1 \
| awk '{print $1}' \
| sort \
| uniq \
| sed -E 's/"?(.{40})"?,?/\1/g' \
| grep -E '.{40}' \
| tr '\n' ' ')"
```

Following this we can manually search each hash in google to find reference to hash `e2467cbf021192c241367b892230dc1e05c0580e` on [linuxtracker.org](https://linuxtracker.org/index.php?page=torrent-details&id=e2467cbf021192c241367b892230dc1e05c0580e).

_Note: the `solve.py` script in this folder can automate the discovery._

`picoCTF{ubuntu-19.10-desktop-amd64.iso}`

Original writeup (https://github.com/elemental-unicorn/picoctf-2022/tree/master/forensics/torrent-analyze).