The Torrents challenge contained a single torrents.pcap file.
After opening it in Wireshark, it was easy to see that it contained a single session of a user downloading some file over Bittorrent. We were lucky in this case because there was only a single file being downloaded in a single session.
Unfortunately, Wireshark doesn't have any built-in way to follow the session or export the relevant packets in an easily parseable format. For this I used tshark, a command-line-only application that can manipulate pcap files much as Wireshark does.
tshark -r torrent.pcap -Y 'bittorrent.piece.data' -Tfields -e bittorrent.piece.index -e bittorrent.piece.data > packets
This prints the bittorrent.piece.index and bittorrent.piece.data fields of every packet that has a bittorrent.piece.data field, and the shell redirect writes that output to a file. However, there is still more cleanup to do, because Bittorrent files are almost always downloaded out of order.
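packets = []
with open('packets') as f:
    for line in f:
        line = line.strip()
        if not line:
            continue  # skip the blank line at the end of the tshark output
        index, data = line.split('\t')
        # base 0 accepts the index whether it is printed as 0x... or decimal
        packets.append({'index': int(index, 0), 'data': data})

# Pieces arrive out of order: sort by piece index. The sort is stable, so
# blocks belonging to the same piece keep their capture order.
packets = sorted(packets, key=lambda packet: packet['index'])

with open('torrent_out.bin', 'wb') as f:
    for packet in packets:
        # strip the colon separators from the hex dump, then decode to bytes
        f.write(bytes.fromhex(packet['data'].replace(':', '')))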
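Sorting on the piece index alone relies on the blocks inside each piece having been captured in order and only once. The following added example (not part of the original write-up) goes one step further and also keys on the bittorrent.piece.begin offset, so out-of-order blocks, retransmissions and holes in the capture are handled or reported. The input layout, the sample lines and the function names are assumptions made for illustration.

```python
# Added example, not the write-up's script. Input: one line per packet from
# tshark -T fields with -e bittorrent.piece.index -e bittorrent.piece.begin
# -e bittorrent.piece.data (tab-separated; formats below are assumptions).

def parse_blocks(lines):
    """Return {(piece_index, begin_offset): bytes}; retransmissions collapse."""
    blocks = {}
    for line in lines:
        if not line.strip():
            continue  # trailing newline at end of tshark output
        idx_f, begin_f, data_f = line.rstrip("\n").split("\t")
        # A packet with several piece messages yields comma-separated values.
        for idx, begin, data in zip(idx_f.split(","), begin_f.split(","),
                                    data_f.split(",")):
            key = (int(idx, 0), int(begin, 0))  # base 0: accepts 0x.. or decimal
            blocks.setdefault(key, bytes.fromhex(data.replace(":", "")))
    return blocks


def reassemble(blocks):
    """Join blocks in (piece, offset) order; return (payload, problems)."""
    out, problems, next_off = bytearray(), [], {}
    for idx, begin in sorted(blocks):
        want = next_off.get(idx, 0)
        if begin != want:
            problems.append(f"piece {idx}: expected offset {want}, got {begin}")
        next_off[idx] = begin + len(blocks[idx, begin])
        out += blocks[idx, begin]
    if next_off:
        for idx in range(min(next_off), max(next_off) + 1):
            if idx not in next_off:
                problems.append(f"piece {idx}: not in capture")
    return bytes(out), problems


# Constructed sample: 2 pieces x 2 blocks of 4 bytes, out of order, with one
# packet holding two piece messages and one retransmitted block.
SAMPLE = [
    "0x00000001\t0x00000004\t20:31:32:33",
    "0x00000000\t0x00000000\t68:65:6c:6c",
    "0x00000000,0x00000001\t0x00000004,0x00000000\t6f:2c:20:77,6f:72:6c:64",
    "0x00000000\t0x00000000\t68:65:6c:6c",
    "",
]

if __name__ == "__main__":
    payload, problems = reassemble(parse_blocks(SAMPLE))
    print(payload, problems)
```

A non-empty problems list means the reassembled file has a hole or overlap and the archive is unlikely to decompress cleanly.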
Running file on torrent_out.bin tells us that it is a bzip file. Assuming that it was probably also a tar archive, I skipped straight to tar -xf.
The archive contained a piece of classical music and the key file:
t0renz0_v0n_m4tt3rh0rn