The Swedish national CERT published a CTF on their website to kick of the cyber security month in the form of a zip-file: CERT-SE_challenge2020.zip

Step 1

Open pcap in Wireshark. Most of the activity is between 192.168.122.156 and 192.168.122.129. Let's filter by it.

ip.addr == 192.168.122.156 && ip.addr == 192.168.122.129

Chat

tcp.stream eq 7

The interesting parts:

:Sp3ccyF4n!user@192.168.122.177 JOIN :#RetroForum
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Yo!
PRIVMSG #RetroForum :Yo!/Sup?
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Sup?
PRIVMSG #RetroForum :I was thinking about what you said earlier. I still can't accept that you perfer the Z80?
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :What now??? The Spectrum is waaaaay faster than the C64!!!
PRIVMSG #RetroForum :Sure the CPU, yes. But hardware sprites, a soundship that doesn't sound like a cat beeing strangled, and the possibility for for paralax scrolling?
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :You're just talking about superficial "flair". It's like putting makeup on a pig, it's still slow...
PRIVMSG #RetroForum :Dude you're soooooo wrong!!! Just have a look at the demo I uploaded to the FTP earlier, I'll PM you the password with our usual "encryption".
PRIVMSG Sp3ccyF4n :The code is: "OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/".
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Thanks... But I don't think it's relevant. You wont convince me! CPU-power is EVERYTHING. My Z80 is kicking your lazy 6502!!!
PRIVMSG #RetroForum :Whatever... All I have to say is SID6581, nuff said!
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Like you said... Whatever...
KICK #RetroForum Sp3ccyF4n
:SID-v1si0uS!user@192.168.122.156 KICK #RetroForum Sp3ccyF4n :SID-v1si0uS

A password protected file is shared via FTP. The "encrypted" password is OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/.

Downloading of file via FTP

tcp.stream eq 9

220 (vsFTPd 3.0.3)
USER sidden
331 Please specify the password.
PASS k3b4bt411rik
230 Login successful.
(...)
STOR demo.tar.xz
150 Ok to send data.
226 Transfer complete.
(...)

The file demo.tar.xz is downloaded from the FTP server. We want that file. Filter by protocol FTP-DATA -> Follow TCP Stream -> Save data as Raw.

Step 2

Decompress the file demo.tar.xz:

$ tar xfv demo.tar.xz
x demo.zip 

$ unzip demo.zip
Archive:  demo.zip
[demo.zip] cert-se ctf2020.tap password: 
password incorrect--reenter:
   skipping: cert-se ctf2020.tap     incorrect password

The "encryption" of the password is base64:

$ echo -n "OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/" | base64 -d
8-bit-C0mput3er-w0nd3r!?

% unzip -P '8-bit-C0mput3er-w0nd3r!?' demo.zip
Archive:  demo.zip
  inflating: cert-se ctf2020.tap

Step 3

The file cert-se ctf2020.tap file and the chat about C64? Let's fire up a Comodore 64 emulator and load the file as a tape! VICE is free, open source and works on most platforms.

Attatch and autoload the tap file.

Step 4

VICE running cert-se ctf2020.tap

This reveals a demo with the text <HTTP 418>in the center and a scrolling text informing us that this is the final step: What does it mean?

The HTTP status code 418 is defined in the Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0) (described in RFC2324, a protocol for controlling, monitoring, and diagnosing coffee pots).

Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.