Skip to content

A CAPture of a Flag

  1. Given is a network capture file whose contents can be read using tcpdump or tshark:

    bash tshark -r flag\ \(4\)

    bash tcpdump -r flag\ \(4\)

  2. Observing the output, we encounter a GET request:

    • tshark output: 247 2.270670 10.50.203.75 → 185.21.216.190 HTTP 504 GET /?msg=ZmxhZ3tBRmxhZ0luUENBUH0= HTTP/1.1
    • tcpdump output: 19:33:25.963056 IP 10.50.203.75.23253 > thisis.feralhosting.com.http: Flags [P.], seq 1:451, ack 1, win 64, length 450: HTTP: GET /?msg=ZmxhZ3tBRmxhZ0luUENBUH0= HTTP/1.1

  3. Decode the msg: echo "<msg>" | base64 -d