Wireshark twoo twooo two twoo...
Can you find the flag? shark2.pcapng.
- 1. Upon initial inspection, there seem to be a lot of requests to a /flag endpoint. Each request shows a different flag, so these must be a distraction.
- 2. After searching through the file I noticed many DNS requests for various subdomains of reddshrimpandherring.com. This looks like the suspicious traffic that one of the challenge hints refers to.
- 3. A lot of the DNS queries have a destination of 22.214.171.124. However, a subset have a destination of 126.96.36.199.
- 4. We can apply the filter `dns and ip.dst==188.8.131.52` to only see DNS requests to this IP address. If we take the subdomains of reddshrimpandherring.com and append them in order we get:
- 5. Decoding the above string as base64 gives us the flag.
- 6. Alternatively, this file can be analyzed using apackets.com. Just upload the file, go to the DNS page, and scroll down to see the requests neatly organized.
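Steps 4 and 5 are a small DNS-tunnel recovery procedure: filter queries by resolver address, keep the subdomain labels in capture order, and base64-decode the concatenation. The following is an added Python example, not part of the original writeup and not using the real shark2.pcapng. It builds a constructed stand-in capture (a list of packet records with a made-up secret, decoy /flag requests and decoy queries to a second resolver), then applies the same filter-and-join logic a defender would use to confirm what left the network. The resolver addresses and domain are taken from the writeup; the `Packet` record, `make_sample_capture` and `recover_flag` are this example's own names.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

EXFIL_DNS_SERVER = "188.8.131.52"    # resolver used in the writeup's filter
DECOY_DNS_SERVER = "22.214.171.124"  # resolver that most queries go to
DOMAIN = "reddshrimpandherring.com"


@dataclass
class Packet:
    """Minimal stand-in for a captured frame (constructed, not parsed from a pcap)."""
    frame: int                         # capture order, like Wireshark's frame number
    ip_dst: str
    dns_qname: Optional[str] = None    # None for non-DNS packets
    http_uri: Optional[str] = None     # None for non-HTTP packets


def make_sample_capture(secret: bytes, chunk: int = 6) -> List[Packet]:
    """Constructed capture: base64(secret) is split across subdomain labels
    queried against EXFIL_DNS_SERVER, interleaved with decoy traffic."""
    b64 = base64.b64encode(secret).decode().rstrip("=")  # tunnels often drop '=' padding
    chunks = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    pkts: List[Packet] = []
    frame = 1
    for c in chunks:
        pkts.append(Packet(frame, "10.0.0.5", http_uri="/flag"))                    # decoy /flag request
        frame += 1
        pkts.append(Packet(frame, DECOY_DNS_SERVER, dns_qname=f"decoy{frame}.{DOMAIN}"))  # decoy DNS query
        frame += 1
        pkts.append(Packet(frame, EXFIL_DNS_SERVER, dns_qname=f"{c}.{DOMAIN}"))    # carries one chunk
        frame += 1
    return pkts


def recover_flag(pkts: List[Packet], dns_server: str = EXFIL_DNS_SERVER,
                 domain: str = DOMAIN) -> bytes:
    """Equivalent of the display filter `dns and ip.dst==<dns_server>`, followed by
    joining the subdomain labels in frame order and base64-decoding the result."""
    selected = sorted(
        (p for p in pkts
         if p.dns_qname is not None
         and p.ip_dst == dns_server
         and p.dns_qname.endswith("." + domain)),
        key=lambda p: p.frame,
    )
    labels = [p.dns_qname[: -len(domain) - 1] for p in selected]  # strip ".<domain>"
    joined = "".join(labels)
    joined += "=" * (-len(joined) % 4)  # restore padding if the sender stripped it
    return base64.b64decode(joined)


if __name__ == "__main__":
    capture = make_sample_capture(b"flag{constructed_sample}")
    print(recover_flag(capture))
```

Two things worth checking against a real capture before trusting the output: the labels must be joined in frame order (a sort by query name would scramble them), and base64 is case-sensitive while DNS is not, so if the resolver or client applies 0x20 case randomization the labels seen on the wire may need to be taken from the query rather than the response.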