Wireshark twoo twooo two twoo...
Can you find the flag? shark2.pcapng.
Upon initial inspection, there seem to be a lot of HTTP requests to a /flag endpoint. Each request returns a different flag, so these must be a distraction.
After searching through the file I noticed many DNS requests for various subdomains of reddshrimpandherring.com. This looks like the suspicious traffic that one of the challenge hints refers to.
A lot of the DNS queries have a destination of 8.8.8.8. However, a subset have a destination for 18.217.1.57.
We can apply the filter dns and ip.dst==18.217.1.57 to only see DNS requests to this IP address. If we take the subdomains of reddshrimpandherring.com and append them in order we get: cGljb0NURntkbnNfM3hmMWxfZnR3X2RlYWRiZWVmfQ==
Decoding the above string as base64 gives us the flag.
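The extraction steps above (filter DNS queries by destination, strip the parent domain from each query name, concatenate the leading labels in capture order, base64-decode) as an added, self-contained example; this is not code from the writeup or from picoCTF. It works on a constructed list of (destination IP, query name) pairs rather than the real pcapng, with the writeup's base64 string split into made-up subdomain chunks and a few 8.8.8.8 queries standing in for the distraction traffic:

```python
import base64

# Constructed sample standing in for the capture: (destination IP, DNS query name),
# in packet order. The 8.8.8.8 entries mimic ordinary lookups; the 18.217.1.57
# entries carry chunks of the base64 string from the writeup as their first label.
SAMPLE_QUERIES = [
    ("8.8.8.8", "www.reddshrimpandherring.com"),
    ("18.217.1.57", "cGljb0NURn.reddshrimpandherring.com"),
    ("8.8.8.8", "mail.reddshrimpandherring.com"),
    ("18.217.1.57", "tkbnNfM3hm.reddshrimpandherring.com"),
    ("18.217.1.57", "MWxfZnR3X2.reddshrimpandherring.com"),
    ("8.8.8.8", "cdn.reddshrimpandherring.com"),
    ("18.217.1.57", "RlYWRiZWVm.reddshrimpandherring.com"),
    ("18.217.1.57", "fQ==.reddshrimpandherring.com"),
]


def extract_subdomain_payload(queries, dst_ip, parent_domain):
    """Equivalent of the Wireshark filter `dns and ip.dst==<dst_ip>` followed by
    collecting the subdomain labels: keep queries sent to dst_ip whose name ends
    in parent_domain, cut the parent domain off, and join what is left in order."""
    suffix = "." + parent_domain
    chunks = []
    for ip, qname in queries:
        if ip != dst_ip:
            continue
        name = qname.rstrip(".")  # tolerate a trailing root dot in the query name
        if not name.endswith(suffix):
            continue
        chunks.append(name[: -len(suffix)])
    return "".join(chunks)


def decode_payload(payload):
    """Base64-decode the concatenated labels. Padding is re-added defensively in
    case the '=' characters were dropped somewhere along the way."""
    padded = payload + "=" * (-len(payload) % 4)
    return base64.b64decode(padded).decode()


def recover_flag(queries, dst_ip, parent_domain):
    return decode_payload(extract_subdomain_payload(queries, dst_ip, parent_domain))


if __name__ == "__main__":
    payload = extract_subdomain_payload(SAMPLE_QUERIES, "18.217.1.57", "reddshrimpandherring.com")
    print("concatenated labels:", payload)
    print("decoded:", decode_payload(payload))
```

On the real capture the same list of query names can be produced with tshark, for example `tshark -r shark2.pcapng -Y 'dns && ip.dst==18.217.1.57' -T fields -e ip.dst -e dns.qry.name`, and fed to the functions above. From a detection standpoint the giveaway is the same thing the writeup noticed: many unique, high-entropy first labels under one parent domain, resolved through an unexpected resolver instead of the usual one.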
Alternatively, this file can be analyzed using . Just upload the file, go to the DNS page, and scroll down to see the requests neatly organized.
picoCTF{dns_3xf1l_ftw_deadbeef}