Upon opening the .pcap file, the first thing I do is inspect the protocols used in the sample.

I knew that the flag came from a website, so I had a good idea where I should look first. I began with the HTTP packets and analyzed them one at a time. Sure enough, I was able to find the first flag in a text/html packet transmitted over HTTP.

However, there is a second flag that needs to be obtained from the file.

Because I found the first flag in an HTTP packet, I figured that I might as well continue to look through the text/html packets one by one. I was able to sort these packets by protocol to narrow the search down.

By following the TCP stream, similar to the first packet, I was able to identify the second flag.

By narrowing down the scope of the packets using the overall context, I was able to find the flags and accurately present them.
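The same workflow (walk the capture, keep only TCP, reassemble each flow as "Follow TCP Stream" does, then look at the text/html HTTP responses) can be scripted with the standard library alone. The block below is an added example, not code from the write-up, and the capture it parses is constructed inline rather than taken from the CTF; the `flag{...}` token format is an assumption, since the post does not state what the flags looked like. It also handles one edge case the GUI hides: an HTML body split across segments that arrive out of order is reordered by sequence number before the body is searched.

```python
"""Minimal pcap walker: reassemble TCP flows and grep text/html HTTP
responses for a flag-like token. Standard library only."""
import re
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # little-endian libpcap magic
ETH_IPV4 = 0x0800
IP_PROTO_TCP = 6


def build_packet(src, dst, sport, dport, seq, payload):
    """Construct an Ethernet/IPv4/TCP frame (constructed sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IP_PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + tcp


def build_pcap(frames):
    """Wrap frames in a pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap_bytes):
    """Yield raw link-layer frames from a little-endian pcap byte string."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    assert magic == PCAP_MAGIC, "unsupported pcap magic"
    offset = 24                                  # skip the global header
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, offset)
        offset += 16
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def tcp_segment(frame):
    """Return (src, dst, sport, dport, seq, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    if frame[14 + 9] != IP_PROTO_TCP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4   # TCP header length in bytes
    return src, dst, sport, dport, seq, frame[tcp_off + data_off:14 + total_len]


def follow_streams(pcap_bytes):
    """Reassemble each unidirectional TCP flow by sequence number."""
    flows = defaultdict(list)
    for frame in iter_frames(pcap_bytes):
        seg = tcp_segment(frame)
        if seg and seg[5]:                       # ignore empty (pure ACK) segments
            src, dst, sport, dport, seq, payload = seg
            flows[(src, sport, dst, dport)].append((seq, payload))
    return {key: b"".join(p for _, p in sorted(segs)) for key, segs in flows.items()}


def html_responses(streams):
    """Keep only flows carrying an HTTP response whose Content-Type is text/html."""
    found = {}
    for key, data in streams.items():
        head, _, body = data.partition(b"\r\n\r\n")
        if head.startswith(b"HTTP/1.") and b"content-type: text/html" in head.lower():
            found[key] = body
    return found


def find_flags(pcap_bytes, pattern=rb"flag\{[^}]*\}"):
    """Flag-like tokens found in text/html responses (pattern is an assumption)."""
    return [m.decode() for body in html_responses(follow_streams(pcap_bytes)).values()
            for m in re.findall(pattern, body)]


# Constructed sample capture: a request, an HTML response whose body is split
# across two segments captured out of order, and an unrelated text/plain reply.
HTML = b"<html><body>flag{constructed_example}</body></html>"
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.2", "10.0.0.1", 40000, 80, 1, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    build_packet("10.0.0.1", "10.0.0.2", 80, 40000, 1 + len(HDR) + 20, HTML[20:]),
    build_packet("10.0.0.1", "10.0.0.2", 80, 40000, 1, HDR + HTML[:20]),
    build_packet("10.0.0.1", "10.0.0.2", 8080, 40001, 1,
                 b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nflag{not_html}"),
])

if __name__ == "__main__":
    print(find_flags(SAMPLE_PCAP))
```

To run it against a real capture, replace `SAMPLE_PCAP` with `open("sample.pcap", "rb").read()`; the reader only understands the classic little-endian pcap format with Ethernet framing, not pcapng, so export from Wireshark accordingly.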
