-
Given is a network capture file whose contents can be read using
tcpdumportshark:tshark -r flag\ \(4\)
tcpdump -r flag\ \(4\)
-
Observing the output, we encounter a GET request:
- tshark output:
247 2.270670 10.50.203.75 → 185.21.216.190 HTTP 504 GET /?msg=ZmxhZ3tBRmxhZ0luUENBUH0= HTTP/1.1 - tcpdump output:
19:33:25.963056 IP 10.50.203.75.23253 > thisis.feralhosting.com.http: Flags [P.], seq 1:451, ack 1, win 64, length 450: HTTP: GET /?msg=ZmxhZ3tBRmxhZ0luUENBUH0= HTTP/1.1
- tshark output:
-
Decode the msg:
echo "<msg>" | base64 -d