Wpictf 2021

Suspicious traffic

Solved by : thewhiteh4t

• we are given a pcapng file with some HTTP traffic
• some of the requests have extra characters in data field
• they can be listed using tshark easily

    tshark -r capture.pcapng -T fields -e http.file_data | grep "\S" | grep -v "html" | cut -d "\\" -f 1 | tr -d "\n"

WPI{su3p1ci0uS_htTp}