Affinity Lost Head Write-Up

Well, they gave us a .pcapng file, so what else is there to do but open Wireshark.

We have DNS and TCP traffic, but of course we will look at our beloved HTTP packets first by adding a quick http filter in Wireshark.

And we already see some interesting packets:

44	26.518465370	10.0.2.15	207.154.234.221	HTTP	383	GET /challenges.php HTTP/1.1
46	26.549133870	207.154.234.221	10.0.2.15	HTTP	295	HTTP/1.1 200 OK  (text/html) (text/html)
48	26.576451635	10.0.2.15	207.154.234.221	HTTP	301	GET /favicon.ico HTTP/1.1
50	26.606350349	207.154.234.221	10.0.2.15	HTTP	378	HTTP/1.1 404 Not Found  (text/html)

Well, this is a CTF, so common sense dictates that a request to challenges.php, and the response to it, is always interesting.

HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Mon, 02 Nov 2020 12:08:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.2.24
X-Affinity: AFFCTF{DonT_TRusT_h34d3R2}

0

That packet has the flag hidden in the X-Affinity header.

EASY PEASY !!
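
The same header check done programmatically, as an added example that is not part of the original write-up: it scans raw capture bytes for HTTP responses and reports any header that is off a small allowlist or matches the AFFCTF{...} flag format. The allowlist, the function names and the sample bytes are constructed for illustration.

```python
import re

# Allowlist of everyday response headers (an assumption for this example).
COMMON = {"server", "date", "content-type", "content-length", "connection",
          "transfer-encoding", "x-powered-by", "cache-control", "set-cookie",
          "location", "etag", "last-modified", "vary", "content-encoding"}
FLAG_RE = re.compile(r"AFFCTF\{[^}]*\}")  # flag format seen in this challenge
STATUS_RE = re.compile(rb"HTTP/1\.[01] \d{3}[^\r\n]*\r\n")

def parse_responses(raw: bytes):
    """Yield (status_line, [(name, value), ...]) for each HTTP response in raw.
    Bytes before a status line (frame/IP/TCP headers in a dump) are skipped."""
    for m in STATUS_RE.finditer(raw):
        # Start 2 bytes back so a response with no headers ends immediately.
        end = raw.find(b"\r\n\r\n", m.end() - 2)
        block = raw[m.end():end] if end != -1 else raw[m.end():]
        headers = []
        for line in block.split(b"\r\n"):
            name, sep, value = line.partition(b":")
            if sep:
                headers.append((name.decode("latin-1").strip(),
                                value.decode("latin-1").strip()))
        yield m.group().decode("latin-1").strip(), headers

def unusual_headers(raw: bytes):
    """Return (status, name, value) for headers off the allowlist or flag-shaped."""
    return [(status, name, value)
            for status, headers in parse_responses(raw)
            for name, value in headers
            if name.lower() not in COMMON or FLAG_RE.search(value)]

# Constructed sample: junk link-layer bytes, the 200 response from the write-up,
# and a made-up 404 response carrying only ordinary headers.
SAMPLE = (b"\x08\x00\x27\x45\x00"
          b"HTTP/1.1 200 OK\r\nServer: nginx/1.14.1\r\n"
          b"Date: Mon, 02 Nov 2020 12:08:41 GMT\r\n"
          b"Content-Type: text/html; charset=UTF-8\r\n"
          b"Transfer-Encoding: chunked\r\nConnection: keep-alive\r\n"
          b"X-Powered-By: PHP/7.2.24\r\n"
          b"X-Affinity: AFFCTF{DonT_TRusT_h34d3R2}\r\n\r\n0\r\n\r\n"
          b"\x00\x01HTTP/1.1 404 Not Found\r\nServer: nginx/1.14.1\r\n"
          b"Content-Type: text/html\r\n\r\n<html>404</html>")

if __name__ == "__main__":
    for status, name, value in unusual_headers(SAMPLE):
        print(f"{status}: {name} = {value}")
```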