Labs / Packet Pursuit
- Daily Challenge
- Released 19 Jun 2025
The lab needs to be started first.
Step 1: Click on the green button to Start the Lab
Step 2: Hack the URL or IP of the lab
Step 3: Use your skills and logic to find the flags!
Need help to start?
Daily Challenge
Solution Steps
- Download the PCAP file from the challenge page.
- Open the file in Wireshark and begin your analysis:
- First, look for DNS queries containing 'flag_' in the subdomain
- Then, look for ICMP packets containing 'FLAG_PART:' in the payload
- Finally, look for HTTP requests containing 'FLAG:' in the headers
- To find the flag in DNS queries:
- In Wireshark, use the filter:
dns and dns.qry.name contains "flag_" - Look at the 'Query' field in each DNS packet
- The flag parts are in the subdomains after 'flag_'
- For example, if you see 'flag_123.abc.lab.hdna.me', '123' is part of the flag
- In Wireshark, use the filter:
- To find the flag in ICMP packets:
- In Wireshark, use the filter:
icmp - Look for packets with 'FLAG_PART:' in the data
- The flag parts are after 'FLAG_PART:'
- For example, if you see 'FLAG_PART: 456', '456' is part of the flag
- In Wireshark, use the filter:
- To find the flag in HTTP traffic:
- In Wireshark, use the filter:
http - Look for HTTP requests with 'FLAG:' in the headers
- The flag parts are after 'FLAG:'
- For example, if you see 'FLAG: 789', '789' is part of the flag
- In Wireshark, use the filter:
- Combine all the flag parts in order to form the complete UUID flag.
- Submit the complete flag on the challenge page.
Example
If you find these parts:
- DNS: flag_123.abc.lab.hdna.me
- ICMP: FLAG_PART: 456
- HTTP: FLAG: 789
And they appear in that order in the traffic, the flag would be: 123456789
Key Points
- The flag is a UUID split into parts
- Each part is hidden in a different protocol
- Look for the specific markers: 'flag_', 'FLAG_PART:', and 'FLAG:'
- The parts appear in the correct order in the traffic