Labs / Packet Pursuit
- Challenge
- Released 19 Jun 2025
Packet Pursuit
Start the machine, hack the system, and find the hidden flags to complete this challenge and earn points!
1
Flags
1
Points
Start Lab Environment
~1-2 min setup
AWS dedicated
Private instance
Industry standard
Challenge
Solution Steps
- Download the PCAP file from the challenge page.
- Open the file in Wireshark and begin your analysis:
- First, look for DNS queries containing 'flag_' in the subdomain
- Then, look for ICMP packets containing 'FLAG_PART:' in the payload
- Finally, look for HTTP requests containing 'FLAG:' in the headers
- To find the flag in DNS queries:
- In Wireshark, use the filter:
dns and dns.qry.name contains "flag_" - Look at the 'Query' field in each DNS packet
- The flag parts are in the subdomains after 'flag_'
- For example, if you see 'flag_123.abc.lab.hdna.me', '123' is part of the flag
- In Wireshark, use the filter:
- To find the flag in ICMP packets:
- In Wireshark, use the filter:
icmp - Look for packets with 'FLAG_PART:' in the data
- The flag parts are after 'FLAG_PART:'
- For example, if you see 'FLAG_PART: 456', '456' is part of the flag
- In Wireshark, use the filter:
- To find the flag in HTTP traffic:
- In Wireshark, use the filter:
http - Look for HTTP requests with 'FLAG:' in the headers
- The flag parts are after 'FLAG:'
- For example, if you see 'FLAG: 789', '789' is part of the flag
- In Wireshark, use the filter:
- Combine all the flag parts in order to form the complete UUID flag.
- Submit the complete flag on the challenge page.
Example
If you find these parts:
- DNS: flag_123.abc.lab.hdna.me
- ICMP: FLAG_PART: 456
- HTTP: FLAG: 789
And they appear in that order in the traffic, the flag would be: 123456789
Key Points
- The flag is a UUID split into parts
- Each part is hidden in a different protocol
- Look for the specific markers: 'flag_', 'FLAG_PART:', and 'FLAG:'
- The parts appear in the correct order in the traffic