
HTTP Traffic Forensics: Red Flag

Difficulty

  • easy

Average duration

1 hrs

Technologies

  • wireshark

  • network analysis

  • pcap

  • base64

  • cybersecurity

  • forensics

  • blue-team


HTTP Traffic Forensic Analysis

In this lab, you will receive network evidence captured in a .pcap file. This file contains an HTTP transaction between a client and a local server, and it is suspected that a flag is hidden within that communication.

In this lab you will learn:

  • HTTP traffic analysis in .pcap files
  • Using Wireshark for forensic inspection
  • Searching and extracting data in application protocols

🌱 How to start this lab

👉 This challenge is solved inside a preconfigured virtual machine with Wireshark and a graphical environment. No additional software installation or traffic simulation is required: you will analyze a pre-captured .pcap file directly.

  1. If you don't have the virtual machine yet, download it from this link:
     https://storage.googleapis.com/cybersecurity-machines/redflag-lab.ova
  2. Import the virtual machine into VirtualBox.
  3. Start the VM and log in as user student:4geeks-lab.

📄 Instructions

An internal system made an HTTP request to a local server, which responded with unexpected content. The transmission was intercepted by a network sensor and is now in your hands: a .pcap file with the complete conversation. Your job as an analyst is clear: examine the HTTP conversation for data that shouldn't be there.

It is rumored that the server delivered a suspicious string — there are no unusual headers, no obvious errors... just a simple response. But remember: simple things sometimes hide more than they show.

Tip: pay special attention to the response body. Sometimes messages are not in plain text, but masked with basic techniques like encoding. If you see a long, meaningless string... maybe it's not as random as it seems.

Your mission

  1. Open the redflag.pcap file in Wireshark. The file is located on the desktop.
  2. Apply a display filter to focus on the HTTP traffic, for example:
     tcp.port == 8080
  3. Browse the packets and locate the server's HTTP responses. You must review them all.
  4. In the "Hypertext Transfer Protocol" section of the packet details, identify a string that does not appear as readable text.
  5. Copy that string and decode it.
  6. If, upon decoding, the result has this format: 4GEEKS{EXAMPLE_FLAG}, then you have found the flag.

Good luck, Forensic Analyst!
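The decoding step from the mission above, as an added example that is not part of the lab's own material: a Python script that takes a server response as Wireshark shows it under Follow > TCP Stream, scans the body for base64-looking tokens, decodes them and checks for the 4GEEKS{...} format. The sample response and its token are constructed for illustration; the real capture will differ.

```python
import base64
import re

# Constructed sample of an HTTP response, as copied from Wireshark's
# Follow > TCP Stream view (assumption: the real capture differs).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: SimpleHTTP/0.6 Python/3.10\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 70\r\n"
    b"\r\n"
    b"status=ok\n"
    b"token=NEdFRUtTe0VYQU1QTEVfRkxBR30=\n"
    b"note=nothing to see here\n"
)

# Flag format given in the lab instructions.
FLAG_RE = re.compile(r"4GEEKS\{[^}]+\}")
# A run of base64 alphabet characters long enough not to be an ordinary word.
B64_TOKEN_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def split_response(raw):
    """Split a raw HTTP response into (headers, body) at the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def base64_candidates(body):
    """Return every substring of the body that looks like base64."""
    return [m.group(0) for m in B64_TOKEN_RE.finditer(body)]


def decode_candidate(token):
    """Strictly decode one token; None if it is not valid base64 / UTF-8."""
    padded = token + b"=" * (-len(token) % 4)   # repair stripped padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def find_flags(raw):
    """Decode every base64-looking token in the body and collect flags."""
    _, body = split_response(raw)
    found = []
    for token in base64_candidates(body):
        text = decode_candidate(token)
        if text is not None:
            found.extend(FLAG_RE.findall(text))
    return found


if __name__ == "__main__":
    print(find_flags(SAMPLE_RESPONSE))
```

Only the body is scanned because the lab states the flag is there; widening the scan to the headers is a one-line change to find_flags.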
