# Endpoint ## OVERVIEW --- ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759542880677/9be1061e-8830-4a22-8127-858a0d504321.png align="center") Let’s inspect the downloaded **Capture.pcap** file in wireshark ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759543008262/d55d1ec0-2948-4fdc-b68b-85cebbe29fc6.png align="center") Let’s follow any one request into TCP stream as it looks like some data is present there ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759543087033/52931781-64de-4b5f-9ed7-01af9d1cb0a7.png align="center") We can see a long list of strings like this: * **So There are two ways to solve this challenge :** * **Manually** * **Scripting** ## Manual Approach --- So First Save any request TCP Stream with Save as button ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759543355169/7a081f09-1aa7-43c5-b837-89615ee546f8.png align="center") Now I used Both Notepad And VS Code to remove the unnecessary part using Find & Replace functionality So Open Notepad and press **Ctrl + H** to open **Replace** functionality Now Select the unnecessary element and replace them all with space like shown below: ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759543697025/62b6a43b-c180-4969-850f-84e5500e5e61.png align="center") So after replacing everything unnecessary and just leaving the strings you will get the final results like this: ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759543866597/023c20a5-5c07-4ef8-9ca0-53a00e64ba25.png align="center") Now Copy all of them and go to this website [https://www.browserling.com/tools/remove-all-whitespace](https://www.browserling.com/tools/remove-all-whitespace) And Paste All Your Content In This And Click On Remove Spaces Button ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759543992933/e4da652d-18b1-4815-a90a-63156b65f21c.png align="center") Now, Press copy to clipboard to copy the output and Head to [**CyberChef**](https://gchq.github.io/CyberChef) ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759544131639/044edb90-ebfb-4f21-bb4d-d5304a61549d.png align="center") Either Press that magic wand or just add base64 decode recipe Now Scroll the Output Till You Get this ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759544259846/bebfc88c-2b46-4c57-b44c-4cb432140deb.png align="center") Copy The Last String from that link which is ```apache SFRCe2NodW5rNV80bmRfdWRmX2Ywcl9icjM0a2Y0NTd9 ``` Now Again Paste It Into CyberChef And Base64 decode it and you will get the flag ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759544391778/0d4aedc9-4c69-44ad-9a0a-30e857de2e56.png align="center") ## SCRIPTING / AUTOMATION --- So In scripting you have to automate all this manual work in a single script with python So Below is the script that will do all this work and give you the flag **NOTE : Be Sure To Put The Script And Capture.pcap File In Same Directory** ```apache #!/usr/bin/env python3 # pcap_to_flag.py import struct, socket, re, base64 PCAP = 'capture.pcap' OUT_COLLECTED = 'collected_vals.txt' with open(PCAP, 'rb') as f: data = f.read() # parse pcap global header (little-endian magic 0xa1b2c3d4) off = 0 if len(data) < 24: raise SystemExit("pcap too small") magic,ver_major,ver_minor,thiszone,sigfigs,snaplen,network = struct.unpack('> 4) * 4 payload = tcp[data_offset:] if not payload: continue # only capture flows where either src or dst port is 3306 if srcp == 3306 or dstp == 3306: key = (src, srcp, dst, dstp) streams.setdefault(key, bytearray()).extend(payload) # Normalize bidirectional flows by pairing tuples norm = {} for (s,sp,d,dp),payload in streams.items(): # canonicalize order k = tuple(sorted([(s,sp),(d,dp)])) norm.setdefault(k, bytearray()).extend(payload) # concatenate all normalized streams (or pick the biggest one) all_payload = b'' for k,p in norm.items(): all_payload += bytes(p) text = all_payload.decode('latin1', errors='ignore') # extract base64 fragments inside VALUES('...') in order parts = re.findall(r"VALUES\s*\(\s*'([A-Za-z0-9+/=_\-]{8,})'\s*\)", text, flags=re.IGNORECASE) with open(OUT_COLLECTED,'w') as f: for p in parts: f.write(p + '\n') print("Collected", len(parts), "fragments ->", OUT_COLLECTED) # decode fragments decoded = [] for p in parts: clean = re.sub(r'[^A-Za-z0-9+/=_\-]', '', p).replace('-', '+').replace('_','/') clean += '=' * ((4 - len(clean)%4) % 4) try: decoded.append(base64.b64decode(clean)) except: decoded.append(b'') big = b''.join(decoded) txt = big.decode('latin1', errors='ignore') # find and display curl and token m = re.search(r'packages/callback/([A-Za-z0-9\-_+=/]{8,300})', txt) if m: tok = m.group(1) print("Found token:", tok) t = tok.replace('-', '+').replace('_','/') t += '=' * ((4 - len(t)%4)%4) try: print("Decoded token:", base64.b64decode(t).decode('utf-8', errors='ignore')) except Exception as e: print("Failed to decode token:", e) # fallback: look for HTB{...} m2 = re.search(r'HTB\{.*?\}', txt, re.DOTALL) if m2: print("Found HTB flag:", m2.group(0)) ``` which will give you the flag ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759544707134/8a43fb26-6b0a-418d-a6ce-1ecb7f047712.png align="left") ## **WE FINALLY DID IT !!!! CHALLENGE SOLVED !!** ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759544791899/35057f9d-48db-44f1-b827-6f281123deac.png align="center") For Any Query Or Problem Either Leave A Comment Or Contact At [**reapsec.com**](http://reapsec.com/) **THANKS FOR READING !!!**