For this challenge you’re provided a PCAP containing 30 HTTP GET requests to www.dopefish.com. Each request carries the same URL to the image below and a reversed base64 string that decodes to “Not everything is as it seems…”.

Looking at the actual GET requests, the URL structure is interesting as there are a few sections in the URL that remain static between the URLs so we’ll go ahead and extract them all for further analysis.

The command below extracts each unique URL.

tcpdump -r dopefish_labyrinth.pcap -A |grep "GET /" |grep -o "/.*" |sort -u

The general breakdown of the URL is as follows:

/M[a-zA-Z]{3}.php?=owVXdTMzc[a-zA-Z0-9]{109}&L4bry1nth_[0-9]{3,5}?NxM[a-zA-Z0-9]{134}-[0-9]{4,5}%26%71%77port%3D27500

Dropping the URL into an online URL parser shows that the query string being supplied to the file is the entire string after the initial “?”, which seems odd since there appears to be other variables in the URL.

Further analysis shows that the URL is not correctly formatted, as “?” and “=” are reserved characters. When they are placed next to each other with no variable name in between, the rest of the query string becomes invalid.

Looking at the query string, which starts with “=”, and the hint above, a reversed base64 string beginning with the same symbol, I try to base64 decode the reversed query string…which works, but the output is of no use.

After taking a closer look at the URLs, I noticed definite patterns in the characters; in particular, “NxM” repeats roughly every 18 characters. More importantly, the NxM pattern appears both in the first long string and in the long string directly following the “&L4bry1nth_[0-9]{3,5}?” section of the URL. Removing that section, joining the two long strings, reversing the result, and base64 decoding it gives much more usable output.

Building on the previous command, we wrap it in a for loop, parse out only the two halves, reverse them, and print the result. (base64 -D is the macOS/BSD flag; GNU coreutils uses base64 -d.)

for i in $(tcpdump -r dopefish_labyrinth.pcap -A |grep "GET /" |grep -o "/.*" |sort -u |cut -d"=" -f2 |cut -d"-" -f1 |sed -e 's/&L4bry1nth_.*?//g'); do echo "=$i" |rev |base64 -D ; done

There is a very apparent pattern in the output. The last step is to add one more command to the pipeline and strip out “317”, which turns out to be the “NxM” from the URL.

for i in $(tcpdump -r dopefish_labyrinth.pcap -A |grep "GET /" |grep -o "/.*" |sort -u |cut -d"=" -f2 |cut -d"-" -f1 |sed -e 's/&L4bry1nth_.*?//g'); do echo "=$i" |rev |base64 -D ; done |sed -e 's/317//g'
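The same decode pipeline, written step for step in Python as an added example (not code from the writeup or the challenge). The request path and the secret it hides are constructed here so it runs without the PCAP; the builder only shows the URL shape described above and is not the challenge's generator.

```python
import base64
import re

# Constructed sample request path following the shape described in the writeup:
# "?=" + first half of the reversed base64, a "&L4bry1nth_NNN?" separator,
# the second half, then a "-NNNN..." trailer. Hidden text is "hi317there!".
SAMPLE_PATH = "/Mabc.php?=ESZyVGa0&L4bry1nth_123?dTMzkGa-4242%26%71%77port%3D27500"

SEPARATOR = re.compile(r"&L4bry1nth_[0-9]+\?")


def decode_path(path: str) -> str:
    """Recover the hidden text from one request path, mirroring the shell
    pipeline: cut -d= -f2, cut -d- -f1, sed (drop separator), echo "=$i",
    rev, base64 decode, sed 's/317//g'."""
    # cut -d"=" -f2: the first "=" in the path is the reversed base64 padding
    after_eq = path.split("=", 1)[1]
    # cut -d"-" -f1: "-" is not in the base64 alphabet, so this drops the trailer
    before_dash = after_eq.split("-", 1)[0]
    # sed: remove the separator so the two halves join back together
    joined = SEPARATOR.sub("", before_dash)
    # echo "=$i" | rev: restore the padding, then reverse into real base64
    b64 = ("=" + joined)[::-1]
    decoded = base64.b64decode(b64, validate=True).decode("ascii")
    # sed 's/317//g': strip the filler that the URL's "NxM" runs decode to
    return decoded.replace("317", "")


def build_path(secret: bytes, tag: int = 123, noise: int = 4242) -> str:
    """Constructed encoder for the sample layout. The cut -d= -f2 trick only
    works because the reversed base64 carries exactly one '=' of padding, so
    this refuses secrets whose encoding pads with zero or two characters."""
    b64 = base64.b64encode(secret).decode("ascii")
    if b64.count("=") != 1:
        raise ValueError("layout needs exactly one base64 padding character")
    body = b64[::-1][1:]          # reversed; leading "=" becomes the "?=" in the path
    half = len(body) // 2
    return (f"/Mabc.php?={body[:half]}&L4bry1nth_{tag}?{body[half:]}"
            f"-{noise}%26%71%77port%3D27500")


if __name__ == "__main__":
    print(decode_path(SAMPLE_PATH))                      # hithere!
    print(decode_path(build_path(b"hi317there!")))       # hithere!
```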

The key is PAN{th3D0p3fshl1v3s}.