Baby Shark

🔍 Details

Challenge Name: Baby Shark
Category: Networking
Difficulty: 🔴 Hard
Flag: F4H{88kJr12Fmh**********}

📝 Description

The BabyShark Intelligence Agency has intercepted a flood of network traffic, but something smells fishy.

Among the chaotic waves of HTTP requests and scattered DNS queries, a hidden message lurks beneath the surface.

Somewhere in the deep, a predator moves silently, sending fragments of a real message to an unusual destination.

Can you navigate through the noise, dodge the distractions, and track down the real flag hidden in the depths?


📥 Download dodoodo.pcapng

🧩 Hints

  1. I am sorry, but there are just so many requests to the /flag endpoint, each with a different flag; you need to continue searching.
  2. Not all meaningful signals leave the local network. Sometimes, the most important conversations happen entirely at home—with both the sender and receiver staying local.

💡 Solution

This challenge is designed to mislead participants by flooding the packet capture with fake HTTP requests and DNS queries.

  1. Start by opening the provided .pcapng file in Wireshark.
  2. You will notice a high number of HTTP requests to the /flag endpoint. Each of these requests appears to contain a different flag. However, these are decoys meant to confuse and distract.

💡 This is a deliberate misdirection. The actual flag is not transmitted over HTTP.

  3. Move your focus to DNS traffic. At first glance, there are many DNS queries to external resolvers like 8.8.8.8, all following a similar pattern: [random_subdomain].babysharkdoododoo.com
  4. These are also decoys. The real clue lies in a set of internal DNS requests, where both the source and destination IPs are 192.168.1.33.

     Apply the following Wireshark filter:

     ip.src == 192.168.1.33 && ip.dst == 192.168.1.33

  5. These internal DNS requests contain meaningful fragments. The queried domains include:

     g4a0py.babysharkdoododoo.com
     MTJGbW.babysharkdoododoo.com
     hlWUZm.babysharkdoododoo.com
     Zkt6Nl.babysharkdoododoo.com
     c3fQ==.babysharkdoododoo.com

  6. Concatenate the subdomains (the labels before .babysharkdoododoo.com) in the order they were queried: RjRIezg4a0pyMTJGbWhlWUZmZkt6Nlc3fQ==
  7. Decode the string using a Base64 decoder to get the flag.
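The filtering, concatenation and decoding steps above, as an added Python example that is not part of the original writeup: it groups every <label>.babysharkdoododoo.com query by (source, destination) pair, joins each group's labels in frame order and attempts a Base64 decode, so only the 192.168.1.33 -> 192.168.1.33 group yields readable text while the decoy groups are rejected. The query records are constructed (the local-pair labels are the writeup's fragments, with RjRIez taken from the start of the concatenated string in step 6; the 8.8.8.8 labels are invented decoys), and the tshark command in the comment is one way to produce real records from the capture.

```python
import base64
import binascii
from collections import defaultdict

ZONE = "babysharkdoododoo.com"

# Constructed (frame, src, dst, qname) records standing in for the DNS queries in
# dodoodo.pcapng; a real run could export them with
#   tshark -r dodoodo.pcapng -Y "dns.flags.response == 0" -T fields -e frame.number -e ip.src -e ip.dst -e dns.qry.name
# Local-pair names are the writeup's fragments (RjRIez opens its concatenated string); the 8.8.8.8 ones imitate decoys.
SAMPLE_QUERIES = [
    (10, "192.168.1.33", "8.8.8.8", "x7q2kd.babysharkdoododoo.com"),
    (12, "192.168.1.33", "192.168.1.33", "RjRIez.babysharkdoododoo.com"),
    (15, "192.168.1.33", "8.8.8.8", "p0o9i8.babysharkdoododoo.com"),
    (17, "192.168.1.33", "192.168.1.33", "g4a0py.babysharkdoododoo.com"),
    (21, "192.168.1.33", "192.168.1.33", "MTJGbW.babysharkdoododoo.com"),
    (22, "192.168.1.33", "8.8.8.8", "zz11aa.babysharkdoododoo.com"),
    (25, "192.168.1.33", "192.168.1.33", "hlWUZm.babysharkdoododoo.com"),
    (30, "192.168.1.33", "192.168.1.33", "Zkt6Nl.babysharkdoododoo.com"),
    (31, "192.168.1.33", "192.168.1.33", "c3fQ==.babysharkdoododoo.com"),
]

def fragments_by_pair(queries, zone=ZONE):
    """Group the leading label of every <label>.<zone> query by (src, dst), in frame order."""
    groups = defaultdict(list)
    for _frame, src, dst, qname in sorted(queries):
        if qname.endswith("." + zone):
            groups[(src, dst)].append(qname[: -len(zone) - 1])
    return dict(groups)

def try_decode(fragments):
    """Concatenate fragments and Base64-decode; None unless the result is printable ASCII."""
    joined = "".join(fragments)
    joined += "=" * (-len(joined) % 4)  # re-pad in case '=' was stripped from a label
    try:
        text = base64.b64decode(joined, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def recover_flag(queries=SAMPLE_QUERIES, zone=ZONE):
    """Map each (src, dst) pair whose fragments decode cleanly to the decoded text."""
    found = {}
    for pair, frags in fragments_by_pair(queries, zone).items():
        text = try_decode(frags)
        if text is not None:
            found[pair] = text
    return found

if __name__ == "__main__":
    for (src, dst), text in recover_flag().items():
        print(f"{src} -> {dst}: {text}")
```

Grouping by address pair rather than hard-coding 192.168.1.33 is also how a detection would surface the same pattern: a stream of short, high-entropy labels under one zone whose sender and receiver never leave the host is what hint 2 describes.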

📚 Insights

This challenge emphasizes the importance of critical thinking in network forensics, especially when dealing with large or noisy packet captures.

  • Not all visible traffic is meaningful. The use of decoy HTTP /flag requests and randomized DNS queries is intended to mislead and overload the analyst with irrelevant information.
  • Filtering by IP address, protocol type, and source/destination combinations is essential for reducing noise and isolating suspicious behavior.
  • Recognizing when something is intentionally misleading and shifting analysis accordingly is a key part of successful CTF and incident response work.