Tags: pcap 


# ▼▼▼Missed Registration (Forensics:150)(143/1444 team=9.9%)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

It's registration day! These forms just seem longer and longer...
UPDATE 10:44 Eastern: New pcap that should be a bit easier to work with.
UPDATE 2:58 Eastern: We're regenerating due to flag leaks, submissions disabled until then. Please be patient.
Update 3:31 Eastern: Updated pcap with new flag after leak. Please re-run your solutions on the file!
・cap.pcap file is given.

### 【Analytics】

・A lot of HTTP protocol are transmitted.

・it seems to be a **BMP file** because **the value of the x parameter** of the first request begins with **42 4d**.

### 【exploit】

Extract & combine the value of x parameter

`$ strings cap.pcap | grep "x=" |sed 's/.*x=\([a-f0-9]*\).*/\1/' > test.txt`

`$ xxd -r -p test.txt test.bmp`