In the Sniffing and attack example, the user is instructed to initialize a packet capture in Wireshark, visit http://primer.picoctf.org/vuln/web/sign_in.php, and filter for `http`; this returns nil results because the TCP protocol is used.

On Chrome v142, clicking the link initiates the following request:

```shell
curl 'http://primer.picoctf.org/vuln/web/sign_in.php' \
  -H 'DNT: 1' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: [REDACTED] Chrome/142.0.0.0 Safari/537.36' \
  --insecure
```

This receives an HTTP 307 response, and the user is redirected to https://...
Also, the screenshot in this section displays a different URL.
I am new to Wireshark, so I am not really sure how to set up a filter that will definitively return the same packets, but at the time of this writing, I used `tcp && ip.addr == 3.20.60.32` because

```
$ dig primer.picoctf.org A

; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> primer.picoctf.org A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51146
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;primer.picoctf.org.		IN	A

;; ANSWER SECTION:
primer.picoctf.org.	136	IN	A	3.20.60.32

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Oct 30 05:06:13 EDT 2025
;; MSG SIZE  rcvd: 63
```

The form submission is encrypted using TLSv1.3, so no credentials are shown in plaintext in any of the captures.
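The issue above boils down to what a Wireshark `http` display filter can and cannot see: once the browser follows the 307 to an `https://` URL, the sign-in form travels inside TLS records, which the HTTP dissector does not decode. The script below is an added illustration, not code from the picoCTF primer or from the issue author. It classifies raw TCP payloads as plaintext HTTP request, HTTP response, TLS record or other, pulls the `Location` header out of a 3xx response, reads the TLS record header, and reports only the field names of any login form visible in cleartext. All sample payloads are constructed here; the redirect target `https://example.test/sign_in.php` is a placeholder, since the issue elides the real one.

```python
"""Classify TCP payloads to show why an "http" filter misses HTTPS traffic.

Added example, not part of the picoCTF primer. Sample payloads below are
constructed; nothing here was captured from the real site.
"""
import re
from urllib.parse import parse_qs

# HTTP/1.x request line and status line (RFC 9112 grammar, simplified).
_REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})[^\r\n]*\r\n")

# TLS record content types (RFC 8446 section 5.1).
_TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                      22: "handshake", 23: "application_data"}


def classify_payload(payload):
    """Return "http-request", "http-response", "tls" or "other".

    Wireshark's "http" dissector only fires for the first two; a TLS record
    carries HTTPS traffic but is not HTTP text.
    """
    if _REQUEST_LINE.match(payload):
        return "http-request"
    if _STATUS_LINE.match(payload):
        return "http-response"
    # TLS record header: content type, legacy version 0x03 0x00-0x04, 2-byte length.
    if (len(payload) >= 5 and payload[0] in _TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"
    return "other"


def parse_http_headers(payload):
    """Parse an HTTP/1.x header block into a dict with lower-cased names."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def redirect_target(payload):
    """For a 3xx HTTP/1.x response return the Location header, else None."""
    m = _STATUS_LINE.match(payload)
    if m is None or not m.group(1).startswith(b"3"):
        return None
    return parse_http_headers(payload).get("location")


def tls_record_info(payload):
    """Return (content type name, record length) for a TLS record, else None."""
    if classify_payload(payload) != "tls":
        return None
    return _TLS_CONTENT_TYPES[payload[0]], int.from_bytes(payload[3:5], "big")


def plaintext_form_fields(payload):
    """Names of form fields visible in cleartext in an HTTP request body.

    Only names are returned, never values: the purpose is to confirm whether
    a capture exposes a login form at all. TLS payloads always yield [].
    """
    if classify_payload(payload) != "http-request":
        return []
    ctype = parse_http_headers(payload).get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    _, _, body = payload.partition(b"\r\n\r\n")
    return sorted(parse_qs(body.decode("latin-1")).keys())


# Constructed sample payloads (not captured from the real site).
SAMPLE_GET = (b"GET /vuln/web/sign_in.php HTTP/1.1\r\n"
              b"Host: primer.picoctf.org\r\n"
              b"Upgrade-Insecure-Requests: 1\r\n\r\n")
SAMPLE_307 = (b"HTTP/1.1 307 Temporary Redirect\r\n"
              b"Location: https://example.test/sign_in.php\r\n"  # placeholder target
              b"Content-Length: 0\r\n\r\n")
SAMPLE_POST = (b"POST /sign_in.php HTTP/1.1\r\n"
               b"Host: example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 30\r\n\r\n"
               b"username=alice&password=secret")
# TLS handshake record header (type 22, legacy version 3.1, length 5) plus a stub body.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])

if __name__ == "__main__":
    for label, p in [("GET", SAMPLE_GET), ("307", SAMPLE_307),
                     ("POST", SAMPLE_POST), ("TLS", SAMPLE_TLS)]:
        print(label, classify_payload(p), redirect_target(p),
              tls_record_info(p), plaintext_form_fields(p))
```

Run against the constructed samples, only the plaintext POST yields form field names; the TLS record is classified by its 5-byte header alone, which is exactly the situation in which a `tcp && ip.addr == ...` filter still shows packets while `http` shows none.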