Hackathon 24 Prequalifiers: Forensics Challenge “hacked” First blood Team deathstrik3

CyberJunnkie
Oct 13, 2024


We are provided with a network capture. I start by looking at the statistics to see which endpoints have the most network packets. Compromised machines tend to generate a larger volume of traffic, so they stand out from the rest of the hosts in the network.

Go to Statistics -> Endpoints -> IPv4 and sort the IPs by packet count.

We spot this internal IP address. Now filter the traffic for this IP address with the following filter:

ip.addr==192.168.100.137

Now let's see which files are involved in the network streams related to this suspicious IP address.

Go to File -> Export Objects -> HTTP

Here we spot a lot of traffic to an odd-looking domain, dream.cc, where "cc" may stand for Command & Control.

From the looks of it, one file stands out: it is requested many times and tries to remain stealthy by having "gif" appended to its name.

Now we craft the following filter, which leaves us with only the relevant traffic:

ip.addr==192.168.100.137 && http.request.method==POST

Now we look at the payload in the packet details of these streams.

Here we understand that the file takes a base64-encoded payload, which is passed to the base64_decode function and then to the eval function for remote code execution.

The flag is split into two parts. To find the first part, go to packet number 1693 and copy the value of the "value" variable.

From the looks of it, this is hex. All the rest of the obfuscation is base64; only this value is hex. Copy the hex value and decode it in CyberChef.

From the file header, we can see it is a PNG file. Simply click Download and open the PNG.

Moving on to the next part, take a look at packet number 1718.

Decode the value of the "value" variable and you will get command-line data.

This pattern matches that of the first flag. Putting the two parts together gives us the final flag:

flag{7b57b8c1-88d4-5267-9907-2581d7fbc3ad}
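The manual CyberChef steps above (spotting the one hex value among base64 ones, recognising the PNG header, recovering the command-line data) can be repeated over every POST body in bulk. The following is an added example, not part of the original writeup; it works on form-encoded bodies that you have already exported from Wireshark, and the three sample bodies are constructed here rather than taken from the challenge capture.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

# Constructed sample POST bodies (not from the capture):
# 1: base64 payload carrying PHP destined for the base64_decode()/eval() sink
# 2: the single hex-encoded value, decoding to a PNG (magic bytes + IHDR chunk)
# 3: base64 payload that decodes to command-line data
SAMPLE_BODIES = [
    "value=" + quote(base64.b64encode(b"eval(base64_decode('aWQ7IGxz'));").decode(), safe=""),
    "value=" + binascii.hexlify(PNG_MAGIC + b"\x00\x00\x00\rIHDR").decode(),
    "value=" + quote(base64.b64encode(b"cmd.exe /c dir C:\\Users").decode(), safe=""),
]

def decode_value(raw: str) -> tuple[str, bytes]:
    """Decode one 'value' field: hex if it looks like hex (as in the writeup), else base64."""
    if HEX_RE.match(raw):
        return "hex", bytes.fromhex(raw)
    raw = raw.replace(" ", "+")                 # '+' a client left URL-unencoded
    padded = raw + "=" * (-len(raw) % 4)        # restore stripped padding
    return "base64", base64.b64decode(padded, validate=True)

def classify(data: bytes) -> str:
    """Label decoded bytes by what a responder would look for first."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if b"eval(" in data or b"<?php" in data:
        return "php-code"
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text"
    return "binary"

def triage(body: str) -> list[dict]:
    """Parse a form-encoded POST body and decode/classify every 'value' field."""
    findings = []
    for raw in parse_qs(body).get("value", []):
        try:
            enc, data = decode_value(raw)
        except (ValueError, binascii.Error):
            findings.append({"encoding": "unknown", "kind": "undecodable", "data": b""})
            continue
        findings.append({"encoding": enc, "kind": classify(data), "data": data})
    return findings
```

Run `triage()` over each exported body; the "png" finding is the one to save to disk, while "text" and "php-code" findings show the commands and staged code the operator sent.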

CyberJunnkie

Defensive Content Engineer @HackTheBox 🖥️ 🐱‍💻