Data Siege

50KB

capture.pcap

Open

Challenge Description :

"It was a tranquil night in the Phreaks headquarters, when the entire district erupted in chaos. Unknown assailants, rumored to be a rogue foreign faction, have infiltrated the city's messaging system and critical infrastructure. Garbled transmissions crackle through the airwaves, spewing misinformation and disrupting communication channels. We need to understand which data has been obtained from this attack to reclaim control of the and communication backbone. Note: flag is splitted in three parts."

opening the pcap using wireshark and then clicking on statistics -> protocol hierarchy we can see http protocol and tcp data so let's filter by this for now

now on the first packet right click follow tcp stream and we can see a bunch of base64 strings and finally base64 encoded powrshell code

Third Part of The Flag :

let's decode it using cyberchef

let's filter by http protocol now

we have two endpoints, the first endpoint invokes powershell command to hit the endpoint /aQ4caZ.exe in the remote server

and the endpoint /aQ4caZ.exe is downloading the binary since we can see MZ which is the magic bytes of an executable

let's export this executable. go to File -> Export Objects -> HTTP

viewing the executable using detect it easy program we can see that it's 32 bit .Net executable so let's reverse it using dnSpy

looking at the functions we can see 2 interesting functions which are encrypt and decrypt

since we have a pcap file and malware that encrypts that means that we have encrypted traffic that we have to decrypt and this traffic is what we have saw previously on tcp data

analyzing the Decrypt function we can see that the encryptKey used is a constant that means that the encryption key is hard coded so we can recover it

double click on the EncryptKey we get this

double clicking on _encryptKey we get the value

Encryption Key :

VYAemVeO3zUDTL6N62kVA

now let's use the decrypt c# function and the encryption key to decrypt the encrypted traffic

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

class Program
{
    static void Main(string[] args)
    {
        // Example ciphertext
        string ciphertext = "";

        // Call Decrypt function with the ciphertext variable
        string decryptedText = Decrypt(ciphertext);

        // Print the decrypted text
        Console.WriteLine("Decrypted Text: " + decryptedText);
    }

    // Your Decrypt function
    public static string Decrypt(string cipherText)
    {
        string text;
        try
        {
            string encryptKey = Constantes.EncryptKey;
            byte[] array = Convert.FromBase64String(cipherText);
            using (Aes aes = Aes.Create())
            {
                Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(encryptKey, new byte[]
                {
                    86, 101, 114, 121, 95, 83, 51, 99, 114, 51, 116, 95, 83
                });
                aes.Key = rfc2898DeriveBytes.GetBytes(32);
                aes.IV = rfc2898DeriveBytes.GetBytes(16);
                using (MemoryStream memoryStream = new MemoryStream())
                {
                    using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Write))
                    {
                        cryptoStream.Write(array, 0, array.Length);
                        cryptoStream.Close();
                    }
                    cipherText = Encoding.Default.GetString(memoryStream.ToArray());
                }
            }
            text = cipherText;
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
            Console.WriteLine("Cipher Text: " + cipherText);
            text = "error";
        }
        return text;
    }
}

// You may need to define the Constantes class with the EncryptKey field if it's not defined elsewhere
public static class Constantes
{
    public const string EncryptKey = "VYAemVeO3zUDTL6N62kVA";
}

you can use any online c# compiler

First Part of The Flag :

decrypting this base64 part yeilds the third part of the flag

ZKlcDuS6syl4/w1JGgzkYxeaGTSooLkoI62mUeJh4hZgRRytOHq8obQ7o133pBW7BilbKoUuKeTvXi/2fmd4v+gOO/E6A0DGMWiW2+XZ+lkDa97VsbxXAwm0zhunRyBXHuo8TFbQ3wFkFtA3SBFDe+LRYQFB/Kzk/HX/EomfOj2aDYRGYBCHiGS70BiIC/gyNOW6m0xTu1oZx90SCoFel95v+vi8I8rQ1N6Dy/GPMuhcSWAJ8M9Q2N7fVEz92HWYoi8K5Zvge/7REg/5GKT4pu7KnnFCKNrTp9AqUoPuHm0cWy9J6ZxqwuOXTR8LzbwbmXohANtTGso6Dqbih7aai57uVAktF3/uK5nN7EgMSC0ZsUclzPZjm0r4ITE2HtBrRXJ78cUfIbxd+dIDBGts7IuDfjr0qyXuuzw+5o8pvKkTemvTcNXzNQbSWj+5tTxxly0Kgxi5MVT0ecyJfNfdZG0slqYHKaqJCZm6ShfvGRFsglKmenBB274sBdkVqIRtodB8dD1AM1ZQQX1MBMGDeCwFqc+ahch0x375U6Ekmvf2fzCZ/IaHOHBc8p5se1oNMRbIqcJaundh5cuYL/h8p/NPVTK9veu3Qihy310wkjg=

Second Part of The Flag :

decrypting this base64 part yeilds the second part of the flag

zVmhuROwQw02oztmJNCvd2v8wXTNUWmU3zkKDpUBqUON+hKOocQYLG0pOhERLdHDS+yw3KU6RD9Y4LDBjgKeQnjml4XQMYhl6AFyjBOJpA4UEo2fALsqvbU4Doyb/gtg

Flag :

HTB{c0mmun1c4710n5_h45_b33n_r3570r3d_1n_7h3_h34dqu4r73r5}