# Data Siege

{% file src="/files/pNgtRDDxqDwRKjVwkA8R" %}

### <mark style="color:blue;">Challenge Description :</mark>&#x20;

```
"It was a tranquil night in the Phreaks headquarters, when the entire district erupted in chaos. Unknown assailants, rumored to be a rogue foreign faction, have infiltrated the city's messaging system and critical infrastructure. Garbled transmissions crackle through the airwaves, spewing misinformation and disrupting communication channels. We need to understand which data has been obtained from this attack to reclaim control of the communication backbone. Note: the flag is split into three parts."
```

Opening the pcap in Wireshark and going to **Statistics -> Protocol Hierarchy** shows HTTP traffic and raw TCP data, so let's filter on those two for now.

<div align="left"><figure><img src="https://i.postimg.cc/wMPtPLDm/image.png" alt=""><figcaption></figcaption></figure></div>

Right-click the first packet and choose **Follow -> TCP Stream**: the stream contains a series of base64 strings and, at the very end, a base64-encoded PowerShell command.

<div align="left"><figure><img src="https://i.postimg.cc/QCjSCLzb/image.png" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:red;">Third Part of The Flag :</mark>

Decoding that PowerShell blob in CyberChef gives us the third part of the flag.

<div align="left"><figure><img src="https://i.postimg.cc/0jdkGScv/image.png" alt=""><figcaption></figcaption></figure></div>

Now let's filter on the HTTP protocol.

<div align="left"><figure><img src="https://i.postimg.cc/nVkfknnn/image.png" alt=""><figcaption></figcaption></figure></div>

We have two endpoints. The first one delivers a PowerShell command that fetches `/aQ4caZ.exe` from the remote server.

<div align="left"><figure><img src="https://i.postimg.cc/gjc556Gm/image.png" alt=""><figcaption></figcaption></figure></div>

The response for `/aQ4caZ.exe` is the binary itself: it starts with `MZ`, the magic bytes of a Windows executable (the DOS header of a PE file).

<div align="left"><figure><img src="https://i.postimg.cc/FHbyfCjC/image.png" alt=""><figcaption></figcaption></figure></div>

Let's export the executable: go to **File -> Export Objects -> HTTP**.

<div align="left"><figure><img src="https://i.postimg.cc/wTX2JBzk/image.png" alt=""><figcaption></figcaption></figure></div>

Checking the exported file with `Detect It Easy` shows that it is a `32-bit .NET executable`, so let's decompile it with `dnSpy`.

Looking at the methods, two of them stand out: `Encrypt` and `Decrypt`.

<div align="left"><figure><img src="https://i.postimg.cc/7L2fG58H/image.png" alt=""><figcaption></figcaption></figure></div>

Since we have a pcap and a malware sample that encrypts its traffic, the base64 strings we saw earlier in the TCP stream must be that encrypted C2 traffic, and we have to decrypt it.

<div align="left"><figure><img src="https://i.postimg.cc/SNnqNwpq/image.png" alt=""><figcaption></figcaption></figure></div>

Analyzing the `Decrypt` function we see that `encryptKey` comes from a constant, i.e. the encryption key is hard-coded in the binary, so we can recover it.

<div align="left"><figure><img src="https://i.postimg.cc/bv6BKwFh/image.png" alt=""><figcaption></figcaption></figure></div>

Double-clicking `EncryptKey` takes us here:

<div align="left"><figure><img src="https://i.postimg.cc/k5hTThBM/image.png" alt=""><figcaption></figcaption></figure></div>

and double-clicking `_encryptKey` gives us the value:

<div align="left"><figure><img src="https://i.postimg.cc/ncZGGt0Y/image.png" alt=""><figcaption></figcaption></figure></div>

#### <mark style="color:purple;">Encryption Key :</mark>

```
VYAemVeO3zUDTL6N62kVA
```

Now let's use the decompiled `Decrypt` C# function together with the recovered key to decrypt the traffic. Two details matter when reproducing it: the salt byte array decodes to the string `Very_S3cr3t_S`, and the two-argument `Rfc2898DeriveBytes` constructor defaults to 1000 iterations of PBKDF2-HMAC-SHA1, with `GetBytes(32)` and `GetBytes(16)` returning consecutive bytes of the derived stream (key first, then IV).

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

class Program
{
    static void Main(string[] args)
    {
        // One base64 blob copied from the TCP stream: pass it as the first argument
        // or paste it into the string literal.
        string ciphertext = args.Length > 0 ? args[0] : "";

        string decryptedText = Decrypt(ciphertext);
        Console.WriteLine("Decrypted Text: " + decryptedText);
    }

    // Decrypt() as decompiled from aQ4caZ.exe with dnSpy, unchanged apart from the comments.
    public static string Decrypt(string cipherText)
    {
        string text;
        try
        {
            string encryptKey = Constantes.EncryptKey;
            byte[] array = Convert.FromBase64String(cipherText);
            using (Aes aes = Aes.Create())
            {
                // PBKDF2 over the hard-coded key with the salt "Very_S3cr3t_S" (the bytes below).
                // The two-argument constructor defaults to 1000 iterations of HMAC-SHA1.
                Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(encryptKey, new byte[]
                {
                    86, 101, 114, 121, 95, 83, 51, 99, 114, 51, 116, 95, 83
                });
                // Consecutive GetBytes() calls read consecutive bytes of the derived stream:
                // key = bytes 0..31, IV = bytes 32..47. Aes.Create() defaults to CBC with PKCS7 padding.
                aes.Key = rfc2898DeriveBytes.GetBytes(32);
                aes.IV = rfc2898DeriveBytes.GetBytes(16);
                using (MemoryStream memoryStream = new MemoryStream())
                {
                    using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Write))
                    {
                        cryptoStream.Write(array, 0, array.Length);
                        cryptoStream.Close();
                    }
                    cipherText = Encoding.Default.GetString(memoryStream.ToArray());
                }
            }
            text = cipherText;
        }
        catch (Exception ex)
        {
            // A wrong key, or a blob that was never encrypted, usually ends up here as a padding error.
            Console.WriteLine(ex.Message);
            Console.WriteLine("Cipher Text: " + cipherText);
            text = "error";
        }
        return text;
    }
}

// The constant the decompiled code references, filled with the key recovered above.
public static class Constantes
{
    public const string EncryptKey = "VYAemVeO3zUDTL6N62kVA";
}
```

You can run this in any online C# compiler.
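As an added example (not part of the original writeup and not the malware's own code), here is the same routine re-implemented in Python so the whole TCP stream can be decrypted in one pass instead of pasting blobs one at a time. The passphrase and salt are the values recovered above; `hashlib.pbkdf2_hmac` reproduces what `Rfc2898DeriveBytes` does (1000 iterations of HMAC-SHA1, key and IV taken as consecutive bytes of one 48-byte derivation), and the AES step assumes either pycryptodome or the `cryptography` package is installed. The base64 PowerShell string at the top is constructed for the demo, not taken from the pcap.

```python
"""Bulk-decrypt the C2 stream with the routine recovered from aQ4caZ.exe (added example)."""
from __future__ import annotations

import base64
import binascii
import hashlib
import re

# Recovered from the binary in dnSpy: the hard-coded passphrase and the PBKDF2 salt
# (the decompiled byte array {86, 101, 114, ...} spells out "Very_S3cr3t_S").
ENCRYPT_KEY = "VYAemVeO3zUDTL6N62kVA"
SALT = bytes([86, 101, 114, 121, 95, 83, 51, 99, 114, 51, 116, 95, 83])
# Rfc2898DeriveBytes(password, salt) defaults to 1000 iterations of HMAC-SHA1 over the UTF-8 password.
PBKDF2_ITERATIONS = 1000

# Constructed sample input (not from the pcap): a PowerShell one-liner encoded the way
# -EncodedCommand expects it (UTF-16LE), to exercise the plain-base64 fallback below.
SAMPLE_PS_B64 = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode("ascii")


def derive_key_iv(passphrase: str = ENCRYPT_KEY, salt: bytes = SALT) -> tuple[bytes, bytes]:
    """Mirror GetBytes(32) then GetBytes(16): consecutive calls read consecutive bytes of the
    PBKDF2 stream, so key = bytes 0..31 and IV = bytes 32..47 of one 48-byte derivation. A
    separate 16-byte derivation would only repeat the first 16 bytes of the key (wrong IV)."""
    stream = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=48)
    return stream[:32], stream[32:48]


def _aes_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Raw AES-256-CBC decryption without unpadding; needs pycryptodome or cryptography."""
    try:
        from Crypto.Cipher import AES  # pycryptodome
        return AES.new(key, AES.MODE_CBC, iv=iv).decrypt(data)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()


def pkcs7_unpad(block: bytes) -> bytes | None:
    """Strip PKCS#7 padding (the .NET Aes default); None if the padding is invalid."""
    if not block or len(block) % 16:
        return None
    n = block[-1]
    if not 1 <= n <= 16 or block[-n:] != bytes([n]) * n:
        return None
    return block[:-n]


def decrypt_blob(b64_blob: str, passphrase: str = ENCRYPT_KEY) -> str | None:
    """Decrypt one blob; None if it is not AES-CBC output under this key. A wrong key, or a
    blob that was never encrypted (like the plain base64 PowerShell at the end of the
    stream), almost always shows up as bad padding, which is what triggers the fallback."""
    try:
        data = base64.b64decode(b64_blob, validate=True)
    except binascii.Error:
        return None
    if not data or len(data) % 16:
        return None
    key, iv = derive_key_iv(passphrase)
    plaintext = pkcs7_unpad(_aes_cbc_decrypt(key, iv, data))
    # The sample decodes with Encoding.Default; UTF-8 is right for the ASCII flag fragments.
    return None if plaintext is None else plaintext.decode("utf-8", errors="replace")


def looks_like_utf16le(data: bytes) -> bool:
    """Heuristic: even length and every high byte zero, as in an ASCII-only UTF-16LE string."""
    return len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2])


def decode_plain_b64(b64_blob: str) -> str | None:
    """Decode an unencrypted blob; PowerShell -EncodedCommand payloads are UTF-16LE."""
    try:
        data = base64.b64decode(b64_blob, validate=True)
    except binascii.Error:
        return None
    return data.decode("utf-16-le") if looks_like_utf16le(data) else data.decode("utf-8", errors="replace")


def extract_b64_blobs(stream_text: str) -> list[str]:
    """Pull base64-looking runs out of text saved from Wireshark's Follow TCP Stream."""
    return re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", stream_text)


def triage_stream(blobs: list[str], passphrase: str = ENCRYPT_KEY) -> list[tuple[str, str]]:
    """Label each blob 'aes' (decrypted under the recovered key) or 'plain' (base64 only)."""
    result = []
    for blob in blobs:
        text = decrypt_blob(blob, passphrase)
        result.append(("aes", text) if text is not None else ("plain", decode_plain_b64(blob) or blob))
    return result


if __name__ == "__main__":
    # Replace the constructed sample with the stream text saved from Wireshark.
    for kind, text in triage_stream(extract_b64_blobs("junk\n" + SAMPLE_PS_B64 + "\nmore")):
        print(f"[{kind}] {text}")
```

Save the Follow TCP Stream output to a file and feed its contents to `triage_stream(extract_b64_blobs(text))`: blobs that decrypt to valid padding are the C2 messages, and anything else is reported as plain base64, which is how the unencrypted PowerShell at the end of the stream shows up. If every blob comes back as garbage, check the key/IV split first: deriving the IV as a separate 16-byte PBKDF2 call silently reproduces the first 16 bytes of the key instead of bytes 32..47.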

### <mark style="color:red;">First Part of The Flag :</mark>

Decrypting this base64 blob yields the first part of the flag:


<div align="left"><figure><img src="https://i.postimg.cc/qR3WydjH/image.png" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:red;">Second Part of The Flag :</mark>

Decrypting this base64 blob yields the second part of the flag:

```
zVmhuROwQw02oztmJNCvd2v8wXTNUWmU3zkKDpUBqUON+hKOocQYLG0pOhERLdHDS+yw3KU6RD9Y4LDBjgKeQnjml4XQMYhl6AFyjBOJpA4UEo2fALsqvbU4Doyb/gtg
```

<div align="left"><figure><img src="https://i.postimg.cc/NFWhZjFM/image.png" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:red;">Flag :</mark>

```
HTB{c0mmun1c4710n5_h45_b33n_r3570r3d_1n_7h3_h34dqu4r73r5}
```

