"It was a tranquil night in the Phreaks headquarters, when the entire district erupted in chaos. Unknown assailants, rumored to be a rogue foreign faction, have infiltrated the city's messaging system and critical infrastructure. Garbled transmissions crackle through the airwaves, spewing misinformation and disrupting communication channels. We need to understand which data has been obtained from this attack to reclaim control of the communication backbone. Note: the flag is split in three parts."
Opening the pcap in Wireshark and going to Statistics -> Protocol Hierarchy, we can see HTTP and plain TCP data, so let's filter on those for now.
Now, on the first packet, right click -> Follow -> TCP Stream. We can see a bunch of base64 strings and, at the end, base64-encoded PowerShell code.
Third Part of The Flag:
Let's decode it using CyberChef.
Let's filter by HTTP now.
We have two endpoints. The first one invokes a PowerShell command that fetches /aQ4caZ.exe from the remote server,
and the /aQ4caZ.exe endpoint serves the binary: we can see MZ, the magic bytes of a Windows executable.
Let's export this executable: go to File -> Export Objects -> HTTP.
Viewing the executable in Detect It Easy shows that it's a 32-bit .NET executable, so let's reverse it with dnSpy.
Looking at the functions, we can see two interesting ones: Encrypt and Decrypt.
Since we have a pcap and a malware sample that encrypts, we have encrypted traffic to decrypt, and that traffic is what we saw earlier in the TCP data.
Analyzing the Decrypt function, we can see that the encryptKey it uses is a constant. The encryption key is hard-coded, so we can recover it.
Double-clicking on EncryptKey we get this:
Double-clicking on _encryptKey we get the value.
Encryption Key:
VYAemVeO3zUDTL6N62kVA
Now let's use the C# Decrypt function and the encryption key to decrypt the encrypted traffic.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

class Program
{
    static void Main(string[] args)
    {
        // Paste one base64 string taken from the TCP stream here
        string ciphertext = "";
        // Call Decrypt with the ciphertext variable
        string decryptedText = Decrypt(ciphertext);
        // Print the decrypted text
        Console.WriteLine("Decrypted Text: " + decryptedText);
    }

    // Decrypt function as recovered from the binary with dnSpy
    public static string Decrypt(string cipherText)
    {
        string text;
        try
        {
            string encryptKey = Constantes.EncryptKey;
            byte[] array = Convert.FromBase64String(cipherText);
            // Aes.Create() defaults to CBC mode with PKCS7 padding
            using (Aes aes = Aes.Create())
            {
                // PBKDF2 (HMAC-SHA1, 1000 iterations by default) over the hard-coded key;
                // the salt bytes below are the ASCII string "Very_S3cret_S"
                Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(encryptKey, new byte[]
                {
                    86, 101, 114, 121, 95, 83, 51, 99, 114, 51, 116, 95, 83
                });
                // The two GetBytes calls read one continuous stream: key = bytes 0..31, IV = bytes 32..47
                aes.Key = rfc2898DeriveBytes.GetBytes(32);
                aes.IV = rfc2898DeriveBytes.GetBytes(16);
                using (MemoryStream memoryStream = new MemoryStream())
                {
                    using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Write))
                    {
                        cryptoStream.Write(array, 0, array.Length);
                        cryptoStream.Close();
                    }
                    cipherText = Encoding.Default.GetString(memoryStream.ToArray());
                }
            }
            text = cipherText;
        }
        catch (Exception ex)
        {
            // Any base64, block-length or padding problem ends up here (the empty placeholder above included)
            Console.WriteLine(ex.Message);
            Console.WriteLine("Cipher Text: " + cipherText);
            text = "error";
        }
        return text;
    }
}

// The Constantes class from the binary, holding the recovered key
public static class Constantes
{
    public const string EncryptKey = "VYAemVeO3zUDTL6N62kVA";
}
You can use any online C# compiler.
First Part of The Flag:
Decrypting this base64 part yields the third part of the flag.