Luciafer might have just bit off more than she can chew! She has encountered an adversary that is counter-attacking her system!
Luciafer's Lytton Labs adversary executed a command to attain persistence on her computer. This command will allow the adversary to regain a connection to her computer again later, even if she reboots it.
What is the packet number where this command is executed. For example:
Use the PCAP file from Monstrum ex Machina.
We sort of stumbled upon this solution while completing the A Warning challenge. When searching the PCAP for the string "you have been warned" the first result is for packet #160789. When following that TCP stream (#73228) we observed the command
whoami being executed. From there we simply decremented the stream# and reviewed the activity in each stream. In stream #73225 we identified a
cron job being created:
sudo /bin/bash -c "echo '*/5 * * * * root /usr/bin/ll-connect.bin' > /etc/cron.d/da-ll-backup-job"
It was then a simple task of identifying the specific packet in the stream by changing the search term to "cron".
The accepted flag was,