The SUM of All FEARS

Challenge:

After hacking a victim's computer, Luciafer downloaded several files, including two binaries with identical names, but with the extensions .exe and .bin (a Windows binary and a Linux binary, respectively).

What are the MD5 hashes of the two tool programs? Submit both hashes as the flag, separated by a |: flag{ExeMD5|BinMD5}

Use the PCAP from LYTTON LABS 01 - Monstrum ex Machina.

Solution:

Using the Zeek output from the previous challenge, along with the challenge clue regarding .exe and .bin file extensions, we searched the Zeek file and ftp log for matching events.

First we pull the uri and resp_fuids fields from the http events and search for either of the file extensions:

$ cat http.log | zeek-cut uri resp_fuids | grep -E "bin|exe"

/secret_decoder.bin	FpKjLR1yS7Jlxq9tYg

And then the arg and fuid fields from the ftp events:

$ cat ftp.log | zeek-cut arg fuid | grep -E "bin|exe"

ftp://192.168.100.103/TOOLS/lytton-crypt.bin	FpoQ6a4TUqadrC9bN7
ftp://192.168.100.103/TOOLS/lytton-crypt.exe	Fz7p9y1wz0VPi1HGud
ftp://192.168.100.103/TOOLS/secret_decoder.bin	Fua3pa22zzkomPTCF8

The challenge stated that the filenames were the same, so the correct program is lytton-crypt. Now we can use the file id to extract the MD5s from Zeek's file log:

$ cat files.log | zeek-cut fuid md5 | grep -E "Fz7p9y1wz0VPi1HGud|FpoQ6a4TUqadrC9bN7"

FpoQ6a4TUqadrC9bN7	4da8e81ee5b08777871e347a6b296953
Fz7p9y1wz0VPi1HGud	9cb9b11484369b95ce35904c691a5b28

The accepted flag was, flag{9cb9b11484369b95ce35904c691a5b28|4da8e81ee5b08777871e347a6b296953}