After hacking a victim's computer, Luciafer downloaded several files, including two binaries with identical names, but with the extensions .exe and .bin (a Windows binary and a Linux binary, respectively).
What are the MD5 hashes of the two tool programs? Submit both hashes as the flag, separated by a
Use the PCAP from LYTTON LABS 01 - Monstrum ex Machina.
Using the Zeek output from the previous challenge, along with the challenge clue about the .exe and .bin file extensions, we searched the Zeek http, ftp and files logs for matching events.
First we pull the uri and resp_fuids fields from the http events and search for either file extension:

$ cat http.log | zeek-cut uri resp_fuids | grep -E "bin|exe"
/secret_decoder.bin    FpKjLR1yS7Jlxq9tYg
And then the arg and fuid fields from the ftp events:

$ cat ftp.log | zeek-cut arg fuid | grep -E "bin|exe"
ftp://192.168.100.103/TOOLS/lytton-crypt.bin    FpoQ6a4TUqadrC9bN7
ftp://192.168.100.103/TOOLS/lytton-crypt.exe    Fz7p9y1wz0VPi1HGud
ftp://192.168.100.103/TOOLS/secret_decoder.bin    Fua3pa22zzkomPTCF8
The challenge stated that the filenames were the same, and lytton-crypt is the only name seen with both a .bin and a .exe (secret_decoder has no .exe counterpart), so the correct program is lytton-crypt. Note that the unanchored "bin|exe" pattern also matches paths such as /cgi-bin/; with only a handful of hits here that is harmless, but on a larger capture anchor it as "\.(bin|exe)$". Now we can use the two file IDs to pull the MD5s from Zeek's files log (the md5 column is only populated when Zeek is run with the policy/frameworks/files/hash-all-files script loaded):

$ cat files.log | zeek-cut fuid md5 | grep -E "Fz7p9y1wz0VPi1HGud|FpoQ6a4TUqadrC9bN7"
FpoQ6a4TUqadrC9bN7    4da8e81ee5b08777871e347a6b296953
Fz7p9y1wz0VPi1HGud    9cb9b11484369b95ce35904c691a5b28
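The same three-step search (find .bin/.exe transfers in http.log and ftp.log, keep only names that appear with both extensions, join the file IDs against files.log for the MD5) can be done in one script instead of by eye. The following is an added example, not part of the original writeup: it parses Zeek's TSV layout directly from the #fields header, anchors the extension match so that paths like /cgi-bin/ no longer produce false hits, and tolerates "-" (unset) values. The log excerpts are constructed for the example; the filenames, fuids and MD5s are the ones shown above, while the /cgi-bin/status row, the timestamps and the missing-hash row are invented.

```python
import re
from collections import defaultdict
from posixpath import basename, splitext

# Constructed Zeek logs in the on-disk TSV layout, cut down to the columns
# this example reads. Filenames, fuids and MD5s come from the writeup; the
# /cgi-bin/status row, the timestamps and the "-" values are invented.
HTTP_LOG = (
    "#separator \\x09\n"
    "#fields\tts\turi\tresp_fuids\n"
    "#types\ttime\tstring\tvector[string]\n"
    "1.0\t/cgi-bin/status\t-\n"                      # 'bin' substring, not a .bin file
    "2.0\t/secret_decoder.bin\tFpKjLR1yS7Jlxq9tYg\n"
)
FTP_LOG = (
    "#fields\tts\targ\tfuid\n"
    "#types\ttime\tstring\tstring\n"
    "3.0\tftp://192.168.100.103/TOOLS/lytton-crypt.bin\tFpoQ6a4TUqadrC9bN7\n"
    "4.0\tftp://192.168.100.103/TOOLS/lytton-crypt.exe\tFz7p9y1wz0VPi1HGud\n"
    "5.0\tftp://192.168.100.103/TOOLS/secret_decoder.bin\tFua3pa22zzkomPTCF8\n"
)
FILES_LOG = (
    "#fields\tfuid\tmd5\n"
    "#types\tstring\tstring\n"
    "FpoQ6a4TUqadrC9bN7\t4da8e81ee5b08777871e347a6b296953\n"
    "Fz7p9y1wz0VPi1HGud\t9cb9b11484369b95ce35904c691a5b28\n"
    "FpKjLR1yS7Jlxq9tYg\t-\n"                        # hash not recorded (invented)
)

# Anchored, unlike grep -E "bin|exe": only names that end in .bin or .exe.
TOOL_NAME = re.compile(r"\.(bin|exe)$", re.IGNORECASE)


def parse_zeek_log(text):
    """Parse a Zeek TSV log into row dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def tool_transfers(http_rows, ftp_rows):
    """Yield (filename, fuid) for every .bin/.exe transfer in http.log and ftp.log."""
    for row in http_rows:
        name = basename(row["uri"])
        if TOOL_NAME.search(name) and row["resp_fuids"] != "-":
            for fuid in row["resp_fuids"].split(","):    # resp_fuids is a vector
                yield name, fuid
    for row in ftp_rows:
        name = basename(row["arg"])     # for RETR, arg is the full ftp:// URL
        if TOOL_NAME.search(name) and row["fuid"] != "-":
            yield name, row["fuid"]


def paired_tools(transfers):
    """Group fuids by name stem; keep only stems seen with both .bin and .exe."""
    by_stem = defaultdict(lambda: defaultdict(set))
    for name, fuid in transfers:
        stem, ext = splitext(name)
        by_stem[stem][ext.lower()].add(fuid)
    return {stem: exts for stem, exts in by_stem.items()
            if {".bin", ".exe"} <= set(exts)}


def md5_by_fuid(files_rows):
    """fuid -> md5 from files.log, skipping rows where no hash was recorded."""
    return {r["fuid"]: r["md5"] for r in files_rows if r["md5"] != "-"}


def solve(http_log=HTTP_LOG, ftp_log=FTP_LOG, files_log=FILES_LOG):
    """Return {stem: {ext: {fuid: md5 or None}}} for every .bin/.exe pair."""
    pairs = paired_tools(tool_transfers(parse_zeek_log(http_log),
                                        parse_zeek_log(ftp_log)))
    hashes = md5_by_fuid(parse_zeek_log(files_log))
    return {stem: {ext: {fuid: hashes.get(fuid) for fuid in fuids}
                   for ext, fuids in exts.items()}
            for stem, exts in pairs.items()}


if __name__ == "__main__":
    for stem, exts in solve().items():
        for ext, fuids in sorted(exts.items()):
            for fuid, md5 in fuids.items():
                print(f"{stem}{ext}\t{fuid}\t{md5}")
```

Against a real capture, read the three logs from disk and pass their contents to solve(); the parser only relies on the #fields header, so extra columns in a full Zeek log are ignored rather than breaking the join.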
The accepted flag was,