A malicious dll was downloaded over http in this traffic, what was the ip address that delivered this file?
With all CTF challenges involving a PCAP I utilize Zeek for initial analysis in combination with a custom CTF-focused Zeek script.
$ zeek -Cr HolyNight.pcap ~/Tools/ctf_pcaps.zeek
The challenge description specifically mentions that a DLL was downloaded, so I search pe.log for the session. Zeek writes details to the pe.log when a Portable Executable (PE) file is observed in a session.
$ cat pe.log 1595634497.105721 FO4rkk3q9be4Pvn7Qe I386 1247624866.000000 Windows 2000 WINDOWS_GUI T F F F F T T F F T .text,.rdata,.data,.rsrc,.reloc
Zeek identified a single PE in the PCAP which can be tied to a session by pivoting to the files.log with the file ID, FO4rkk3q9be4Pvn7Qe:
1595634497.105048 FO4rkk3q9be4Pvn7Qe 126.96.36.199 10.0.0.163 CgBbOS1bynReDa7NL HTTP 0 PE application/x-dosexec - 0.853335 - F 404480404480 0 0 F - - - - - - -
The DLL was downloaded from 188.8.131.52, resulting in a complete flag of,