An Evil Christmas Carol
Challenge:
A malicious DLL was downloaded over HTTP in this traffic; what was the IP address that delivered this file?
Solution:
For every CTF challenge that involves a PCAP, I start with Zeek for the initial analysis, combined with a custom CTF-focused Zeek script.
$ zeek -Cr HolyNight.pcap ~/Tools/ctf_pcaps.zeek
The challenge description specifically mentions that a DLL was downloaded, so I search pe.log for the session. Zeek writes details to the pe.log when a Portable Executable (PE) file is observed in a session.
$ cat pe.log
1595634497.105721 FO4rkk3q9be4Pvn7Qe I386 1247624866.000000 Windows 2000 WINDOWS_GUI T F F F F T T F F T .text,.rdata,.data,.rsrc,.reloc
Zeek identified a single PE in the PCAP, which can be tied to a session by pivoting into files.log on the file ID (FO4rkk3q9be4Pvn7Qe):
1595634497.105048 FO4rkk3q9be4Pvn7Qe 205.185.125.104 10.0.0.163 CgBbOS1bynReDa7NL HTTP 0 PE application/x-dosexec - 0.853335 - F 404480 404480 0 0 F - - - - - - -
The DLL was served by 205.185.125.104 (the tx_hosts column of the files.log entry), so the flag is flag{205.185.125.104}.
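The pe.log to files.log pivot above, automated as an added example (not code from the writeup or from Zeek). It parses Zeek's tab-separated ASCII logs via their #fields header and joins pe.log's id column to files.log's fuid column; the sample logs are constructed, carry only a subset of the real columns, and reuse the values shown above plus one unrelated HTTP file with placeholder identifiers.

```python
# Constructed sample Zeek logs (tab-separated, with the #fields header Zeek writes).
# Only a subset of the real columns is included; the first files.log row mirrors
# the writeup, the second is a placeholder non-PE download for contrast.
PE_LOG = (
    "#fields\tts\tid\tmachine\tcompile_ts\tos\tsubsystem\n"
    "1595634497.105721\tFO4rkk3q9be4Pvn7Qe\tI386\t1247624866.000000\tWindows 2000\tWINDOWS_GUI\n"
)
FILES_LOG = (
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\tseen_bytes\n"
    "1595634497.105048\tFO4rkk3q9be4Pvn7Qe\t205.185.125.104\t10.0.0.163\tCgBbOS1bynReDa7NL\tHTTP\tapplication/x-dosexec\t404480\n"
    "1595634400.000000\tFplaceholder0001\t198.51.100.7\t10.0.0.163\tCplaceholder0001\tHTTP\ttext/html\t1256\n"
)


def parse_zeek_log(text):
    """Parse Zeek's ASCII TSV log format into a list of dicts keyed by #fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines (#separator, #types, #close, ...)
        elif fields is not None:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def pe_delivery_hosts(pe_log, files_log):
    """Pivot: for each PE in pe.log, find its files.log entry by file ID and return
    (fuid, tx_hosts, conn_uids, source) so the delivering server and session are known."""
    files_by_fuid = {r["fuid"]: r for r in parse_zeek_log(files_log)}
    results = []
    for pe in parse_zeek_log(pe_log):
        f = files_by_fuid.get(pe["id"])
        if f is None:
            continue  # PE without a files.log row: nothing to pivot on
        results.append((pe["id"], f["tx_hosts"], f["conn_uids"], f["source"]))
    return results


if __name__ == "__main__":
    for fuid, tx_host, conn_uid, source in pe_delivery_hosts(PE_LOG, FILES_LOG):
        print(f"{fuid}: delivered by {tx_host} over {source} in connection {conn_uid}")
```

On a real capture, read the files with open() instead of the inline strings; tx_hosts is a set in Zeek and may hold several comma-separated addresses.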