An Evil Christmas Carol 2


What is the domain used by the post-infection traffic over HTTPS?

Use the file from An Evil Christmas Carol.


I had already analyzed the PCAP with Zeek in the previous challenge, An Evil Christmas Carol 1, so this was a simple task of reviewing the events in the ssl.log. After filtering out a handful of sessions to Microsoft domains I was left with 14 sessions to the same domain:

$ grep -vi microsoft ssl.log | egrep -v "^#"

1595634801.339610	Cn3A9J3XsuEPyebMb4	49697	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	x25519	F	-	-	T	FjRzIw3C1jS9SYTy5	(empty)	CN=*,OU=1,O=1,L=1,ST=1,C=XX	CN=*,OU=1,O=1,L=1,ST=1,C=XX	-	-

The complete flag was: flag{}
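The grep-based triage above works, but it relies on column positions and matches "microsoft" anywhere in the record. As an added example that is not part of the original writeup, here is a small Python script that parses a Zeek ssl.log by its `#fields` header, drops Microsoft sessions by SNI or issuer, and counts what remains per server name, flagging certificates whose subject equals their issuer (self-signed, as with the `CN=*` certificate in the log line above). The embedded log is constructed for the example; its IPs, uids and the `evil.example` domain are placeholders, not values from the challenge PCAP.

```python
"""Summarise Zeek ssl.log sessions per server name (added example, not from the writeup)."""
from collections import Counter

# Constructed sample ssl.log (Zeek 3.x layout). Placeholder IPs/uids/domain, not challenge data.
SAMPLE_SSL_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tcurve\tserver_name\tresumed\tlast_alert\tnext_protocol\testablished\tcert_chain_fuids\tclient_cert_chain_fuids\tsubject\tissuer\tclient_subject\tclient_issuer
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tbool\tstring\tstring\tbool\tvector[string]\tvector[string]\tstring\tstring\tstring\tstring
1595634801.339610\tCuid1\t10.0.0.5\t49697\t203.0.113.10\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\tx25519\tevil.example\tF\t-\t-\tT\tFuid1\t(empty)\tCN=*,OU=1,O=1,L=1,ST=1,C=XX\tCN=*,OU=1,O=1,L=1,ST=1,C=XX\t-\t-
1595634802.100000\tCuid2\t10.0.0.5\t49698\t203.0.113.10\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\tx25519\tevil.example\tF\t-\t-\tT\tFuid1\t(empty)\tCN=*,OU=1,O=1,L=1,ST=1,C=XX\tCN=*,OU=1,O=1,L=1,ST=1,C=XX\t-\t-
1595634803.200000\tCuid3\t10.0.0.5\t49699\t13.107.4.50\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\tx25519\tsettings-win.data.microsoft.com\tF\t-\t-\tT\tFuid2\t(empty)\tCN=settings-win.data.microsoft.com\tCN=Microsoft RSA TLS CA 01,O=Microsoft Corporation,C=US\t-\t-
1595634804.300000\tCuid4\t10.0.0.5\t49700\t203.0.113.10\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\tx25519\t-\tF\t-\t-\tT\tFuid1\t(empty)\tCN=*,OU=1,O=1,L=1,ST=1,C=XX\tCN=*,OU=1,O=1,L=1,ST=1,C=XX\t-\t-
#close\t2020-07-25-00-00-00
"""


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the column names in the '#fields' header.

    Unset fields ('-') become None and empty fields ('(empty)') become "", so callers
    never have to remember Zeek's placeholder strings.
    """
    fields = None
    unset, empty = "-", "(empty)"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue  # other '#' lines (separator, types, path, close) carry no records
        if fields is None:
            raise ValueError("record encountered before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield {name: None if v == unset else ("" if v == empty else v)
               for name, v in zip(fields, values)}


def is_self_signed(rec):
    """A leaf certificate whose subject equals its issuer signed itself; no CA vouched for it."""
    return rec["subject"] is not None and rec["subject"] == rec["issuer"]


def summarise(text, exclude=("microsoft",)):
    """Return (sessions per server, self-signed sessions per server), skipping excluded names.

    Sessions are keyed by SNI; when the client sent none, the certificate subject is
    used instead so the same server is still grouped together.
    """
    counts, self_signed = Counter(), Counter()
    for rec in parse_zeek_log(text):
        haystack = " ".join(filter(None, (rec["server_name"], rec["issuer"]))).lower()
        if any(word in haystack for word in exclude):
            continue
        key = rec["server_name"] or rec["subject"] or "(unknown)"
        counts[key] += 1
        if is_self_signed(rec):
            self_signed[key] += 1
    return counts, self_signed


if __name__ == "__main__":
    totals, selfsigned = summarise(SAMPLE_SSL_LOG)
    for server, n in totals.most_common():
        print(f"{n:3d}  {server}  (self-signed: {selfsigned[server]})")
```

Run it against a real ssl.log by reading the file into `summarise()`. The subject-equals-issuer check is the practical caveat here: a self-signed `CN=*` certificate, as in the writeup's own log line, is a strong pivot for C2 traffic even in sessions where the client sent no SNI at all.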



