Evil Corp's Child 1
Challenge:
What is the MD5 hash of the Windows executable file?
NOTE: If you extract any files within this challenge, please delete the file after you have completed the challenge.
Solution:
I begin all CTF challenges involving a PCAP by running Zeek, with a custom CTF-focused script, for initial analysis.
$ /opt/zeek/bin/zeek -Cr ECorp.pcap ~/Tools/ctf_pcaps.zeek
The challenge description states that I should be looking for a file, so I check to see if any were extracted by Zeek:
$ ls extract_files/
HTTP-1595629994.exe
Only one file was extracted from the PCAP, so I go ahead and calculate its MD5 hash:
$ md5sum extract_files/HTTP-1595629994.exe
a95d24937acb3420ee94493db298b295 extract_files/HTTP-1595629994.exe
The complete flag is flag{a95d24937acb3420ee94493db298b295}.
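A static check that a file carved from a PCAP really is a Windows executable, done alongside hashing and without running the file, as an added example that is not part of the original write-up. The names `triage_pe` and `build_sample` and the sample bytes are constructed for illustration; pass the path of an extracted file as the first argument to check a real one.

```python
import hashlib
import struct

# Subset of IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def triage_pe(data: bytes) -> dict:
    """Statically check for a PE image and hash it; the bytes are never executed."""
    result = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": False,
        "machine": None,
        "reason": "",
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        result["reason"] = "no DOS header (MZ magic missing or file too short)"
        return result
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data):
        result["reason"] = "e_lfanew points past end of file (truncated carve?)"
        return result
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        result["reason"] = "MZ present but PE signature missing"
        return result
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    result["is_pe"] = True
    result["machine"] = MACHINES.get(machine, hex(machine))
    return result


def build_sample() -> bytes:
    """Constructed 0x80-byte stub: DOS header, PE signature, Machine = x64."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", buf, 0x44, 0x8664)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    # With a path argument, triage that file; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage_pe(data).items():
        print(f"{key}: {value}")
```

A carve that stops short of the full transfer can still begin with `MZ`, so the reported size and the hash are only meaningful once the whole HTTP body was captured.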