Remotely Administrated Evil

Challenge:

What is the name of the executable in the malicious url? Submit the filename as the flag: flag{virus.bad}.

Solution:

The provided Zip archive contained a packet capture file named RATPack.pcap. I begin all CTF challenges involving a PCAP by running Zeek with a custom, CTF-focused script for the initial analysis.

$ /opt/zeek/bin/zeek -Cr RATPack.pcap ~/Tools/ctf_pcaps.zeek

To determine the filename in the malicious URL, I first check files.log for a connection ID:

$ cat files.log | zeek-cut conn_uids tx_hosts rx_hosts mime_type

Cxxhh718BBgD1SQOjd	45.40.135.135	172.16.1.219	application/x-dosexec

Connection ID “Cxxhh718BBgD1SQOjd” was the only file-related event involving a DOS executable, so I use it to search http.log and identify the HTTP session:

1595623874.820854	Cxxhh718BBgD1SQOjd	172.16.1.219	53227	45.40.135.135	80	1	GET	hodrc.org	/ot/solut.exe	-	1.1	-	-	0	1467736	200	OK	-	-	(empty)	-	-	-	-	-	-	FdRg4S3D9tM3erHqrc	-	application/x-dosexec

From the URL path the filename is identified as solut.exe, making the completed flag flag{solut.exe}.
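The same files.log to http.log pivot, replayed as an added example that is not part of the original writeup. It embeds trimmed Zeek logs that reproduce the page's own records plus one constructed benign request (uid Cconstructed0001, host example.com, IP 192.0.2.10), and parses them from the #fields header rather than relying on fixed column positions.

```python
# Added example (not the post's own code): pivot files.log -> http.log on the conn UID.
# The logs below are constructed; they carry the page's records plus one benign request,
# and the column sets are trimmed compared to real Zeek output.
FILES_LOG = """#separator \\x09
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type
1595623874.820854\tFdRg4S3D9tM3erHqrc\t45.40.135.135\t172.16.1.219\tCxxhh718BBgD1SQOjd\tHTTP\tapplication/x-dosexec
1595623870.000000\tFconstructed0001\t192.0.2.10\t172.16.1.219\tCconstructed0001\tHTTP\ttext/html
"""
HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tstatus_code\tresp_fuids\tresp_mime_types
1595623870.000000\tCconstructed0001\t172.16.1.219\t192.0.2.10\tGET\texample.com\t/index.html\t200\tFconstructed0001\ttext/html
1595623874.820854\tCxxhh718BBgD1SQOjd\t172.16.1.219\t45.40.135.135\tGET\thodrc.org\t/ot/solut.exe\t200\tFdRg4S3D9tM3erHqrc\tapplication/x-dosexec
"""

def parse_zeek_log(text):
    """Turn a Zeek TSV log into dicts keyed by the names in its #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]          # header names follow the keyword
        elif not line or line.startswith("#"):
            continue                                # other metadata lines and blanks
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def executable_downloads(files_log, http_log, mime="application/x-dosexec"):
    """Pivot files.log entries of the given MIME type into http.log via the conn UID."""
    http_by_uid = {r["uid"]: r for r in parse_zeek_log(http_log)}
    hits = []
    for f in parse_zeek_log(files_log):
        if f["mime_type"] != mime:
            continue
        for uid in f["conn_uids"].split(","):       # conn_uids is a set: comma-separated
            h = http_by_uid.get(uid)
            if h is None:
                continue                            # file seen on a non-HTTP or unlogged conn
            hits.append({
                "uid": uid,
                "fuid": f["fuid"],
                "url": f"http://{h['host']}{h['uri']}",
                "filename": h["uri"].rsplit("/", 1)[-1],
            })
    return hits

if __name__ == "__main__":
    for hit in executable_downloads(FILES_LOG, HTTP_LOG):
        print(f"{hit['uid']}  {hit['url']}  ->  flag{{{hit['filename']}}}")
```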
