What is the name of the executable in the malicious url? Submit the filename as the flag:
The provided Zip archive contained a packet capture file named, RATPack.pcap. I begin all CTF challenges involving a PCAP by utilizing Zeek, with a custom CTF focused script, for initial analysis.
$ /opt/zeek/bin/zeek -Cr RATPack ~/Tools/ctf_pcaps.zeek
To determine the filename in the malicious URl I first check files.log for a connection ID:
$ cat files.log | zeek-cut conn_uids tx_hosts rx_hosts mime_type Cxxhh718BBgD1SQOjd 126.96.36.199 172.16.1.219 application/x-dosexec
Connection ID “Cxxhh718BBgD1SQOjd” was the only file related event involving a DOS executable, which I use to search http.log to identify the HTTP session:
1595623874.820854 Cxxhh718BBgD1SQOjd 172.16.1.219 53227 188.8.131.52 80 1 GET hodrc.org /ot/solut.exe - 1.1 - - 0 1467736 200 OK - - (empty) - - - - - - FdRg4S3D9tM3erHqrc - application/x-dosexec
From the URL path the filename is identified as solut.exe, making the completed flag