02-06-25, 12:35 AM
Hi,
HTB{C2s_4r3_n0t_4lw4ys_4_s4f3_c0mmun1c4t10n_ch4nn3l}
enjoy
Ave
24-07-25, 01:28 AM
But I need a more detailed explanation of how to solve this task. Can you analyze it?
(24-07-25, 01:28 AM)PoseidonT_T Wrote: But I need a more detailed explanation of how to solve this task. Can you analyze it?

The challenge usually gives you a pcap file for network capture or maybe a memory dump. If it's a pcap, just open it up with Wireshark. If it's the memory dump kinda thing, use Volatility on it with the target system's profile... like vol.py -f dump.mem --profile=win7sp1x64 pslist and so on...

In Wireshark, head over to Statistics > Protocol Hierarchy. Look for sketchy protocols like HTTP, TCP, or RESP if it's Redis related. A lot of C2 traffic uses HTTP or some custom protocols... yeah... Filter with http or tcp.port == 80 || tcp.port == 443 for web stuff. If it's C2, you're gonna see base64 encoded data or obfuscated payloads maybe...

Searching for artifacts: run strings on the file, like strings capture.pcap | grep -iE "source|code|key|c2". Hunt for words such as source code, backup, or zip files. In similar challenges, the server source code is hidden in a zip... In the traffic, check for HTTP POST/GET that moves a zip or backup file... like backup_development.zip or somethin'.

If it's in a memory dump, use the Volatility plugin dumpfiles: vol.py -f dump.mem --profile=win7sp1x64 dumpfiles -q 0xaddress -d output/ ... get that address from filescan first... Extract the zip file. It might have an encrypted volume like a TrueCrypt .tc inside. If it's password protected, use the Volatility plugin truecryptpassphrase: vol.py -f dump.mem --profile=win7sp1x64 truecryptpassphrase. Mount the volume with VeraCrypt, and do not forget to enter the password. Inside you will find folders like malware_agent or server_source, including
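A defender-side version of the pcap triage described in the post above, as an added example (not the poster's own commands or any HTB material): a small Python scanner that walks a classic pcap without Wireshark, pulls the TCP payloads that look like HTTP, and flags messages carrying a zip archive (PK magic) or a long base64 run, the two artifacts the reply says to look for. The capture bytes, ports, hostnames and addresses are all constructed inline for the demo.

```python
import re
import struct

ZIP_MAGIC = b"PK\x03\x04"                            # local file header of a zip archive
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking run
HTTP_START = (b"GET ", b"POST ", b"HTTP/")
def tcp_payloads(pcap_bytes):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP frame in a classic pcap."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4-over-Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield sport, dport, tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset)
def find_suspicious_http(pcap_bytes):
    # Return (src_port, dst_port, reasons) for HTTP payloads worth a closer look.
    hits = []
    for sport, dport, data in tcp_payloads(pcap_bytes):
        if not data.startswith(HTTP_START):
            continue
        reasons = []
        if ZIP_MAGIC in data:
            reasons.append("zip archive in HTTP message")
        if B64_RUN.search(data):
            reasons.append("long base64 run in HTTP message")
        if reasons:
            hits.append((sport, dport, reasons))
    return hits
def build_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame around a payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip
def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian pcap header
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample capture: a zip upload, a base64 beacon and a benign request.
SAMPLE_PCAP = build_pcap([
    build_frame(49152, 80, b"POST /upload HTTP/1.1\r\nHost: c2.example\r\n\r\n" + ZIP_MAGIC + b"\x14\x00"),
    build_frame(49153, 80, b"GET /b?d=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5 HTTP/1.1\r\n\r\n"),
    build_frame(49154, 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
])
```

Point `find_suspicious_http` at the bytes of a real capture to get a shortlist of streams to open in Wireshark; the base64 threshold and the HTTP prefix list are deliberately simple and should be tuned to the traffic at hand.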