Fishy HTTP

hackthebox

Category: forensics | free | medium


Techniques: html tag encoding, word-based base64 encoding, c2 traffic analysis, dotnet decompilation, protocol reverse engineering


Description

I found a suspicious program on my computer making HTTP requests to a web server. Please review the provided traffic capture and executable file for analysis. (Note: Flag has two parts)

Files provided:

  • smphost.exe — 67MB PE64 executable (.NET 8 self-contained)
  • sustraffic.pcapng — Network capture (104 frames)

Analysis

Step 1: Initial Reconnaissance

Identified the binary and traffic characteristics:

file smphost.exe
# PE32+ executable (console) x86-64, for MS Windows

tshark -r sustraffic.pcapng -z io,phs
# 104 frames, all TCP/HTTP between client and server at 10.142.0.3
# Pattern: alternating GET / and POST /submit_feedback (9 GET, 4 POST)

The 67MB size immediately suggests a .NET self-contained deployment (bundled runtime). The alternating GET/POST pattern suggests a polling-based C2 protocol.

Step 2: Binary Analysis (smphost.exe)

The executable is a .NET 8 self-contained single-file deployment. The embedded application DLL MyProject.dll (15,872 bytes) was found at offset 0x937000 in the binary, namespace MyNamespace.Program.

Usage: smphost.exe <IPAddress> <Port>

Decompilation revealed a C2 (Command & Control) reverse shell agent that communicates over HTTP disguised as a feedback form. The protocol has two encoding layers:

  1. Server → Client: Commands encoded as sequences of HTML tags
  2. Client → Server: Output encoded as words replacing Base64 characters

Step 3: Understanding the Protocol

Server → Client (Commands encoded in HTML tags)

The C2 server returns HTML pages where each HTML tag maps to a hex nibble. The sequence of tags forms a hex string that decodes to a shell command.

HTML Tag → Hex Nibble Mapping:

...
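The two encoding layers described above, as an added decoder that is not the writeup's own code. The page does not reproduce the challenge's actual tag-to-nibble table or its word table, so both tables below, the sample response and the sample POST body are constructed stand-ins; the real tables recovered from MyProject.dll would be swapped in to decode sustraffic.pcapng.

```python
import base64
import re

# Constructed stand-in tables: the challenge's real tag->nibble table and its
# word->Base64 table are not on this page, so these are hypothetical examples.
NIBBLE_TO_TAG = dict(zip("0123456789abcdef", [
    "div", "span", "p", "a", "b", "i", "u", "s",
    "ul", "ol", "li", "em", "strong", "code", "pre", "br",
]))
TAG_TO_NIBBLE = {tag: nib for nib, tag in NIBBLE_TO_TAG.items()}
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
B64_TO_WORD = {c: f"word{i:02d}" for i, c in enumerate(B64_ALPHABET)}
WORD_TO_B64 = {w: c for c, w in B64_TO_WORD.items()}
TAG_RE = re.compile(r"<([A-Za-z][A-Za-z0-9]*)[^>]*>")  # opening tags only

def decode_command(html: str) -> str:
    """Server -> client: each mapped opening tag yields one hex nibble and the
    nibble string is the command's ASCII bytes. Closing tags, attributes and
    unmapped wrapper tags such as <html> or <body> carry no data."""
    nibbles = [TAG_TO_NIBBLE[t.lower()] for t in TAG_RE.findall(html)
               if t.lower() in TAG_TO_NIBBLE]
    if len(nibbles) % 2:
        raise ValueError("odd nibble count: truncated response or unmapped tag")
    return bytes.fromhex("".join(nibbles)).decode("ascii")

def encode_command(cmd: str) -> str:
    """Inverse of decode_command; used here only to build a constructed sample."""
    return "".join(f"<{NIBBLE_TO_TAG[n]}></{NIBBLE_TO_TAG[n]}>"
                   for n in cmd.encode("ascii").hex())

def decode_output(body: str) -> str:
    """Client -> server: the POST body is whitespace-separated words, one per
    Base64 character; map each word back, then Base64-decode the output."""
    b64 = "".join(WORD_TO_B64[w] for w in body.split())
    return base64.b64decode(b64).decode("utf-8", errors="replace")

def encode_output(text: str) -> str:
    """Inverse of decode_output; used here only to build a constructed sample."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return " ".join(B64_TO_WORD[c] for c in b64)

# Constructed sample exchange, not frames taken from sustraffic.pcapng.
SAMPLE_GET_RESPONSE = "<html><body>" + encode_command("whoami") + "</body></html>"
SAMPLE_POST_BODY = encode_output("desktop-01\\alice\r\n")

if __name__ == "__main__":
    print("command:", decode_command(SAMPLE_GET_RESPONSE))
    print("output :", decode_output(SAMPLE_POST_BODY))
```

To run this against the real capture, extract each GET response body and each POST /submit_feedback body (for example with tshark's follow-stream output) and feed them to decode_command and decode_output respectively.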
