I found a suspicious program on my computer making HTTP requests to a web server. Please review the provided traffic capture and executable file for analysis. (Note: Flag has two parts)
Files provided:

- smphost.exe — 67MB PE64 executable (.NET 8 self-contained)
- sustraffic.pcapng — Network capture (104 frames)

Identified the binary and traffic characteristics:
```shell
file smphost.exe
# PE32+ executable (console) x86-64, for MS Windows

tshark -r sustraffic.pcapng -z io,phs
# 104 frames, all TCP/HTTP between client and server at 10.142.0.3
# Pattern: alternating GET / and POST /submit_feedback (9 GET, 4 POST)
```
The 67MB size immediately suggests a .NET self-contained deployment (bundled runtime). The alternating GET/POST pattern suggests a polling-based C2 protocol.
The executable is a .NET 8 self-contained single-file deployment. The embedded application DLL MyProject.dll (15,872 bytes) was found at offset 0x937000 in the binary, namespace MyNamespace.Program.
Usage: smphost.exe <IPAddress> <Port>
Decompilation revealed a C2 (Command & Control) reverse shell agent that communicates over HTTP disguised as a feedback form. The protocol has two encoding layers:
The C2 server returns HTML pages where each HTML tag maps to a hex nibble. The sequence of tags forms a hex string that decodes to a shell command.
HTML Tag → Hex Nibble Mapping:
...
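To make the first encoding layer concrete, here is an added decoder for the tag-to-nibble scheme described above. It is not code from the write-up or from the sample; the 16-entry tag table it uses is a constructed placeholder (the real table is not reproduced here), the sample HTTP response body is constructed by hand, and a defender would swap in the mapping recovered from the decompiled agent before running it over the bodies extracted from the pcap.

```python
"""Decode an HTML page whose tag sequence spells out a hex string.

The covert channel: every HTML tag in the server's response maps to one
hex nibble; concatenating the nibbles in document order gives the hex
encoding of the command the agent will run.
"""
from html.parser import HTMLParser

# HYPOTHETICAL mapping, constructed for this example. The sample's real table
# must be taken from the decompiled MyProject.dll and substituted here.
TAG_TO_NIBBLE = {
    "p": "0", "b": "1", "i": "2", "u": "3",
    "a": "4", "em": "5", "div": "6", "span": "7",
    "li": "8", "ul": "9", "ol": "a", "h1": "b",
    "h2": "c", "h3": "d", "br": "e", "hr": "f",
}


class TagSequence(HTMLParser):
    """Collect opening (and self-closing) tags in document order.

    Closing tags carry no information in this scheme, so they are ignored.
    """

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag.lower())

    def handle_startendtag(self, tag, attrs):
        # e.g. <br/> or <hr/>; counted like a normal opening tag
        self.tags.append(tag.lower())


def extract_tags(html):
    """Return the ordered list of tag names found in an HTML body."""
    parser = TagSequence()
    parser.feed(html)
    parser.close()
    return parser.tags


def tags_to_hex(tags, mapping=TAG_TO_NIBBLE, skip_unmapped=False):
    """Map each tag to its nibble; unmapped tags (e.g. <html>, <body>) are
    either skipped or rejected, depending on skip_unmapped."""
    nibbles = []
    for tag in tags:
        if tag in mapping:
            nibbles.append(mapping[tag])
        elif not skip_unmapped:
            raise ValueError(f"tag <{tag}> is not in the nibble alphabet")
    return "".join(nibbles)


def decode_command(html, mapping=TAG_TO_NIBBLE):
    """Recover the command carried by one server response body."""
    hexstr = tags_to_hex(extract_tags(html), mapping, skip_unmapped=True)
    if len(hexstr) % 2:
        raise ValueError(f"odd nibble count ({len(hexstr)}); page is truncated or mapping is wrong")
    return bytes.fromhex(hexstr).decode("utf-8", errors="replace")


def looks_like_covert_page(html, mapping=TAG_TO_NIBBLE):
    """Cheap triage heuristic for captured responses: a real page has text,
    a channel page is almost all alphabet tags wrapped around no content."""
    tags = extract_tags(html)
    in_alphabet = sum(1 for t in tags if t in mapping)
    visible_text = "".join(
        ch for ch in html.split(">")[-1] if not ch.isspace()
    )
    return in_alphabet >= 8 and len(visible_text) == 0


# Constructed sample response: under the placeholder mapping it spells the
# hex string 77686f616d69, i.e. the bytes of "whoami".
SAMPLE_RESPONSE = (
    "<html><body>"
    "<span></span><span></span><div></div><li></li><div></div><hr>"
    "<div></div><b></b><div></div><h3></h3><div></div><ul></ul>"
    "</body></html>"
)

if __name__ == "__main__":
    print("tags:", extract_tags(SAMPLE_RESPONSE))
    print("hex :", tags_to_hex(extract_tags(SAMPLE_RESPONSE), skip_unmapped=True))
    print("cmd :", decode_command(SAMPLE_RESPONSE))
```

When working from the pcap, export each HTTP response body (for example with tshark's follow-stream output or an `http.response` filter in Wireshark) and feed it to `decode_command`; `looks_like_covert_page` is only a first-pass filter to separate channel pages from any decoy content the server might also serve.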