Fishy HTTP — HackTheBox

Description

I found a suspicious program on my computer making HTTP requests to a web server. Please review the provided traffic capture and executable file for analysis. (Note: Flag has two parts)

Files provided:

• smphost.exe — 67MB PE64 executable (.NET 8 self-contained)
• sustraffic.pcapng — Network capture (104 frames)

Analysis

Step 1: Initial Reconnaissance

Identified the binary and traffic characteristics:

file smphost.exe
# PE32+ executable (console) x86-64, for MS Windows

tshark -r sustraffic.pcapng -z io,phs
# 104 frames, all TCP/HTTP between client and server at 10.142.0.3
# Pattern: alternating GET / and POST /submit_feedback (9 GET, 4 POST)

The 67MB size immediately suggests a .NET self-contained deployment (bundled runtime). The alternating GET/POST pattern suggests a polling-based C2 protocol.

Step 2: Binary Analysis (smphost.exe)

The executable is a .NET 8 self-contained single-file deployment. The embedded application DLL MyProject.dll (15,872 bytes) was found at offset 0x937000 in the binary, namespace MyNamespace.Program.

Usage: smphost.exe <IPAddress> <Port>

Decompilation revealed a C2 (Command & Control) reverse shell agent that communicates over HTTP disguised as a feedback form. The protocol has two encoding layers:

1. Server → Client: Commands encoded as sequences of HTML tags
2. Client → Server: Output encoded as words replacing Base64 characters

Step 3: Understanding the Protocol

Server → Client (Commands encoded in HTML tags)

The C2 server returns HTML pages where each HTML tag maps to a hex nibble. The sequence of tags forms a hex string that decodes to a shell command.

HTML Tag → Hex Nibble Mapping:

Tag	Hex	Tag	Hex	Tag	Hex	Tag	Hex
cite	0	img	4	div	8	nav	c
h1	1	ul	5	span	9	b	d
p	2	ol	6	label	a	i	e
a	3	button	7	blockquote	f	li	skip

Decoding process: Parse HTML → extract tag names → map each to hex nibble → concatenate → hex decode to ASCII = shell command.

Client → Server (Output encoded as words)

1. Command output is UTF-8 encoded, then Base64 encoded
2. Each Base64 character is replaced with a random word starting with the same letter (preserving case)
3. Numbers and special characters (+, =) are kept as-is
4. The encoded string is submitted as feedback in a POST to /submit_feedback with Name=Test User

Decoding process: Split feedback by spaces → take first character of each token → reconstruct Base64 string → Base64 decode.

Step 4: Decoding the Traffic

Frame 9 → Frame 16: whoami

Command:  whoami
Output:   windows-instanc\pakcyberbot

Frame 31 → Frame 41: systeminfo

Command:  systeminfo
Output:   Windows Server 2016 Datacenter on Google Compute Engine

Frame 60 → Frame 67: dir && type file ← FLAG HERE

The command decoded from HTML tags in frame 60:

dir && cd \Users\pakcyberbot\Documents\ && type HTB{Th4ts_d07n37_

Flag Part 1 is embedded directly in the command: HTB{Th4ts_d07n37_

The POST output from frame 67 (Base64 decoded from word encoding) contains directory listing plus:

'h77P_s73417hy_revSHELL}'

Flag Part 2: h77P_s73417hy_revSHELL}

Frame 84 → Frame 91: Post-exploitation

Command:  dir && cd \Users\pakcyberbot && echo 'you are hacked' > notes.txt
Output:   directory listing

Solution

Decoding HTML Tags (Server → Client)

#!/usr/bin/env python3
"""Decode C2 commands from HTML tag encoding in HTTP responses."""
import re

tag_map = {
    'cite': '0', 'h1': '1', 'p': '2', 'a': '3',
    'img': '4', 'ul': '5', 'ol': '6', 'button': '7',
    'div': '8', 'span': '9', 'label': 'a', 'textarea': 'b',
    'nav': 'c', 'b': 'd', 'i': 'e', 'blockquote': 'f'
}

# Extract opening tags from HTML response body
html_body = "..."  # from tshark -T fields -e http.file_data
tags = re.findall(r'<(\w+)', html_body)

# Filter out 'li' (skip marker) and map to hex nibbles
hex_nibbles = [tag_map[t] for t in tags if t in tag_map]
hex_string = ''.join(hex_nibbles)

# Decode hex to ASCII
command = bytes.fromhex(hex_string).decode('utf-8')
print(f"Command: {command}")

Decoding Word-Encoded Feedback (Client → Server)

#!/usr/bin/env python3
"""Decode C2 output from word-based Base64 encoding in POST feedback."""
import base64

# Extract feedback field from POST body
feedback = "..."  # from tshark -T fields -e urlencoded-form.value

# Each word's first character = original Base64 character
words = feedback.split()
b64_chars = [w[0] for w in words]
b64_str = ''.join(b64_chars)

# Decode Base64 to get original command output
decoded = base64.b64decode(b64_str).decode('utf-8')
print(f"Output: {decoded}")

Full Decode Pipeline

#!/usr/bin/env python3
"""
Complete decoder for Fishy HTTP C2 protocol.
Extracts commands from GET responses and outputs from POST requests.
"""
import re
import base64
import subprocess

pcap = "sustraffic.pcapng"

# Extract HTTP responses (commands)
responses = subprocess.run(
    ["tshark", "-r", pcap, "-Y", "http.response and http.content_type contains html",
     "-T", "fields", "-e", "frame.number", "-e", "http.file_data"],
    capture_output=True, text=True
).stdout.strip().split('\n')

# Extract POST data (outputs)
posts = subprocess.run(
    ["tshark", "-r", pcap, "-Y", "http.request.method == POST",
     "-T", "fields", "-e", "frame.number", "-e", "urlencoded-form.value"],
    capture_output=True, text=True
).stdout.strip().split('\n')

tag_map = {
    'cite': '0', 'h1': '1', 'p': '2', 'a': '3',
    'img': '4', 'ul': '5', 'ol': '6', 'button': '7',
    'div': '8', 'span': '9', 'label': 'a', 'textarea': 'b',
    'nav': 'c', 'b': 'd', 'i': 'e', 'blockquote': 'f'
}

def decode_command(html):
    tags = re.findall(r'<(\w+)', html)
    nibbles = [tag_map[t] for t in tags if t in tag_map]
    return bytes.fromhex(''.join(nibbles)).decode('utf-8', errors='replace')

def decode_output(feedback):
    words = feedback.split()
    b64 = ''.join(w[0] for w in words)
    return base64.b64decode(b64).decode('utf-8', errors='replace')

# Decode and print all exchanges
for resp in responses:
    parts = resp.split('\t', 1)
    if len(parts) == 2:
        frame, html = parts
        cmd = decode_command(html)
        if cmd.strip():
            print(f"[Frame {frame}] Command: {cmd}")

for post in posts:
    parts = post.split('\t', 1)
    if len(parts) == 2:
        frame, data = parts
        # Second field is the feedback value
        fields = data.split('\t')
        if len(fields) >= 2:
            output = decode_output(fields[1])
            print(f"[Frame {frame}] Output: {output[:200]}...")

Key Indicators

Use this technique when you see:

• Alternating GET/POST HTTP traffic pattern (polling-based C2)
• HTML pages with unusual or excessive tag usage (tags as data encoding)
• POST form submissions with seemingly random words (word-based steganography)
• Oversized executables (~67MB) that are .NET self-contained deployments
• Feedback forms or comment submissions used as data exfiltration channels
• Base64-like patterns hidden in natural-looking text

Key Techniques

Technique	Description
HTML Tag Encoding	Each HTML tag name maps to a hex nibble; sequence of tags encodes shell commands
Word-Based Base64 Encoding	Base64 characters replaced by random words starting with the same letter
C2 Traffic Analysis	Identifying command-and-control patterns in HTTP traffic
.NET Decompilation	Extracting and decompiling embedded DLLs from self-contained .NET executables
Protocol Reverse Engineering	Understanding custom encoding schemes by analyzing both binary and traffic

Tools Used

• tshark — PCAP analysis, HTTP field extraction, protocol hierarchy stats
• Python3 — Custom decoding scripts for both encoding layers
• file/strings — Initial binary reconnaissance
• .NET IL Disassembly — Decompilation of embedded MyProject.dll to understand the C2 protocol

Lessons Learned

1. C2 can hide in plain sight — Using standard HTML and feedback forms makes traffic look legitimate
2. Tag names carry data — HTML structure itself (not content) can encode information
3. Word substitution is effective steganography — Replacing Base64 chars with words makes encoded data look like natural text
4. Large .NET executables are suspicious — 67MB console apps bundling the entire .NET runtime are unusual
5. Two-part flags require full analysis — Part 1 was in the command (GET), Part 2 in the output (POST); both encoding layers needed decoding

References

• .NET Single-File Deployment
• HTTP-based C2 Channels
• Steganography in Network Protocols