forensicsProhard

The Art of Capture

hackthebox

Task: minidump + PCAP of a custom Nim AES-128-CTR HTTP C2; recover crypto, decrypt traffic, and reconstruct a two-part flag. Solution: carve the Nim implant from the dump, Unicorn-emulate a XOR-rolling-counter key derivation to get the real key, AES-CTR-decrypt all C2 traffic (flag part 1 in a double-base64+gzip screenshot ASCII art), then RC4-self-decrypt the uploaded rev.exe shellcode loader for flag part 2.

multi_stage rc4 pcap minidump shellcode aes_ctr gzip c2 zlib nim nimcrypto metasploit screenshot_exfil

http_object_exportminidump_pe_carvingunicorn_emulation_key_derivationxor_rolling_counter_keyaes_128_ctr_decryptmulti_layer_base64_gzipzlib_inflaterc4_self_decrypting_shellcodefiglet_ascii_art_flag

$ ls tags/ techniques/

multi_stage rc4 pcap minidump shellcode aes_ctr gzip c2 zlib nim nimcrypto metasploit screenshot_exfil

http_object_exportminidump_pe_carvingunicorn_emulation_key_derivationxor_rolling_counter_keyaes_128_ctr_decryptmulti_layer_base64_gzipzlib_inflaterc4_self_decrypting_shellcodefiglet_ascii_art_flag

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups