
New C2 Channel

This is a writeup of the Forensics challenge "New C2 Channel?" from swampCTF.

Points: 125

Premise

Sometimes you can exfiltrate data with more than just plain text. Can you figure out how the attacker smuggled out the flag on our network?

Challenge files:

playback.pcap

Observations

Upon opening the file in Wireshark, I inspected the first HTTP packet and saw the following first character:

It looks a lot like an ASCII-art "s" and part of another character.

Solution

Following the HTTP packets that contain the string "username" slowly prints out the flag as ASCII art, one fragment per packet.

Read in capture order, the fragments build up the flag:

swampCTF{w3lc0m3_70_7h3_l4nd_0f_7h3_pc4p}
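As an added example that is not part of the original writeup: a dependency-free Python script that walks a pcap and pulls out, in capture order, every TCP payload containing the marker string "username", so the ASCII-art fragments can be read back without clicking through the packets one by one. It assumes Ethernet/IPv4/TCP framing in a classic (non-pcapng) capture and does no stream reassembly; the sample packets are constructed inline and the "username=" query form is an assumption, not the challenge's exact format.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps


def build_pcap(payloads):
    """Wrap each payload in a minimal Ethernet/IPv4/TCP frame and emit a pcap.
    Constructed sample data for the demo only; real captures come from the wire."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, payload in enumerate(payloads):
        tcp = struct.pack("!HHIIBBHHH", 4444, 80, i * 100, 0, 5 << 4, 0x18, 8192, 0, 0)
        ip_len = 20 + len(tcp) + len(payload)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, i, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01")
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def tcp_payloads(pcap_bytes):
    """Yield TCP payloads in capture order (Ethernet/IPv4/TCP only, no reassembly)."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from(endian + "IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        tcp_start = 14 + ihl
        doff = (frame[tcp_start + 12] >> 4) * 4
        yield frame[tcp_start + doff: 14 + total_len]


def recover_fragments(pcap_bytes, marker=b"username"):
    """Return the payloads that carry the marker, in capture order."""
    return [p for p in tcp_payloads(pcap_bytes) if marker in p]


# Constructed sample: two marker-bearing requests around an unrelated one.
SAMPLE_PCAP = build_pcap([
    b"GET /?username=%20_%20 HTTP/1.1\r\nHost: c2.example\r\n\r\n",
    b"GET /favicon.ico HTTP/1.1\r\nHost: c2.example\r\n\r\n",
    b"GET /?username=(_) HTTP/1.1\r\nHost: c2.example\r\n\r\n",
])

if __name__ == "__main__":
    for fragment in recover_fragments(SAMPLE_PCAP):
        print(fragment.decode("ascii", "replace"))
```

On a real capture, replace SAMPLE_PCAP with the bytes of playback.pcap and print the fragments in order; the same marker filter is what a detection rule for this kind of beaconing would key on.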

Tools and sources used:

This post is licensed under CC BY 4.0 by the author.