Download and unzip the attached file.
The pcap file will be extracted from the zip file.
Open Wireshark and go through the packets.
I filtered the packets by HTTP protocol. Then I found suspicious command injections.
It seems it’s executing a bash shell on 192.168.1.180.
So, I filtered packets with the IP address 192.168.1.180.
Then I checked the TCP stream of the packets.
In the last part of the stream, I found an encoded command.
If you read it carefully, it is a reversed, base64-encoded command.
I reversed it again and decoded it.
echo "==gC9FSI5tGMwA3cfRjd0o2Xz0GNjNjYfR3c1p2Xn5WMyBXNfRjd0o2eCRFS" | rev | base64 -d
HTB{j4v4_5pr1ng_just_b3c4m3_j4v4_sp00ky!!}
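
The manual check above can be automated when triaging a stream exported from Wireshark ("Follow TCP Stream" saved as text). The following is an added example, not part of the original writeup: it scans stream text for base64-looking tokens and tries each one both as written and reversed, keeping only those that decode to printable ASCII. The function names and the sample stream lines are constructed for illustration; only the encoded string comes from the capture.

```python
import base64
import binascii
import re

# Runs of base64 alphabet; '=' is allowed on either end so that reversed
# padding (a token that *starts* with '=') is still captured.
TOKEN_RE = re.compile(r"={0,2}[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample: a benign header plus the encoded string from the capture.
SAMPLE_STREAM = (
    "X-Request-Id: 0123456789ABCDEF0123456789ABCDEF\n"
    'data="==gC9FSI5tGMwA3cfRjd0o2Xz0GNjNjYfR3c1p2Xn5WMyBXNfRjd0o2eCRFS"\n'
)

def _try_decode(token):
    """Return decoded text if token is strict base64 of printable ASCII, else None."""
    # Padding may only appear at the end, and the length must be a multiple of 4.
    if len(token) % 4 or "=" in token.rstrip("="):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None

def find_encoded_commands(stream_text):
    """Return (token, orientation, decoded) for every token that decodes cleanly."""
    hits = []
    for match in TOKEN_RE.finditer(stream_text):
        token = match.group(0)
        for orientation, candidate in (("forward", token), ("reversed", token[::-1])):
            decoded = _try_decode(candidate)
            if decoded is not None:
                hits.append((token, orientation, decoded.strip()))
    return hits

if __name__ == "__main__":
    for token, orientation, decoded in find_encoded_commands(SAMPLE_STREAM):
        print(f"[{orientation}] {token[:20]}... -> {decoded}")
```

The printable-ASCII filter is what keeps random identifiers such as the request ID from being reported; lower the 16-character minimum only if short tokens matter, since false positives rise quickly.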