Download and unzip the attached file. The pcap file will be extracted from the zip file. Open Wireshark and go through the packets. I filtered packets with the HTTP protocol. Then I found suspicious command injections. It seems it’s executing a bash shell on 192.168.1.180. So, I filtered packets with the IP address 192.168.1.180. Then I checked … Read More “Hack the box: Wrong Spooky Season write up” »
Tag: forensics
Download the zip file and unzip it. You will get the email with encoded contents. The first encoded block is like below. It says it is base64 encoded. Let’s decode it with CyberChef. Then you will get the message from the leader of the resistance. Now let’s check the second encoded block. When decoding it, the … Read More “Hack the box – Urgent write up” »
I share the solution of the “an unusual sighting” challenge from Hack the box. Connect to the host machine using netcat. Then it will ask us questions. All the answers can be found in the log files. IP Address and Port of the SSH Server: 100.107.36.130:2221. What time is the first successful login: 2024-02-13 11:29:50. What … Read More “Hack the box – An unusual sighting” »
Description: Figure out how they moved the flag. Solution: Download the file. It is a packet capture file. Open it with Wireshark. The log shows it’s looking for MAC addresses, and tons of TFTP packets follow. I noticed some files are sent over TFTP. Let’s check the files. Filter the packets with tftp.type. Ok, … Read More “picoCTF2021 – Trivial Flag Transfer Protocol” »
Description: I’ve hidden a flag in this file. Can you find it? Forensics is fun.pptm Solution: Let’s see what is hidden in the ppt file. OK, there are quite a few files hidden. Let’s extract them. Then we get the directory called _Forensics is fun.pptm.extracted. Let’s see what’s inside. Found the hidden file! What’s written inside … Read More “picoCTF2021 – MacroHard WeakEdge write up” »
Description: Files can always be changed in a secret way. Can you find the flag? cat.jpg Solution: Check out the details of the attached image file; exiftool can be used. Then we get the result below. The License field looks base64 encoded. Let’s decode it. picoCTF{the_m3tadata_1s_modified}