What the hell happened to the PC?!
Announcement: one of the Resistance computers has been attacked and hacked. It seems that the computer was under various forms of attack while being exploited as a C2 server.
We need to report to our superiors. Determine the time of success of the attack actions performed on the compromised computer. However, the time needs to be reported in the local time of the compromised computer.
Flag Format : CDDC2023{md5(localtime YYYYMMDD-HH:MM:SS)}
To begin the analysis, we opened the capture in Wireshark and navigated to Statistics > Endpoints, IPv4 tab.
There we sorted the endpoints by packets sent and picked the address that had sent the most.
The purpose of this step was to identify the IP address that generated the most network traffic. Our assumption was that this address belonged to the compromised Resistance computer, since the host being driven by the attackers as a C2 client would be the busiest endpoint in the capture.


With the top sender identified (192.168.94.159), we applied the display filter ip.addr==192.168.94.159 to focus solely on traffic involving that host.
Since the challenge text mentioned a C2 server, we narrowed the view further to the HTTP protocol (ip.addr==192.168.94.159 && http) to isolate the relevant communications.

While looking through the filtered results, we noticed something useful: the compromised computer's local time zone is Korea Standard Time (KST, UTC+9). We took note of this for the final conversion.

On further analysis of the POST requests, we found evidence of a successful cross-site scripting (XSS) attack. This confirmed that the compromised computer had indeed been targeted and exploited, and it gave us the request whose time we needed to report.

To determine the exact time of the successful attack action, we followed the TCP stream of the XSS request. Here we observed a discrepancy of 1 second between the frame timestamp shown in the pcap and the timestamp carried inside the TCP stream itself. This is not unusual: the frame time is stamped by the capturing machine's clock, whereas a timestamp inside the stream is written by the host that generated the traffic. Because the challenge asks for the compromised computer's own view of time, we used the value from the TCP stream.

We then converted the timestamp from the TCP stream to the compromised computer's local time (KST, UTC+9) and wrote it in the required YYYYMMDD-HH:MM:SS form, which gave 20230503-05:16:35.
Finally, to generate the flag, we MD5-hashed that local-time string and placed the digest in the required flag format:
CDDC2023{md5(20230503-05:16:35)}
Final Flag: CDDC2023{d6f34555596e3917d42933f66be58cd8}
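The steps above were done in the Wireshark GUI. As an added example (not part of the original write-up), the script below reproduces the same workflow in plain Python so it can be scripted against other captures: a minimal classic-pcap reader, a top-sender count that mirrors Statistics > Endpoints, extraction of both the frame time and the in-stream timestamp of the first POST, conversion to KST in YYYYMMDD-HH:MM:SS form, and the CDDC2023{md5(...)} wrapper. The capture it reads is constructed in memory; the addresses, the 10.0.0.5 peer, the request paths and the Date header are illustrative assumptions, not data from the challenge pcap. Only the address 192.168.94.159 and the KST conversion are taken from the write-up.

```python
import hashlib
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

KST = timezone(timedelta(hours=9))  # Korea Standard Time, UTC+9: the victim's local zone


def tcp_frame(src, dst, payload=b""):
    """Ethernet/IPv4/TCP frame with minimal headers (checksums left zero, enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)  # data offset 5
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_pcap(records):
    """records: iterable of (epoch_seconds, frame_bytes) -> classic little-endian pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (epoch_float, frame_bytes) from classic pcap bytes in either byte order."""
    magic, = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl_len]
        off += incl_len


def ipv4_tcp_payload(frame):
    """Return (src, dst, tcp_payload) for an Ethernet/IPv4/TCP frame, otherwise None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, dst, frame[tcp + data_off:]


def top_sender(data):
    """Source address that sent the most packets: the write-up's heuristic for the victim host."""
    counts = Counter()
    for _ts, frame in iter_pcap(data):
        parsed = ipv4_tcp_payload(frame)
        if parsed:
            counts[parsed[0]] += 1
    return counts.most_common(1)[0][0] if counts else None


def local_time_string(epoch, tz=KST):
    """UTC epoch -> victim-local YYYYMMDD-HH:MM:SS (the flag's plaintext form)."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y%m%d-%H:%M:%S")


def http_date_to_local_string(http_date, tz=KST):
    """RFC 1123 Date header (always GMT) -> same local form; this is the in-stream timestamp."""
    return parsedate_to_datetime(http_date).astimezone(tz).strftime("%Y%m%d-%H:%M:%S")


def post_times(data, host, tz=KST):
    """For the first POST sent by `host`, return (frame time, in-stream Date time) as local strings.
    The two can differ by a second; the write-up reported the in-stream value."""
    for ts, frame in iter_pcap(data):
        parsed = ipv4_tcp_payload(frame)
        if not parsed or parsed[0] != host or not parsed[2].startswith(b"POST "):
            continue
        header = None
        for line in parsed[2].split(b"\r\n"):
            if line.lower().startswith(b"date:"):
                header = http_date_to_local_string(line.split(b":", 1)[1].strip().decode(), tz)
        return local_time_string(ts, tz), header
    return None


def make_flag(local_str):
    """CDDC2023{md5(localtime YYYYMMDD-HH:MM:SS)}"""
    return "CDDC2023{" + hashlib.md5(local_str.encode()).hexdigest() + "}"


# Constructed capture (not the challenge pcap): the noisy host beacons, then sends the XSS POST.
ATTACK_EPOCH = 1683058595.0  # 2023-05-02 20:16:35 UTC == 2023-05-03 05:16:35 KST
SAMPLE_PCAP = build_pcap([
    (ATTACK_EPOCH - 5, tcp_frame("192.168.94.159", "10.0.0.5", b"GET /beacon HTTP/1.1\r\n\r\n")),
    (ATTACK_EPOCH - 4, tcp_frame("10.0.0.5", "192.168.94.159", b"HTTP/1.1 200 OK\r\n\r\n")),
    # frame clocked one second after the Date carried inside the stream, as seen in the write-up
    (ATTACK_EPOCH + 1, tcp_frame("192.168.94.159", "10.0.0.5",
        b"POST /submit HTTP/1.1\r\nDate: Tue, 02 May 2023 20:16:35 GMT\r\n\r\nq=<script>alert(1)</script>")),
])

if __name__ == "__main__":
    victim = top_sender(SAMPLE_PCAP)
    frame_local, stream_local = post_times(SAMPLE_PCAP, victim)
    print(victim, frame_local, stream_local, make_flag(stream_local))
```

Run against a real capture by replacing SAMPLE_PCAP with the file's bytes; pcapng files (Wireshark's default save format) must be exported as classic pcap first, since only that container is parsed here. The sender count is a heuristic, exactly as in the write-up: a busy but benign host can outrank the victim, so confirm the choice against the HTTP traffic before trusting it.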