Level: hard
Type: Forensics
In the wild world of covert data transmission, people have discovered numerous ways to exfiltrate and send data using a variety of methods.
- Open the PCAP file (wire.pcapng) in Wireshark or any packet analyzer; observe many DNS requests in a short time.
- Notice that many DNS queries have obfuscated subdomains under ransomcloud-xg48f7yx5a.com.
- Extract the subdomains from the PCAP with the following command, which extracts printable strings, isolates the subdomain in front of the main domain, removes spaces, and saves the result to file.txt:

```
strings wire.pcapng | grep -oP '.+?(?=\.ransomcloud-xg48f7yx5a\.com)' | tr -d ' ' > file.txt
```

- Upload file.txt to CyberChef.
- Decode the file contents twice with Base64 decoding.
- Convert the decoded output from hex to binary.
- Checking the results, we can see that there is a JFIF header, which may indicate the picture is corrupted due to incorrect magic bytes.
- Save the binary output as a .jpg file; observe that it appears corrupted.
- Upload the corrupted JPEG file to Jens Duttke HexEd.it - Browser-based Online and Offline Hex Editing.
- I'm going to search on Google for the header bytes of a JPEG file: JPG Signature Format: Documentation & Recovery Example
- Replace the first 16 bytes (JPEG header) with `FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 48`. This fixes the JPEG magic header.
- Save the changes and download the repaired JPEG.
- Open the repaired JPEG image.
- Read the displayed flag.
- Flag: CTF{Cr4ck_the_C0d3_And_5ee_The_Truth_B3hind_T1m3_4nD_Sp4c3_999}
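The same reconstruction as a script, added here as an example and not part of the original writeup or the challenge author's tooling. It assumes the encoding the writeup describes (file bytes, hex-encoded, then Base64 twice, spread across the leftmost DNS label of ransomcloud-xg48f7yx5a.com, with Base64 padding stripped so the labels stay valid), and that the query names have already been pulled out of the PCAP, for instance with the strings/grep pipeline above or tshark. It builds a constructed sample capture inline so it runs offline; the 16-byte JFIF header it writes back is the one the writeup patches in, and the detection helper at the end flags the same thing the writeup spots in Wireshark: one domain receiving a burst of long, high-entropy subdomains.

```python
"""Recover a file exfiltrated over DNS labels and repair its JPEG header."""
import base64
import binascii
import math
import random
from collections import Counter, defaultdict

DOMAIN = "ransomcloud-xg48f7yx5a.com"
# Standard first 16 bytes of a JFIF file: SOI, APP0 marker, segment length,
# "JFIF\0", version 1.1, units = dpi, X density = 72. Same bytes as the writeup.
JFIF_HEADER = bytes.fromhex("FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 48")


def encode_for_dns(data: bytes, label_len: int = 60) -> list:
    """Constructed sender side (assumption, only used to build the sample):
    hex -> Base64 -> Base64, padding stripped, cut into labels under DOMAIN."""
    outer = base64.b64encode(base64.b64encode(binascii.hexlify(data))).decode()
    outer = outer.rstrip("=")
    labels = [outer[i:i + label_len] for i in range(0, len(outer), label_len)]
    return [f"{label}.{DOMAIN}" for label in labels]


def extract_subdomains(query_names, domain: str = DOMAIN) -> list:
    """Keep the labels in front of the exfil domain, in capture order. Case is
    preserved because Base64 is case-sensitive; consecutive duplicates are
    dropped because a DNS response echoes the name of its query."""
    subs = []
    for name in query_names:
        name = name.rstrip(".")
        if not name.lower().endswith("." + domain):
            continue
        sub = name[: -len(domain) - 1]
        if subs and subs[-1] == sub:
            continue
        subs.append(sub)
    return subs


def decode_payload(subdomains) -> bytes:
    """Reverse the writeup's CyberChef recipe: Base64, Base64, then from hex."""
    joined = "".join(subdomains)
    joined += "=" * (-len(joined) % 4)          # restore the stripped padding
    inner = base64.b64decode(joined)            # still Base64 text
    hexdata = base64.b64decode(inner)           # now hex text
    return binascii.unhexlify(hexdata)


def repair_jpeg_header(data: bytes):
    """If the JFIF tag is present but the SOI/APP0 magic is wrong, write the
    standard 16-byte header back, exactly as the writeup does in the hex editor.
    Returns (bytes, patched_flag)."""
    if data[:2] == b"\xff\xd8":
        return data, False
    if b"JFIF" not in data[:32]:
        raise ValueError("no JFIF tag near the start; not a JPEG this can repair")
    return JFIF_HEADER + data[16:], True


def recover_image(query_names):
    """Full pipeline from query names to a repaired JPEG."""
    return repair_jpeg_header(decode_payload(extract_subdomains(query_names)))


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspicious_domains(query_names, min_queries: int = 20, min_entropy: float = 3.5) -> dict:
    """Flag registered domains that receive many queries whose leftmost label is
    high-entropy: {domain: (query_count, mean_label_entropy)}. Thresholds are
    illustrative assumptions, not values from the writeup."""
    per_domain = defaultdict(list)
    for name in query_names:
        labels = name.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        per_domain[".".join(labels[-2:])].append(labels[0])
    flagged = {}
    for dom, labs in per_domain.items():
        mean_ent = sum(shannon_entropy(l) for l in labs) / len(labs)
        if len(labs) >= min_queries and mean_ent >= min_entropy:
            flagged[dom] = (len(labs), round(mean_ent, 2))
    return flagged


def build_sample():
    """Constructed capture: a 400-byte stand-in for the exfiltrated JPEG whose
    first four bytes were clobbered before sending (JFIF tag intact), each exfil
    name repeated by its response, with benign lookups interleaved."""
    rng = random.Random(7)
    original = JFIF_HEADER + bytes(rng.getrandbits(8) for _ in range(384))
    corrupted = b"\x00\x00\x00\x00" + original[4:]
    benign = ["www.example.com", "mail.example.com", "time.example.net"]
    queries = []
    for i, name in enumerate(encode_for_dns(corrupted)):
        queries += [name, name, benign[i % len(benign)]]
    return original, queries


if __name__ == "__main__":
    original, queries = build_sample()
    print("flagged domains:", suspicious_domains(queries))
    repaired, patched = recover_image(queries)
    print("header patched:", patched, "| matches original:", repaired == original)
    with open("recovered.jpg", "wb") as fh:
        fh.write(repaired)
```

Against the real capture, feed `recover_image` the query names from `tshark -r wire.pcapng -T fields -e dns.qry.name` (or the lines of file.txt with the domain appended) and open recovered.jpg. The case-preserving extraction matters: lowercasing the names, which some tooling does by default, silently breaks the Base64 layers.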