Posts: 18
Threads: 9
Joined: Nov 2024
Mar 25, 2025, 11:17 PM
(This post was last modified: Mar 25, 2025, 11:19 PM by bracket.)
Got 4 flags in Forensics - ToolPie
What is the IP address responsible for compromising the website?
What is the name of the endpoint exploited by the attacker?
What is the name of the obfuscation tool used by the attacker?
What is the IP address and port used by the malware to contact C2?
Posts: 8
Threads: 1
Joined: Mar 2025
I'm interested in the last 2 flags, which are not here.
Posts: 18
Threads: 9
Joined: Nov 2024
Mar 25, 2025, 11:42 PM
(This post was last modified: Mar 25, 2025, 11:44 PM by bracket.)
Posts: 14
Threads: 0
Joined: Jul 2023
the key is near the response of 'whoami' and the IV....
Posts: 8
Threads: 1
Joined: Mar 2025
(Mar 26, 2025, 02:01 AM)nnrrkk Wrote: the key is near the response of 'whoami' and the IV.... 
Can you tell me how to decompile it? I know what obfuscator is used, but I'm stuck.
Posts: 14
Threads: 0
Joined: Jul 2023
(Mar 26, 2025, 07:07 AM)adyadam Wrote: (Mar 26, 2025, 02:01 AM)nnrrkk Wrote: the key is near the response of 'whoami' and the IV.... 
Can you tell me how to decompile it? I know what obfuscator is used, but I'm stuck.
import bz2
import marshal
import dis

# The blob pasted from the obfuscated script (elided here): a bz2 stream
# ('BZh9' header) wrapping a marshaled code object.
data = b'BZh91AY&SY=\xe9........'
decompressed_data = bz2.decompress(data)        # undo the bz2 layer
code_object = marshal.loads(decompressed_data)  # rebuild the code object; use the same Python version that produced it
dis.dis(code_object)                            # disassemble, nested functions included
print("Variables:", code_object.co_varnames)
print("Constants:", code_object.co_consts)      # string/bytes constants (key, IV, commands) live here
Posts: 8
Threads: 1
Joined: Mar 2025
(Mar 26, 2025, 07:20 AM)nnrrkk Wrote: (Mar 26, 2025, 07:07 AM)adyadam Wrote: (Mar 26, 2025, 02:01 AM)nnrrkk Wrote: the key is near the response of 'whoami' and the IV.... 
Can you tell me how to decompile it? I know what obfuscator is used, but I'm stuck.
import bz2
import marshal
import dis
data = b'BZh91AY&SY=\xe9........'
decompressed_data = bz2.decompress(data)
code_object = marshal.loads(decompressed_data)
dis.dis(code_object)
print("Variables:", code_object.co_varnames)
print("Constants:", code_object.co_consts)
I had something similar, but I get this kind of error:
Traceback (most recent call last):
File "/home/hackerman/execute.py", line 9, in <module>
dis.dis(code_object)
File "/usr/lib/python3.12/dis.py", line 113, in dis
_disassemble_recursive(x, file=file, depth=depth, show_caches=show_caches, adaptive=adaptive)
File "/usr/lib/python3.12/dis.py", line 554, in _disassemble_recursive
disassemble(co, file=file, show_caches=show_caches, adaptive=adaptive)
File "/usr/lib/python3.12/dis.py", line 547, in disassemble
_disassemble_bytes(_get_code_array(co, adaptive),
File "/usr/lib/python3.12/dis.py", line 585, in _disassemble_bytes
for instr in _get_instructions_bytes(code, varname_from_oparg, names,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/dis.py", line 487, in _get_instructions_bytes
argval, argrepr = _get_name_info(arg, get_name)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/dis.py", line 401, in _get_name_info
argval = get_name(name_index, **extrainfo)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
IndexError: t
Posts: 18
Threads: 3
Joined: Sep 2024
Same problem here, any clues? Maybe the python version?
Posts: 14
Threads: 0
Joined: Jul 2023
(Mar 26, 2025, 08:26 AM)sdksdk Wrote: Same problem here, any clues? Maybe the python version?
clean the "data" a bit?
like \\xd4 => \xd4 remove escape characters
Posts: 8
Threads: 1
Joined: Mar 2025
(Mar 26, 2025, 09:30 AM)nnrrkk Wrote: (Mar 26, 2025, 08:26 AM)sdksdk Wrote: Same problem here, any clues? Maybe the python version?
clean the "data" a bit?
like \\xd4 => \xd4 remove escape characters
It's cleaned
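A worked version of the pipeline discussed in this thread (the bz2 + marshal + dis snippet, and the advice to clean doubled escape characters out of the pasted blob), added here as an example; it is not code from any poster or from the challenge. It builds its own constructed stand-in payload (a small script with a 'whoami' call and made-up key/IV constants, compiled but never executed) so it runs offline; the real ToolPie blob, key and IV are not reproduced. The function names (literal_to_bytes, load_code, walk_code, extract_strings, constants_near, disassemble_if_possible) and the sample values are my own assumptions.

```python
import ast
import bz2
import dis
import io
import marshal
import types

# Constructed stand-in for the obfuscated payload: a tiny script whose inner
# function runs whoami and carries a key and IV as constants. Built here only
# so the extraction can run offline (compiled, never executed); it is not the
# challenge's real code and the key/IV values are made up.
SAMPLE_SOURCE = '''
import subprocess

def run(cmd):
    return subprocess.check_output(cmd, shell=True)

def beacon():
    who = run("whoami")
    key = b"0123456789abcdef"   # constructed, not the real key
    iv = b"fedcba9876543210"    # constructed, not the real IV
    return key, iv, who
'''

def build_sample_blob() -> bytes:
    """Compile, marshal and bz2-compress: the layering the posted snippet undoes."""
    return bz2.compress(marshal.dumps(compile(SAMPLE_SOURCE, "<payload>", "exec")))

def literal_to_bytes(text: str) -> bytes:
    """Recover raw bytes from the text of a pasted bytes literal.

    Handles the two usual paste accidents: an extra quoting layer (a repr of a
    repr, backslashes doubled) and a bare b'...' whose backslashes were doubled,
    so '\\xd4' arrives as the four characters backslash, x, d, 4. The bz2
    magic 'BZh' is the check that says the escapes are fully undone."""
    value = text.strip()
    for _ in range(3):                      # peel at most three quoting layers
        value = ast.literal_eval(value)
        if isinstance(value, bytes):
            break
        if not isinstance(value, str):
            raise TypeError(f"unexpected literal type {type(value).__name__}")
    else:
        raise ValueError("too many quoting layers")
    if not value.startswith(b"BZh"):        # doubled escapes inside the literal
        value = value.decode("unicode_escape").encode("latin-1")
    if not value.startswith(b"BZh"):
        raise ValueError("not a bz2 stream after unescaping")
    return value

def load_code(blob: bytes) -> types.CodeType:
    """Undo bz2 + marshal and insist on a code object. marshal output is tied to
    the interpreter that wrote it: load it under the same major.minor version."""
    obj = marshal.loads(bz2.decompress(blob))
    if not isinstance(obj, types.CodeType):
        raise TypeError(f"marshal gave {type(obj).__name__}, not a code object")
    return obj

def walk_code(code: types.CodeType):
    """Yield the code object and every nested one (functions, lambdas,
    comprehensions) found in co_consts, depth-first."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)

def extract_strings(code: types.CodeType) -> list:
    """(function name, value) for every str/bytes constant. Walks co_consts
    directly rather than via dis, so it still works when dis cannot decode
    the bytecode."""
    return [(co.co_name, c) for co in walk_code(code)
            for c in co.co_consts if isinstance(c, (str, bytes))]

def constants_near(code: types.CodeType, marker) -> list:
    """str/bytes constants in the same function as `marker` (e.g. "whoami"),
    which is where the hint in the thread says to look for the key and IV."""
    return [c for co in walk_code(code) if marker in co.co_consts
            for c in co.co_consts if isinstance(c, (str, bytes)) and c != marker]

def disassemble_if_possible(code: types.CodeType):
    """The dis listing, or None when dis raises. An IndexError from dis means
    the name/const tables do not line up with the bytecode, which is what a
    mangled paste or a version mismatch looks like."""
    buf = io.StringIO()
    try:
        dis.dis(code, file=buf)
    except (IndexError, ValueError):
        return None
    return buf.getvalue()

if __name__ == "__main__":
    blob = build_sample_blob()
    code = load_code(literal_to_bytes(repr(blob)))
    print("near whoami:", constants_near(code, "whoami"))
    print(disassemble_if_possible(code))
```

literal_to_bytes uses the bz2 header as the stop condition while peeling escapes, which is the quick check for whether the "data" is really clean. extract_strings and constants_near read co_consts of every nested code object directly, so they still return the strings when dis itself fails on the blob. Whatever caused the IndexError above, the version caveat stands: marshaled code objects are tied to the interpreter that produced them, so load the blob under the same Python major.minor as the original script.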