
GLASSHEADS, pt. 2 Challenge #2 - Insider

This challenge can be found when Sally sends a voice message to Wheeler.

The Setup

Help Sally investigate the exo. Download this network capture and analyze it.

Can you find the attack that was used against the exo and analyze the payload?

We are given an indigo.pcap file.

The Persistence

First thing to do when you're given a file: strings indigo.pcap | grep KEY. Ok no hit this time, but it was worth a shot.

Opening it up with Wireshark, we can see that the capture is over 3500 packets long; I don't want to read through all of that manually.

Using the search tool, I try to look for KEY in the packet bytes. No luck. How about flag? Yes! Frame 3639 contains the data:

.
..
dashboard.php
data
flag.txt
index.php

Ok so whatever this network exchange is, our flag is probably linked to this flag.txt we see here. Looking at the packet right before, frame 3638, we see:

ls -a

Ok so this was a command sent by one side of the connection, and the directory listing was the other side's reply: the capture contains an interactive shell session, with the operator typing commands and the exo returning their output in cleartext.

Going up a few packets, we see the first entity run the script /tmp/init_persistence.sh, and the second entity reply with [+] Persistence established.

Going up further, we see a long command that writes that shell script: its contents are shipped as a base64 string and piped through base64 -d on the exo, which is why searching the packet bytes for KEY earlier found nothing.

Decoding the base64 string, we get our flag.
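The same steps can be scripted so they are repeatable on the next capture. The following is an added example, not code from the original writeup or from the challenge: it parses a libpcap file with the standard library only, pulls the TCP payloads out, greps them for a keyword the way the Wireshark search did, and decodes any blob that was piped into base64 -d and written to a path. The pcap it runs against is constructed in memory with made-up addresses (10.0.0.1, 10.0.0.2), ports and a placeholder script; the flag value in it is a stand-in, not the challenge's flag.

```python
"""Extract TCP payloads from a pcap and decode base64 blobs that were piped into `base64 -d`."""
import base64
import re
import struct

# libpcap global header: magic, version major/minor, tz offset, sigfigs, snaplen, linktype
PCAP_GLOBAL = struct.Struct("<IHHiIII")
PCAP_RECORD = struct.Struct("<IIII")  # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def tcp_payloads(pcap: bytes):
    """Yield (src, dst, payload) for every TCP segment carrying data.

    Handles little-endian pcap with Ethernet + IPv4 only; other frames are skipped.
    """
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL.unpack_from(pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap variant")
    off = PCAP_GLOBAL.size
    while off + PCAP_RECORD.size <= len(pcap):
        _, _, incl_len, _ = PCAP_RECORD.unpack_from(pcap, off)
        off += PCAP_RECORD.size
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:  # protocol 6 = TCP
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4  # TCP data offset in 32-bit words
        data = tcp[doff:]
        if data:
            yield f"{src}:{sport}", f"{dst}:{dport}", data


def grep_payloads(pcap: bytes, needle: bytes):
    """Equivalent of the Wireshark 'packet bytes' search: segments containing needle."""
    return [(s, d, data) for s, d, data in tcp_payloads(pcap) if needle in data]


# Matches `echo <blob> | base64 -d > <path>`, the shape of the persistence command.
B64_DECODE_CMD = re.compile(
    rb"echo\s+['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\|\s*base64\s+(?:-d|--decode)\s*>\s*(\S+)"
)


def decoded_scripts(pcap: bytes):
    """Return {dest_path: decoded_bytes} for every base64 blob written to disk over the shell."""
    found = {}
    for _, _, data in tcp_payloads(pcap):
        for blob, path in B64_DECODE_CMD.findall(data):
            found[path.decode()] = base64.b64decode(blob)
    return found


# ---- constructed sample capture (not the challenge's indigo.pcap) ----
def _frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build Ethernet/IPv4/TCP frame with zeroed MACs and checksums (never validated here)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += PCAP_RECORD.pack(i, 0, len(f), len(f)) + f
    return out


SCRIPT = b"#!/bin/sh\n# FLAG{constructed_placeholder}\n"  # stand-in, not the real flag
OPERATOR, EXO = "10.0.0.1", "10.0.0.2"  # made-up addresses
SAMPLE_PCAP = build_pcap([
    _frame(OPERATOR, EXO, 4444, 51000,
           b"echo " + base64.b64encode(SCRIPT) + b" | base64 -d > /tmp/init_persistence.sh\n"),
    _frame(OPERATOR, EXO, 4444, 51000, b"sh /tmp/init_persistence.sh\n"),
    _frame(EXO, OPERATOR, 51000, 4444, b"[+] Persistence established\n"),
    _frame(OPERATOR, EXO, 4444, 51000, b"ls -a\n"),
    _frame(EXO, OPERATOR, 51000, 4444, b".\n..\ndashboard.php\ndata\nflag.txt\nindex.php\n"),
])

if __name__ == "__main__":
    for path, body in decoded_scripts(SAMPLE_PCAP).items():
        print(path, body.decode(errors="replace"))
```

Note what the grep shows on the sample: searching for `flag` hits only the directory listing, exactly as in the real capture, while the script body never matches because it crosses the wire base64-encoded. Searching raw bytes for a keyword is a cheap first pass, but any payload that is encoded, compressed or encrypted needs the stream reassembled and decoded before the search means anything.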