Thursday, December 2, 2021

Hack The Box Cyber Santa CTF - Forensics Day 1 - Baby APT Writeup

 



Challenge File:  forensics_baby_apt.zip

This is a quick one-flag challenge! The zip file contains a PCAP file called "christmaswishlist.pcap", so naturally, I opened it in Wireshark:


I right-clicked any line, followed the TCP Stream, and clicked through each Stream Index to see if I could find anything interesting. At stream 30, I saw a base64-encoded string:


Base64:  SFRCezBrX24wd18zdjNyeTBuM19oNHNfdDBfZHIwcF8wZmZfdGgzaXJfbDN0dDNyc180dF90aDNfcDBzdF8wZmYxYzNfNGc0MW59

I decoded it on the command line to get the flag:  

echo SFRCezBrX24wd18zdjNyeTBuM19oNHNfdDBfZHIwcF8wZmZfdGgzaXJfbDN0dDNyc180dF90aDNfcDBzdF8wZmYxYzNfNGc0MW59 | base64 -d

HTB{0k_n0w_3v3ry0n3_h4s_t0_dr0p_0ff_th3ir_l3tt3rs_4t_th3_p0st_0ff1c3_4g41n}

I also found this base64 using "strings christmaswishlist.pcap".  Nice and easy!  This was a nice break from reverse engineering binaries.
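The strings-then-decode shortcut above, generalized into a small triage script. This is an added example, not part of the original post. It scans raw capture bytes for base64 runs and keeps only those that decode to printable ASCII. The sample bytes, the 16-character minimum run length and the function names are assumptions made for illustration; only the base64 string itself comes from the post.

```python
import base64
import binascii
import re
import sys

# Runs of the base64 alphabet, 16+ chars, with optional padding (threshold is an assumption).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
FLAG = re.compile(r"HTB\{[^}]+\}")

# Base64 string quoted in the post, embedded in constructed (not captured) bytes,
# next to a decoy run that decodes to NUL bytes and must be rejected.
PAGE_B64 = (b"SFRCezBrX24wd18zdjNyeTBuM19oNHNfdDBfZHIwcF8wZmZfdGgzaXJf"
            b"bDN0dDNyc180dF90aDNfcDBzdF8wZmYxYzNfNGc0MW59")
SAMPLE = b"\x00\x17\x03" + b"A" * 20 + b"\r\n\x00" + PAGE_B64 + b"\x00\xff"

def decode_candidates(blob: bytes):
    """Yield (offset, text) for base64 runs that decode to printable ASCII."""
    for m in B64_RUN.finditer(blob):
        run = m.group()
        if len(run) % 4:            # misaligned run: not a complete base64 string
            continue
        try:
            raw = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            yield m.start(), raw.decode("ascii")

def find_flags(blob: bytes):
    """Return every HTB{...} token found in the decoded candidates."""
    flags = []
    for _, text in decode_candidates(blob):
        flags.extend(FLAG.findall(text))
    return flags

if __name__ == "__main__":
    # Pass a capture path (e.g. christmaswishlist.pcap) or fall back to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, text in decode_candidates(data):
        print(f"offset {offset}: {text}")
```

Because it works on raw bytes like `strings` does, it will miss data that is split across packets or compressed in transit; following the stream in Wireshark remains the fallback.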


