Palo Alto Labyrenth Threat 01 Writeup

Labyrenth 2017 Threat 01

For the first challenge of the threat track we are given a file called challenge.pcap.

Opening the pcap in Wireshark reveals a bunch of DNS requests.


Looking at the raw requests, one immediately notices a bunch of additional bytes appended after the DNS question.

[Image: unusual bytes in DNS request]
Given the small file size, I decided to open the pcap manually in Notepad++ and extract the additional bytes by hand.

This gives the following sequence:

With the given range of characters I guessed it to be a base64 encoded string, so I used some Python code to base64 decode the string and write the result to a file. To avoid decoding errors I just skipped the last byte.

import base64
b64_string = '...'  # the character sequence extracted from the DNS requests (not reproduced here)
out_file = open('b64.bin', 'wb')
out_file.write(base64.b64decode(b64_string[:-1]))  # skip the last byte to avoid padding errors
out_file.close()

Opening the output in HxD reveals the byte sequence "50 4B 03 04" (ASCII "PK\x03\x04"), the local file header magic of a zip file.

[Image: b64 decoded file with zip file header]

So I tried 7-Zip "Extract Here", which gave me some warnings but also extracted a file called file.dat.

Opening that file in Notepad++ revealed the first flag:
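The whole extraction chain above (pull the bytes that follow the DNS question in each query, concatenate them, base64-decode while tolerating a stray trailing byte, check the zip magic and read the archive) can be automated. The following is an added example written for this write-up, not code from the original post or from the challenge authors; it does not read the real challenge.pcap but builds its own constructed DNS queries with a constructed zip payload and a constructed flag string, and it only handles plain (uncompressed) query names, which is what a client query normally carries. The same trailer check is also a useful detection heuristic: a well-formed DNS query should have nothing after its last question.

```python
import base64
import io
import struct
import zipfile

# --- Minimal DNS helpers (constructed: standard query with one A question) ---

def build_query(name, txid, trailer=b""):
    """Build a DNS query message and append 'trailer' bytes after the question.
    'trailer' is the out-of-spec data smuggled behind the legitimate message."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, flags(RD), QD=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question + trailer

def dns_message_end(msg):
    """Offset at which a well-formed query ends (12-byte header + all questions).
    Only uncompressed QNAMEs are handled (assumption: client queries never compress)."""
    qdcount = struct.unpack(">H", msg[4:6])[0]
    pos = 12
    for _ in range(qdcount):
        while True:
            length = msg[pos]
            pos += 1
            if length == 0:
                break
            pos += length
        pos += 4  # QTYPE + QCLASS
    return pos

def trailing_bytes(msg):
    """Bytes following the last question; a legitimate query has none."""
    return msg[dns_message_end(msg):]

# --- Reassembly of the smuggled payload ---

def recover_payload(messages):
    """Concatenate all trailers and base64-decode; if a stray final byte breaks
    decoding, drop it exactly as the write-up does."""
    blob = b"".join(trailing_bytes(m) for m in messages)
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:
        return base64.b64decode(blob[:-1], validate=True)

def extract_zip_members(data):
    """Check the zip local-file-header magic, then return {name: content}."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a zip file")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

# --- Constructed sample traffic (not the real challenge data) ---

CONSTRUCTED_FLAG = "FLAG{constructed-example-not-the-real-flag}"

def make_sample_queries():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("file.dat", CONSTRUCTED_FLAG)
    b64 = base64.b64encode(buf.getvalue())
    chunks = [b64[i:i + 16] for i in range(0, len(b64), 16)]
    chunks[-1] += b"\n"  # stray trailing byte, like the one skipped in the write-up
    return [build_query("example.com", 0x1000 + i, chunk) for i, chunk in enumerate(chunks)]

def demo():
    """Run the full chain on the constructed queries and return file.dat's content."""
    members = extract_zip_members(recover_payload(make_sample_queries()))
    return members["file.dat"].decode()

if __name__ == "__main__":
    print(demo())
```

Running the script prints the constructed flag. To use it on a real capture you would feed `trailing_bytes` with the UDP payload of each DNS query packet in order; the reassembly and zip handling are unchanged.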

