Skip to main content
HashnodeREAPSEC

Command Palette

Search for a command to run...

Endpoint

(Easy Forensics Challenge)

Updated
Endpoint
M
MOHIT SINGH PAPOLA
Part of seriesHTB CHALLENGES

OVERVIEW

Let’s inspect the downloaded Capture.pcap file in wireshark

Let’s follow any one request into TCP stream as it looks like some data is present there

We can see a long list of strings like this:

  • So There are two ways to solve this challenge :

  • Manually

  • Scripting

Manual Approach

So First Save any request TCP Stream with Save as button

Now I used Both Notepad And VS Code to remove the unnecessary part using Find & Replace functionality

So Open Notepad and press Ctrl + H to open Replace functionality

Now Select the unnecessary element and replace them all with space like shown below:

So after replacing everything unnecessary and just leaving the strings you will get the final results like this:

Now Copy all of them and go to this website https://www.browserling.com/tools/remove-all-whitespace

And Paste All Your Content In This And Click On Remove Spaces Button

Now, Press copy to clipboard to copy the output and Head to CyberChef

Either Press that magic wand or just add base64 decode recipe

Now Scroll the Output Till You Get this

Copy The Last String from that link which is

SFRCe2NodW5rNV80bmRfdWRmX2Ywcl9icjM0a2Y0NTd9

Now Again Paste It Into CyberChef And Base64 decode it and you will get the flag

SCRIPTING / AUTOMATION

So In scripting you have to automate all this manual work in a single script with python So Below is the script that will do all this work and give you the flag

NOTE : Be Sure To Put The Script And Capture.pcap File In Same Directory

 #!/usr/bin/env python3
# pcap_to_flag.py
import struct, socket, re, base64

PCAP = 'capture.pcap'
OUT_COLLECTED = 'collected_vals.txt'

with open(PCAP, 'rb') as f:
    data = f.read()

# parse pcap global header (little-endian magic 0xa1b2c3d4)
off = 0
if len(data) < 24:
    raise SystemExit("pcap too small")
magic,ver_major,ver_minor,thiszone,sigfigs,snaplen,network = struct.unpack('<IHHIIII', data[off:off+24])
off += 24

streams = {}
pkt_count = 0
while off + 16 <= len(data):
    ts_sec,ts_usec,incl_len,orig_len = struct.unpack('<IIII', data[off:off+16])
    off += 16
    pkt = data[off: off+incl_len]
    off += incl_len
    pkt_count += 1
    if len(pkt) < 14: continue
    eth_type = struct.unpack('!H', pkt[12:14])[0]
    if eth_type != 0x0800: continue
    ip = pkt[14:]
    if len(ip) < 20: continue
    ihl = ip[0] & 0x0F
    ip_header_len = ihl*4
    proto = ip[9]
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    if proto != 6: continue
    tcp = ip[ip_header_len:]
    if len(tcp) < 20: continue
    srcp = struct.unpack('!H', tcp[0:2])[0]
    dstp = struct.unpack('!H', tcp[2:4])[0]
    # skip the TCP header (data offset)
    data_offset = (tcp[12] >> 4) * 4
    payload = tcp[data_offset:]
    if not payload: continue
    # only capture flows where either src or dst port is 3306
    if srcp == 3306 or dstp == 3306:
        key = (src, srcp, dst, dstp)
        streams.setdefault(key, bytearray()).extend(payload)

# Normalize bidirectional flows by pairing tuples
norm = {}
for (s,sp,d,dp),payload in streams.items():
    # canonicalize order
    k = tuple(sorted([(s,sp),(d,dp)]))
    norm.setdefault(k, bytearray()).extend(payload)

# concatenate all normalized streams (or pick the biggest one)
all_payload = b''
for k,p in norm.items():
    all_payload += bytes(p)

text = all_payload.decode('latin1', errors='ignore')

# extract base64 fragments inside VALUES('...') in order
parts = re.findall(r"VALUES\s*\(\s*'([A-Za-z0-9+/=_\-]{8,})'\s*\)", text, flags=re.IGNORECASE)
with open(OUT_COLLECTED,'w') as f:
    for p in parts:
        f.write(p + '\n')

print("Collected", len(parts), "fragments ->", OUT_COLLECTED)

# decode fragments
decoded = []
for p in parts:
    clean = re.sub(r'[^A-Za-z0-9+/=_\-]', '', p).replace('-', '+').replace('_','/')
    clean += '=' * ((4 - len(clean)%4) % 4)
    try:
        decoded.append(base64.b64decode(clean))
    except:
        decoded.append(b'')

big = b''.join(decoded)
txt = big.decode('latin1', errors='ignore')

# find and display curl and token
m = re.search(r'packages/callback/([A-Za-z0-9\-_+=/]{8,300})', txt)
if m:
    tok = m.group(1)
    print("Found token:", tok)
    t = tok.replace('-', '+').replace('_','/')
    t += '=' * ((4 - len(t)%4)%4)
    try:
        print("Decoded token:", base64.b64decode(t).decode('utf-8', errors='ignore'))
    except Exception as e:
        print("Failed to decode token:", e)

# fallback: look for HTB{...}
m2 = re.search(r'HTB\{.*?\}', txt, re.DOTALL)
if m2:
    print("Found HTB flag:", m2.group(0))

which will give you the flag

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

#endpoint-htb-writeup#htb-writeup#htb-machines#hack-the-box#reapsec#walkthrough#challenge#ctf#ctf-writeup#forensics

Comments

Join the discussion

No comments yet. Be the first to comment.

HTB CHALLENGES

Part 5 of 13

In this series i will provide you HTB Retired challenges Full Walkthrough of various categories. Hope You Will Like It !!

Up next

SpookTastic

(Very Easy Web Challenge)

More from this blog

R

REAPSEC

27 posts

YOU REAP WHAT YOU SOW!!