An Evil Christmas Carol 1 and 2
Link to file:
File: https://tinyurl.com/y259doyq
Password: hacktober
An Evil Christmas Carol 1:
Briefing:
A malicious dll was downloaded over http in this traffic, what was the ip address that delivered this file?
Like the others, you can just filter for http traffic and get the flag:

flag{205.185.125.104}
An Evil Christmas Carol 2:
Briefing:
What is the domain used by the post-infection traffic over HTTPS?
Use the file from An Evil Christmas Carol.
We're looking for a domain, so there must be a DNS query for it. Filtering for DNS traffic and specifying the IP 10.0.0.163 (the infected client from part 1, which must have made the query), we can get the flag:

flag{vlcafxbdjtlvlcduwhga.com}
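
The same filter logic as a script, added here as an example and not part of the original write-up: it parses DNS payloads and counts the names queried by the infected client, ignoring responses and other hosts. The (src_ip, udp_payload) input shape, the function names and the sample traffic are assumptions constructed for illustration.

```python
import struct
from collections import Counter

INFECTED = "10.0.0.163"  # infected client identified in part 1 of the write-up

def build_dns(name, flags=0x0100):
    """Build a minimal DNS message; used only to construct sample data."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack(">6H", 0x1A2B, flags, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack(">2H", 1, 1)

def query_name(msg):
    """Return the question name of a DNS query, or None for responses and malformed data."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack(">2H", msg[2:6])
    if flags & 0x8000 or qdcount == 0:  # QR bit set means this is a response
        return None
    labels, pos = [], 12
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            return ".".join(labels).lower()
        if length & 0xC0 or pos + 1 + length > len(msg):  # pointer or truncated label
            return None
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None  # ran off the end without a terminating zero byte

def domains_queried_by(client_ip, packets):
    """Count the names one client asked for; packets are (src_ip, udp_payload) pairs."""
    seen = Counter()
    for src_ip, payload in packets:
        name = query_name(payload) if src_ip == client_ip else None
        if name:
            seen[name] += 1
    return seen

# Constructed sample traffic (not taken from the challenge capture).
SAMPLE = [
    (INFECTED, build_dns("Beacon.example.com")),
    (INFECTED, build_dns("beacon.example.com")),
    ("10.0.0.1", build_dns("beacon.example.com", flags=0x8180)),  # resolver's response
    ("10.0.0.50", build_dns("other.example.org")),                # different client
    (INFECTED, build_dns("cut.example.net")[:20]),                # truncated payload
]

if __name__ == "__main__":
    for name, count in domains_queried_by(INFECTED, SAMPLE).most_common():
        print(count, name)
```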
By das