Writeups
  • crypt0nite
  • CTFs
    • darkctf
      • Web
        • Simple SQL
      • Rev
        • helloworld
      • pwn
        • roprop
        • newPAX
      • OSINT
        • Find Cell
        • Dark Social Web
      • Linux
        • Linux Starter
        • Find Me
      • forensics
        • Wolfie's Contact
        • Free Games
        • AW
      • crypto
        • haXXor
        • Pipe Rhyme
    • csictf
      • Crypto
        • Mein Kampf
        • Rivest-Shamir-Adleman
      • Linux
        • AKA
      • Miscellaneous
        • No DIStractions
      • OSINT
        • Pirates of the Memorial
        • Commitment
        • Flying Places
        • Shaken
      • Pwn
        • Pwn Intended 0x1
        • Pwn Intended 0x2
        • Pwn Intended 0x3
        • Global Warming
        • Smash
        • Secret Society
      • Reversing
        • Blaise
        • RicknMorty
      • Web
        • Oreo
        • Mr. Rami
        • The Confused Deputy
    • NahamCon
      • Crypto
        • Unvreakable Vase
        • Ooo-La-La
        • HomeCooked
        • DocXor
      • Forensics
        • Volatile
        • Microsooft
        • Cow Pie
      • Miscellaneous
        • Fake File
        • Alkatraz
      • Mobile
        • CAndroid
        • Simple App
      • OSINT
        • New Year's Solutions
        • Tron
      • Pwn
        • Dangerous
      • Scripting
        • Rotten
        • Really Powerful Gnomes
      • Steganography
        • KSteg
      • Web
        • PHPhone Book
        • Official Business
        • Localghost
        • Agent 95
    • BSides Delhi
      • Thanks for Attending
      • Cookie Robot
    • hacktoberctf
      • Traffic Analysis
        • Evil Corp's Child 1, 2 and 3
        • Remotely Administered Evil 1 and 2
        • An Evil Christmas Carol 1 and 2
      • Forensics
        • Captured Memories
        • Amcaching In
      • Linux
        • Talking To The Dead
Powered by GitBook
On this page
  • An Evil Christmas Carol 1:
  • An Evil Christmas Carol 2:

Was this helpful?

Export as PDF
  1. CTFs
  2. hacktoberctf
  3. Traffic Analysis

An Evil Christmas Carol 1 and 2

PreviousRemotely Administered Evil 1 and 2NextForensics

Last updated 4 years ago

Was this helpful?

Link to file: 

File: https://tinyurl.com/y259doyq
Password: hacktober

An Evil Christmas Carol 1:

Briefing: 

A malicious dll was downloaded over http in this traffic, what was the ip address that delivered this file?

Like the others, you can just filter for http traffic and get the flag:

flag{205.185.125.104}

An Evil Christmas Carol 2:

Briefing: 

What is the domain used by the post-infection traffic over HTTPS?
Use the file from An Evil Christmas Carol.

We're looking for a domain, so it must be a dns query. Therefore filtering for DNS traffic and specifying the ip (10.0.0.163 as this is the infected client from part 1, and the infected client must've made the query) we can get the flag-

flag{vlcafxbdjtlvlcduwhga.com}

By das