# Evil Corp's Child 1, 2 and 3

### Evil Corp's Child 1:

#### Briefing:

```
What is the MD5 hash of the Windows executable file?

NOTE: If you extract any files within this challenge, please delete the file after you have completed the
```

#### Link to pcap file:

```
link: https://tinyurl.com/y3oltdh5
password: hacktober
```

Right, so they started off easy. Opening up the pcap, I used the `http` display filter to show only packets of that protocol:

![](https://815184494-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MInDVexIZ47VkOdGSlp%2F-MKHdDz3hy5_LLsZPDaK%2F-MKHfCNbgORuhWfb-qiD%2FScreenshot%202020-10-23%20at%2000.37.37.png?alt=media\&token=78dfbb5e-376b-474c-b51d-adb32bf5d9c2)

Opening up the details for the first packet, we can see the `full request URL` is <http://www.sinotes.com/wp-content/themes/avada/picture4.png>. I then ran `wget http://www.sinotes.com/wp-content/themes/avada/picture4.png` to download the file. As the brief suggests, this is not a PNG but rather a Windows executable. Therefore, renaming it to `ecorp.exe` and running the command `md5sum ecorp.exe` gives us the flag of `flag{a95d24937acb3420ee94493db298b295}`.

### Evil Corp's Child 2:

#### Briefing:

```
The malware uses four different ip addresses and ports for communication, what IP uses the same port as https?  Submit the flag as: flag{ip address}.

Use the file from Evil Corp's Child.
```

Here, we need to use some display filters to refine our search. Firstly, we know it uses the same port as HTTPS, which is port 443. Secondly, we're talking about the malware and know that the infected client's IP is `192.168.1.91` from challenge 1. Putting this into a display filter looks like this:

![](https://815184494-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MInDVexIZ47VkOdGSlp%2F-MKHdDz3hy5_LLsZPDaK%2F-MKHi2Iwd3fhd8Qv6y6C%2FScreenshot%202020-10-23%20at%2000.50.00.png?alt=media\&token=91a362e0-ec3a-4c3a-9554-a3e75b6cb6d1)

Although there are quite a few packets, there are only so many different IPs, so trying about 5 got me the correct answer, which was `flag{213.136.94.177}`.

### Evil Corp's Child 3:

#### Briefing:

```
What is the localityName in the Certificate Issuer data for HTTPS traffic to 37.205.9.252?

Use the file from Evil Corp's Child.
```

This was an interesting one. After some googling, I found out that certificates are sent during the TLS handshake (TLS is what encrypts HTTP traffic to make it HTTPS), in the handshake message of type 11, `Certificate`. The display filter I needed to show these packets was `tls.handshake.type == 11`.

![](https://815184494-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MInDVexIZ47VkOdGSlp%2F-MKHdDz3hy5_LLsZPDaK%2F-MKHjBplO8FTsHkkhlVc%2FScreenshot%202020-10-23%20at%2000.55.02.png?alt=media\&token=1f0a2d13-9315-416f-a8fe-05ac69cfae62)

As said in the brief, we need the packet from the source IP `37.205.9.252`, since the server is the side that sends its certificate. Therefore expanding this packet's details, then `TLSv1.2 Record Layer: Handshake Protocol: Certificate`, then `Handshake Protocol: Certificate`, then `Certificates`, then `subject: rdnSequence (0)` finally gives us the LocalityName.

![In the bottom right is the LocalityName](https://815184494-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MInDVexIZ47VkOdGSlp%2F-MKHdDz3hy5_LLsZPDaK%2F-MKHkKrhck0hH-S43DEP%2FScreenshot%202020-10-23%20at%2001.00.01.png?alt=media\&token=8d2ba217-afc7-4c93-8bcd-8c3ebc6bd74f)

`flag{Mogadishu}`
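The same lookup done programmatically, as an added example that is not part of the original writeup: a stdlib-only Python script that walks the DER structure of an X.509 certificate and reads localityName (OID 2.5.4.7) from both the issuer and the subject Name, which is worth checking separately because the brief asks for the issuer's and the two only coincide on a self-signed certificate. The certificate bytes below are a constructed sample with placeholder values, not the one from the pcap.

```python
def der_read(buf, pos=0):
    """Read one DER TLV at pos; returns (tag, value, next_pos) and handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for every TLV inside a constructed value (SEQUENCE/SET content)."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

OID_LOCALITY = bytes.fromhex("550407")                  # id-at-localityName 2.5.4.7
def name_attribute(name, oid):
    """First value of attribute `oid` in a Name (RDNSequence content), or None if absent."""
    for _, rdn in der_children(name):                   # RelativeDistinguishedName = SET OF
        for _, atv in der_children(rdn):                # AttributeTypeAndValue = SEQUENCE { OID, value }
            (_, atv_oid), (_, atv_val) = list(der_children(atv))
            if atv_oid == oid:
                return atv_val.decode("utf-8")          # fine for PrintableString / UTF8String
    return None

def cert_localities(cert_der):
    """Return (issuer localityName, subject localityName) for a DER-encoded certificate."""
    _, cert, _ = der_read(cert_der)                     # Certificate ::= SEQUENCE
    _, tbs = next(der_children(cert))                   # first element: tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    return name_attribute(fields[2][1], OID_LOCALITY), name_attribute(fields[4][1], OID_LOCALITY)
# Constructed sample certificate: correct structure, placeholder values, no real key or signature.
def der(tag, content):                                  # tiny DER encoder, lengths < 256
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + content
def rdn(oid_hex, text):
    return der(0x31, der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x0C, text.encode())))
ISSUER = der(0x30, rdn("550406", "SO") + rdn("550407", "Mogadishu") + rdn("550403", "issuer.example"))
SUBJECT = der(0x30, rdn("550406", "SO") + rdn("550407", "Elsewhere") + rdn("550403", "host.example"))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                  + der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
                  + ISSUER + der(0x30, b"") + SUBJECT) + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    import sys                                          # optional: path to a DER file exported from Wireshark
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CERT
    print("issuer L=%s  subject L=%s" % cert_localities(data))
```

To run it on the real certificate, select the certificate field in Wireshark, save it with File > Export Packet Bytes, and pass that DER file as the first argument.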

By das :)
