Day 1: Baby APT

Challenge description
This is the most wonderful time of the year, but not for Santa's incident response team.
Since Santa went digital, everyone can write a letter to him using his brand new website.
Apparently an APT group hacked their way into Santa's server and destroyed his present list.
Could you investigate what happened?

We are presented with a pcap file to download called christmaswishlist.pcap.


There are a lot of TCP and HTTP packets. We can simply follow the TCP streams. Most of them show an exploitation attempt and the evidence it left behind.

[Image: Id command]

We can see that the attacker managed to perform some form of command injection into the Drupal application.

Scrolling through the various streams, only the last one stands out.

[Image: Weird commands]

Hmm. Some fun commands from the attacker!

Let's base64-decode it to find out what was sent.

echo SFRCezBrX24wd18zdjNyeTBuM19oNHNfdDBfZHIwcF8wZmZfdGgzaXJfbDN0dDNyc180dF90aDNfcDBzdF8wZmYxYzNfNGc0MW59 | base64 -d
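Clicking through every TCP stream by hand works for a small capture, but the two things we did above (spot request bodies that carry shell commands, then decode the base64 blob the attacker echoed) can be scripted. The following is an added example, not part of the original writeup or the challenge files: it runs the same triage over a handful of constructed stream texts that stand in for the reassembled HTTP requests, flags bodies containing shell-like tokens or a `base64 -d` pipeline, and decodes any base64 token that yields printable ASCII, while discarding base64-looking noise such as session cookies. The stream contents, host name and the encoded string `cHJlc2VudCBsaXN0` are all made up for the example.

```python
import base64
import re
import string

# Constructed sample streams: stand-ins for the reassembled TCP streams one
# would read out of christmaswishlist.pcap. Nothing here is from the real capture.
SAMPLE_STREAMS = {
    0: "GET /letter HTTP/1.1\r\nHost: santa.example\r\n\r\n",
    1: "POST /letter HTTP/1.1\r\nHost: santa.example\r\n\r\nname=Timmy&wish=a+sled",
    2: "POST /letter HTTP/1.1\r\nHost: santa.example\r\n\r\nname=x&wish=id",
    3: "POST /letter HTTP/1.1\r\nHost: santa.example\r\n\r\n"
       "name=x&wish=echo cHJlc2VudCBsaXN0 | base64 -d",
    # A base64-looking cookie that is NOT a command: must not produce a finding.
    4: "GET /letter HTTP/1.1\r\nCookie: SESS=abcdefghijklmnopqrstuvwx\r\n\r\n",
}

# Short, illustrative list of commands an attacker typically runs first.
SHELL_WORDS = {"id", "whoami", "uname", "cat", "ls", "sh", "bash"}
# Base64 alphabet run of at least 16 characters with optional padding.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable)


def request_body(stream):
    """Return the HTTP body (text after the blank line), or '' if there is none."""
    _head, sep, body = stream.partition("\r\n\r\n")
    return body if sep else ""


def shell_indicators(body):
    """Shell-like tokens found in the values of a form-encoded body."""
    hits = set()
    for field in body.split("&"):
        _, _, value = field.partition("=")
        value = value.replace("+", " ")  # form encoding uses '+' for spaces
        words = re.split(r"[\s;|`$()]+", value)
        hits.update(w for w in words if w in SHELL_WORDS)
        if "base64 -d" in value:
            hits.add("base64 -d")
    return sorted(hits)


def decode_base64_tokens(text):
    """(token, decoded) for each token that is valid base64 and decodes to printable ASCII."""
    out = []
    for tok in BASE64_RE.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding/alphabet
            continue
        decoded = raw.decode("ascii", errors="replace")
        if all(c in PRINTABLE for c in decoded):
            out.append((tok, decoded))
    return out


def triage(streams):
    """Map stream index -> findings for streams that carry commands or decodable base64."""
    findings = {}
    for idx, stream in streams.items():
        indicators = shell_indicators(request_body(stream))
        decoded = decode_base64_tokens(stream)  # whole stream, so cookies are tested too
        if indicators or decoded:
            findings[idx] = {"indicators": indicators, "decoded": decoded}
    return findings


if __name__ == "__main__":
    for idx, f in triage(SAMPLE_STREAMS).items():
        print(f"stream {idx}: indicators={f['indicators']} decoded={f['decoded']}")
```

Only streams 2 and 3 are reported: the plain `id`, and the echo-plus-decode pipeline together with its decoded payload. Stream 4's cookie is a valid base64 string but decodes to non-printable bytes, so the printable-ASCII filter drops it, which is the check that keeps this from flagging every long token in a capture. On a real pcap you would feed the function the stream texts exported from Wireshark (or from tshark's follow-stream output) instead of the constructed dictionary.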