warmup

In this short scenario, intended as a warm‑up for the next major task, the victim reported that all of his credentials had been stolen. We’re given only a pcapng file to work with.

Reviewing the traffic, we see multiple HTTP login attempts across various websites and a series of strange Base64‑encoded strings sent to a specific port. The goal here was for players to think about how the credentials were stolen. It wasn’t tied to a single website or a single password. Another clue: the suspicious packets weren’t part of one continuous stream, they were spread out over time.

The intended realization was that this was the output of a keylogger.

So, what next? If an attacker wants to exfiltrate data, they’ll try to avoid detection. And if they are detected, they won’t want the victim to easily understand what was stolen. In this case, the attacker used a keyed encryption method.

We know the key is plaintext (since it’s the flag), the messages were plaintext, and the encrypted payload was unreadable. Since this is a warm‑up challenge, nothing too complex was used. The encryption was simply XOR. By Base64‑decoding the payload and XORing it with the plaintext, you can recover the key.

import base64

b64_data = "REIKBzA+FRgALCMHFxYWJ1MMEDcuCRUcMA=="
decoded_bytes = base64.b64decode(b64_data)

payload = b"\nsiboupasswordsibouhelloo"

def xor_bytes(data, key):
    return bytes([b ^ key[i % len(key)] for i, b in enumerate(data)])

result = xor_bytes(decoded_bytes, payload)
print(result.decode('utf-8'))

Result: N1ce_Keys_There