Fake Boost
Personal Rating: Easy
Last updated
We have a pcapng file, which can be opened and inspected with Wireshark.
Following the only HTTP stream did not yield anything interesting.
There are many conversations; the ones shown here are those with the most packets.
This did not yield much.
Since HTTP is unencrypted and data is likely to be found there, I searched for it, which showed this:
I deobfuscated the script like this:
change variable names
deobfuscate string concatenations
reverse and base64 decode the large script block
The script block loads something from the following URL and then performs some AES encryption:
$URL = "http://192.168.116.135:8080/rj1893rj1joijdkajwda"
Searching for that in Wireshark yields this:
Base64 decoding this does not work, so it is likely either the AES key or the encrypted string. Let's find out.
Using an online decoder I could decrypt the code (the key is used as a plain string; the cipher and the result are base64):
KEY: cWphrNTk9wgWZ93t19jayqnlaDuIeFKi
CIPHER: bEG+rGcRyYKeqlzXb0QVVRvFp5E9vmlSSG3pvDTAGoba05Uxvepwv++0uWe1Mn4LiIInZiNC/ES1tS7Smzmbc99Vcd9h51KgA5Rs1t8T55Er5ic4FloBzQ7tpinw99kC380WRaWcq1Cc8iQ6lZBP/yqJuLsfLTpSY3yIeSwq8Z9tusv5uWvd9E9V0Hh2Bwk5LDMYnywZw64hsH8yuE/u/lMvP4gb+OsHHBPcWXqdb4DliwhWwblDhJB4022UC2eEMI0fcHe1xBzBSNyY8xqpoyaAaRHiTxTZaLkrfhDUgm+c0zOEN8byhOifZhCJqS7tfoTHUL4Vh+1AeBTTUTprtdbmq3YUhX6ADTrEBi5gXQbSI5r1wz3r37A71Z4pHHnAoJTO0urqIChpBihFWfYsdoMmO77vZmdNPDo1Ug2jynZzQ/NkrcoNArBNIfboiBnbmCvFc1xwHFGL4JPdje8s3cM2KP2EDL3799VqJw3lWoFX0oBgkFi+DRKfom20XdECpIzW9idJ0eurxLxeGS4JI3n3jl4fIVDzwvdYr+h6uiBUReApqRe1BasR8enV4aNo+IvsdnhzRih+rpqdtCTWTjlzUXE0YSTknxiRiBfYttRulO6zx4SvJNpZ1qOkS1UW20/2xUO3yy76Wh9JPDCV7OMvIhEHDFh/F/jvR2yt9RTFId+zRt12Bfyjbi8ret7QN07dlpIcppKKI8yNzqB4FA==
RESULT:
Decoding that yields this:
Base64 decoding the Email value yields this: b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5}
This flag is wrong: HTB{b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5}
The first part is in the script: there is a variable called part1. Base64 decoding it and prepending it to the rest of the flag yields the final flag:
$part1 = "SFRCe2ZyMzNfTjE3cjBHM25fM3hwMDUzZCFf"
HTB{fr33_N17r0G3n_3xp053d!_b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5}
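The steps above (unpack the reversed base64 script block, pull out the URL and part1, decrypt the second stage with the key used as a literal string, decode the Email value and join the two halves) can be reproduced offline in a few lines of Python, so neither the key nor the ciphertext has to go to an online decoder. The script below is an added example, not code from the original writeup or from the challenge. It reuses the key and the part1 value shown on this page, but the obfuscated script block and the second-stage ciphertext it works on are constructed inside the script; the AES mode (CBC, PKCS7 padding, IV prepended to the ciphertext) is an assumption, since the writeup only says "some AES encryption", and the AES part needs the third-party `cryptography` package while the unpacking and flag assembly use only the standard library.

```python
import base64
import re
from typing import Dict, Optional

try:  # AES is not in the standard library; the unpacking steps below work without it
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTO = True
except ImportError:
    HAVE_CRYPTO = False

# Values taken from the writeup: the key the stager uses and the base64 first half of the flag.
KEY = "cWphrNTk9wgWZ93t19jayqnlaDuIeFKi"
PART1_B64 = "SFRCe2ZyMzNfTjE3cjBHM25fM3hwMDUzZCFf"

# Constructed sample: the second half of the flag as it appeared after decoding the Email value.
EMAIL_PLAIN = "b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5}"


def unpack_reversed_b64(blob: str) -> str:
    """Undo the stager's two layers: the script block was base64 encoded, then reversed."""
    raw = base64.b64decode(blob[::-1])
    # Heuristic (assumption): PowerShell encoded commands are often UTF-16LE, which shows up
    # as a NUL in every second byte of ASCII text; otherwise treat the bytes as UTF-8.
    if len(raw) >= 2 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def pack_reversed_b64(script: str) -> str:
    """Inverse of unpack_reversed_b64, used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-8")).decode()[::-1]


def extract_string_vars(script: str) -> Dict[str, str]:
    """Collect $Name = "value" assignments so URL, key and flag fragments can be read by name."""
    return {m.group(1): m.group(2) for m in re.finditer(r'\$(\w+)\s*=\s*"([^"]*)"', script)}


def assemble_flag(part1_b64: str, email_b64: str) -> str:
    """Final step of the writeup: decode part1, decode the Email value, concatenate."""
    return base64.b64decode(part1_b64).decode() + base64.b64decode(email_b64).decode()


def aes_cbc_decrypt(key_str: str, cipher_b64: str, iv: Optional[bytes] = None) -> bytes:
    """Decrypt base64 ciphertext with the key used as a literal 32-byte string (AES-256).
    Assumption: CBC with PKCS7 padding and, when no IV is given, the IV prepended to the
    ciphertext. Check the real stager for the mode and IV it actually uses."""
    key = key_str.encode()
    data = base64.b64decode(cipher_b64)
    if iv is None:
        iv, data = data[:16], data[16:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(data) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def aes_cbc_encrypt(key_str: str, plaintext: bytes, iv: bytes) -> str:
    """Encrypt-side counterpart, only here to construct a sample ciphertext for the example."""
    pad = padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(key_str.encode()), modes.CBC(iv)).encryptor()
    ct = enc.update(pad.update(plaintext) + pad.finalize()) + enc.finalize()
    return base64.b64encode(iv + ct).decode()


def demo() -> str:
    """Walk the writeup's steps over constructed data (not the real capture) and return the flag."""
    # Stage 1: the obfuscated script block carrying the URL and part1 (base64, then reversed).
    stage1_plain = (
        '$URL = "http://192.168.116.135:8080/rj1893rj1joijdkajwda"\n'
        f'$part1 = "{PART1_B64}"\n'
    )
    stage1 = unpack_reversed_b64(pack_reversed_b64(stage1_plain))
    vars1 = extract_string_vars(stage1)

    # Stage 2: what the URL served, a script whose Email value holds the second half of the flag.
    stage2_plain = '$Email = "%s"\n' % base64.b64encode(EMAIL_PLAIN.encode()).decode()
    if HAVE_CRYPTO:
        iv = bytes(range(16))  # constructed IV; a real stager may embed or derive its own
        cipher_b64 = aes_cbc_encrypt(KEY, stage2_plain.encode(), iv)
        stage2 = aes_cbc_decrypt(KEY, cipher_b64).decode()
    else:
        stage2 = stage2_plain
    vars2 = extract_string_vars(stage2)

    return assemble_flag(vars1["part1"], vars2["Email"])


if __name__ == "__main__":
    print(demo())
```

To use it on the real capture, feed the reversed base64 block from the HTTP response to `unpack_reversed_b64`, and the base64 body fetched from the `$URL` request to `aes_cbc_decrypt` with the key from the script; if the stager uses a different mode or a separate IV variable, adjust `aes_cbc_decrypt` accordingly rather than trusting the assumed layout.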