Cyber Apocalypse 2022 — Automation
This challenge was from the forensics category of Cyber Apocalypse 2022. For the challenge we had to download a PCAP file and analyze it.
Analyzing the PCAP
After opening the PCAP in Wireshark, I inspected the files that were transferred. One of the files had the content type image/png:
I exported it and analyzed it: it wasn't an image file but a text file containing base64-encoded data:
Decoding it showed it was a PowerShell script:
Analyzing the PowerShell Script
One of the strings was base64-encoded and contained the first part of the flag:
Furthermore, the script contains a routine to send data over DNS A queries:
So I analyzed the PCAP to find those queries:
Getting the rest of the flag
The subdomain of each query could be converted into base64 with the following CyberChef recipe:
After that, I decrypted the base64 string by using the following script and pasting the string into the $encryptedString variable:
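The DNS exfiltration routine, the search for its queries in the PCAP, and the conversion of the subdomains into base64 are the steps an analyst usually scripts rather than clicks through. The following is an added example written for this writeup, not the challenge's PowerShell script nor the CyberChef recipe: it parses the question section of raw DNS messages, keeps the A queries under a chosen parent domain, concatenates their subdomain labels in capture order and base64-decodes the result. The parent domain `exfil.example.invalid`, the label-splitting scheme and the sample capture are all constructed assumptions, and the decoded bytes stand in for the encrypted string that the writeup goes on to decrypt with its own script.

```python
"""Reassemble data carried in the subdomain labels of DNS A queries (added example)."""
import base64
import struct

# Assumption (constructed): the beacon appends its payload as subdomain labels of this parent domain.
PARENT_DOMAIN = "exfil.example.invalid"
LABEL_MAX = 63  # RFC 1035 limit on a single label


def build_a_query(qname: str, txid: int) -> bytes:
    """Build a minimal DNS A query (header + one question); used only to construct sample input."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    return header + name + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question(msg: bytes):
    """Return (txid, is_response, qname, qtype) for a DNS message carrying one question."""
    txid, flags, qdcount = struct.unpack(">HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, offset = [], 12  # question section starts right after the 12-byte header
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    qtype = struct.unpack(">H", msg[offset:offset + 2])[0]
    return txid, bool(flags & 0x8000), ".".join(labels), qtype


def payload_labels(qname: str, parent: str = PARENT_DOMAIN):
    """Labels to the left of the parent domain, or None if the name is unrelated."""
    suffix = "." + parent
    if not qname.lower().endswith(suffix.lower()):
        return None
    return qname[: -len(suffix)].split(".")


def reassemble(messages, parent: str = PARENT_DOMAIN) -> bytes:
    """Join the payload labels of every A query for `parent` in capture order, then base64-decode."""
    chunks = []
    for msg in messages:
        _, is_response, qname, qtype = parse_question(msg)
        if is_response or qtype != 1:
            continue
        labels = payload_labels(qname, parent)
        if labels:
            chunks.append("".join(labels))
    text = "".join(chunks)
    text += "=" * (-len(text) % 4)  # restore padding the sender dropped to keep labels clean
    return base64.b64decode(text)


def looks_like_exfil(qname: str, max_payload_len: int = 30) -> bool:
    """Cheap hunting heuristic: an unusually long subdomain portion under any parent domain."""
    labels = qname.split(".")
    return len("".join(labels[:-2])) > max_payload_len  # ignore the registrable domain


# Constructed sample capture: one unrelated query, then the payload split into 63-byte labels.
SAMPLE_PAYLOAD = b"constructed ciphertext bytes standing in for the challenge's encrypted string"
_b64 = base64.b64encode(SAMPLE_PAYLOAD).decode().rstrip("=")
_labels = [_b64[i:i + LABEL_MAX] for i in range(0, len(_b64), LABEL_MAX)]
SAMPLE_CAPTURE = [build_a_query("www.example.invalid", 0x1000)]
SAMPLE_CAPTURE += [build_a_query(f"{lab}.{PARENT_DOMAIN}", 0x2000 + i) for i, lab in enumerate(_labels)]

if __name__ == "__main__":
    for msg in SAMPLE_CAPTURE:
        _, _, qname, _ = parse_question(msg)
        print(f"{'SUSPECT' if looks_like_exfil(qname) else 'ok     '} {qname}")
    print(reassemble(SAMPLE_CAPTURE))
```

On a real capture you would feed `reassemble` the DNS payloads extracted from the PCAP (for example with `tshark -Y 'dns.flags.response == 0' -T fields -e dns.qry.name`) and swap `payload_labels` for whatever conversion the CyberChef recipe performed; the `looks_like_exfil` check is the kind of long-subdomain heuristic a DNS monitoring rule would apply to surface this traffic before anyone opens Wireshark.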
Finally I was able to retrieve the flag.