This is a part of a series of writeups for a malware challenge I made for DamCTF 2020. Please see here for the overview.

Phase 1

As a part of your daily work at IcyRetina (one of the world’s most premier cybersecurity companies), you’re always finding interesting malware and exploits in client environments. Today, you’re triaging an alert for some traffic at a client site that triggered one of your Snort rules (called CLEARTEXT_ELF_LIB). Can you find something suspicious in the PCAP?

The flag for this challenge is the lowercase SHA-256 hash of the suspicious file, wrapped in dam{...}

Download PCAP

Players are given a PCAP file with a couple thousand packets, and need to find the malware sample to continue their analysis in Phase 2. Luckily, the challenge description indicates that the file in question is an ELF, and there is only one occurence of ELF in packet data. Players could use Wireshark to manually export the file contents, but I used Zeek to extract the file:

$ zeek -C -r alert.pcapng policy/frameworks/files/extract-all-files.zeek

There are only 4 files extracted by Zeek, so players can easily identify which one is the malware:

$ file extract_files/*
extract_files/extract-1601075727.716824-SSL-FF3y541p5rePWfuhN6:  data
extract_files/extract-1601075727.716824-SSL-Fg9sbh18GWhtmeepjc:  Certificate, Version=3
extract_files/extract-1601075727.716824-SSL-FpqOmi45F9BlaeneKd:  Certificate, Version=3
extract_files/extract-1601075730.597745-HTTP-FvtuaL37IjCnEVi3Oa: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=31cb8cc7d49dbc9d6894c9f082116d2c739b8753, stripped
$ sha256sum extract_files/extract-1601075730.597745-HTTP-FvtuaL37IjCnEVi3Oa 
fc5333c5d1de963b52e57c512e10cf0e37153ac917b7040cf5f95a628a601b10  extract_files/extract-1601075730.597745-HTTP-FvtuaL37IjCnEVi3Oa

Flag for Phase 1:

dam{fc5333c5d1de963b52e57c512e10cf0e37153ac917b7040cf5f95a628a601b10}