
TryHackMe Mayhem


Mayhem


Beneath the tempest’s roar, a quiet grace,
Mayhem’s beauty hides in an unexpected place.
Within the chaos, a paradox unfolds—
A story of beauty that disorder molds.

Initial Investigation

To begin, I opened the provided pcap file in Wireshark to examine its contents.


The analysis revealed that a PowerShell command was executed, downloading a file named notepad.exe. This action initiated a command and control (C2) connection with a remote server.


While it’s possible to directly access and download these files, that doesn’t always yield all the necessary information.

Details of Network Requests

  • GET /install.ps1:
    The client, likely via PowerShell’s HTTP capabilities, requested a script file called install.ps1 from server 10.0.2.37 on port 1337.
  • The user (or attacker) downloaded install.ps1 from a Python SimpleHTTPServer instance.
  • The script is designed to automatically fetch notepad.exe from the same server and save it locally.
  • Lastly, it executes the downloaded executable.


Analysis Using Havoc C2 Parser

Further inspection shows the code is related to Havoc C2. To decode and fully understand the network traffic, I leveraged a Python parser.

I used the file below, making minor modifications to suit my needs:

Havoc C2 Pcap Parser
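As an added illustration of what such a parser does with the unencrypted part of each demon package (this is my own example, not the linked parser or Havoc's code), the Python below groups constructed HTTP POST bodies by agent ID and pulls the key material out of the check-in package. The header layout, the magic value 0xDEADBEEF and command ID 99 for DEMON_INITIALIZE are my reading of the open-source Havoc demon, not facts stated in this post, so verify them against the pcap before relying on them.

```python
import struct
from typing import Dict, List, Optional

# Header layout assumed from my reading of the open-source Havoc demon, not from this
# post: an unencrypted big-endian header precedes every package the agent POSTs.
HAVOC_MAGIC = 0xDEADBEEF
DEMON_INITIALIZE = 99   # first check-in: the only package carrying the AES key/IV in clear
HEADER_LEN = 20         # size, magic, agent id, command id, request id (4 bytes each)
KEY_LEN, IV_LEN = 32, 16


def parse_package(body: bytes) -> Optional[dict]:
    """Parse the plaintext header of one HTTP POST body; None if it is not Havoc."""
    if len(body) < HEADER_LEN:
        return None
    size, magic, agent_id, cmd, req = struct.unpack(">5I", body[:HEADER_LEN])
    if magic != HAVOC_MAGIC or size != len(body):
        return None
    pkg = {"agent_id": agent_id, "command_id": cmd, "request_id": req,
           "aes_key": None, "aes_iv": None}
    if cmd == DEMON_INITIALIZE and len(body) >= HEADER_LEN + KEY_LEN + IV_LEN:
        pkg["aes_key"] = body[HEADER_LEN:HEADER_LEN + KEY_LEN]
        pkg["aes_iv"] = body[HEADER_LEN + KEY_LEN:HEADER_LEN + KEY_LEN + IV_LEN]
    return pkg


def sessions_from_bodies(bodies: List[bytes]) -> Dict[int, dict]:
    """Group POST bodies by agent id and record each agent's key material."""
    sessions: Dict[int, dict] = {}
    for body in bodies:
        pkg = parse_package(body)
        if pkg is None:
            continue  # plaintext HTTP (the install.ps1 / notepad.exe fetches) is skipped
        s = sessions.setdefault(pkg["agent_id"], {"packages": 0, "commands": [],
                                                  "aes_key": None, "aes_iv": None})
        s["packages"] += 1
        s["commands"].append(pkg["command_id"])
        if pkg["aes_key"] is not None:
            s["aes_key"], s["aes_iv"] = pkg["aes_key"], pkg["aes_iv"]
    return sessions


def build_package(agent_id: int, cmd: int, req: int, payload: bytes) -> bytes:
    """Constructed sample only: assemble a package whose size field matches its length."""
    return struct.pack(">5I", HEADER_LEN + len(payload), HAVOC_MAGIC, agent_id, cmd, req) + payload


# Constructed sample traffic (not the room's pcap): a check-in, two later packages, one non-Havoc body.
SAMPLE_BODIES = [
    build_package(0x1A2B3C4D, DEMON_INITIALIZE, 1, b"K" * KEY_LEN + b"V" * IV_LEN + b"\x00" * 8),
    build_package(0x1A2B3C4D, 1, 2, b"\x01" * 16),   # command id 1 is a placeholder here
    build_package(0x1A2B3C4D, 1, 3, b"\x02" * 16),
    b"GET /install.ps1 HTTP/1.1\r\nHost: 10.0.2.37:1337\r\n\r\n",
]
```

Feed `sessions_from_bodies` the reassembled POST bodies from the pcap (e.g. exported from Wireshark) to get one entry per agent ID with the key/IV needed to decrypt the rest of the session.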


With the output of this parser, we can answer all of the room's questions.


This post is licensed under CC BY 4.0 by the author.
