
DownUnderCTF 2025 — Fishy Website (112 pts)

Overview

This challenge involved analyzing a phishing attack that distributed a malicious PowerShell script. Participants received a network capture file and needed to decrypt command-and-control communications to recover sensitive data.

Attack Chain

The challenge demonstrated a "paste n run" phishing attack, where the lure site tells the victim to paste a command into a console rather than serving a download:

  1. Initial Compromise: A suspicious website instructed users to paste and run an encoded PowerShell one-liner
  2. Malware Delivery: The script established a reverse shell whose traffic only imitated TLS; there was no real handshake or key exchange, just a symmetric cipher behind a TLS-looking wire format
  3. C2 Communication: The attacker sent commands as RC4-encrypted bodies framed with a TLS 1.2 application-data record header (content type 0x17, version 0x03 0x03, then a two-byte big-endian length), so at a glance the stream looks like ordinary HTTPS

Technical Analysis

The obfuscated PowerShell payload contained:

Solution

  1. Locate the TCP stream carrying the C2 traffic (stream 37) and follow it in both directions
  2. Export the raw TCP payload bytes of that stream (not the Wireshark-decoded "TLS" view, which misinterprets the fake records)
  3. Split the payload on the 0x17 0x03 0x03 record headers and decrypt each record body with RC4 using the key recovered from the PowerShell payload
  4. Recover the attacker's commands and the responses, including the file exfiltration

The decrypted communications showed the attacker exfiltrating a file, keys_backup.tar.gz, as a base64-encoded blob in one of the responses. Base64-decoding that blob and extracting the archive yielded the flag.
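The record splitting, RC4 decryption and base64 recovery above, as an added worked example that is not part of the original writeup and not the challenge's script. It assumes the implant frames every message as 0x17 0x03 0x03 + uint16 length + body and starts a fresh RC4 keystream for each record (if a real capture decrypts only the first record cleanly, switch to one continuous keystream). The key, commands and "archive" bytes below are constructed so the script runs offline; none of them come from the challenge.

```python
import base64
import re
import struct
from typing import List, Optional

# TLS 1.2 application-data record header: content type 0x17, version 0x0303.
TLS_APPDATA_HEADER = b"\x17\x03\x03"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so the same call encrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_records(stream: bytes) -> List[bytes]:
    """Walk the raw TCP payload and return the body of each fake TLS record.
    Anything that is not 0x17 0x03 0x03 + big-endian length + body is an error,
    which is a useful sanity check that you exported the right stream."""
    records = []
    pos = 0
    while pos + 5 <= len(stream):
        header = stream[pos:pos + 3]
        if header != TLS_APPDATA_HEADER:
            raise ValueError(f"unexpected record header {header.hex()} at offset {pos}")
        (length,) = struct.unpack(">H", stream[pos + 3:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record at offset {pos}")
        records.append(body)
        pos += 5 + length
    return records


def decrypt_records(stream: bytes, key: bytes) -> List[bytes]:
    """Decrypt each record body with a fresh RC4 keystream (assumption: the
    implant re-keys per record; for one continuous keystream, RC4 the
    concatenated bodies instead)."""
    return [rc4(key, body) for body in split_records(stream)]


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """Mirror of the implant's framing, used here only to build the sample."""
    body = rc4(key, plaintext)
    return TLS_APPDATA_HEADER + struct.pack(">H", len(body)) + body


def find_base64_blob(text: str) -> Optional[bytes]:
    """Return the decoded longest base64 run (>= 16 chars) in a decrypted record,
    or None. The length floor skips short identifiers in the commands."""
    best = max(re.finditer(r"[A-Za-z0-9+/]{16,}={0,2}", text),
               key=lambda m: len(m.group()), default=None)
    return base64.b64decode(best.group()) if best else None


def recover_exfiltrated_file(stream: bytes, key: bytes) -> Optional[bytes]:
    """Decrypt the stream and return the first base64 blob found in it."""
    for body in decrypt_records(stream, key):
        blob = find_base64_blob(body.decode("latin-1"))
        if blob:
            return blob
    return None


# Constructed sample session (NOT the challenge pcap, key or file): a command,
# its reply, then an exfil command and the base64 of a fake archive.
SAMPLE_KEY = b"not-the-real-key"
SAMPLE_FILE = b"constructed archive bytes, not keys_backup.tar.gz"
SAMPLE_STREAM = b"".join([
    encrypt_record(SAMPLE_KEY, b"whoami\n"),
    encrypt_record(SAMPLE_KEY, b"victim-pc\\user\n"),
    encrypt_record(SAMPLE_KEY,
                   b"[Convert]::ToBase64String([IO.File]::ReadAllBytes('keys_backup.tar.gz'))\n"),
    encrypt_record(SAMPLE_KEY, base64.b64encode(SAMPLE_FILE) + b"\n"),
])

if __name__ == "__main__":
    for i, body in enumerate(decrypt_records(SAMPLE_STREAM, SAMPLE_KEY)):
        print(f"record {i}: {body!r}")
    print("recovered file:", recover_exfiltrated_file(SAMPLE_STREAM, SAMPLE_KEY))
```

For a real capture, feed `decrypt_records` the raw bytes of the followed stream (Wireshark: Follow TCP Stream, show data as Raw, or `tshark -r capture.pcap -q -z follow,tcp,raw,37` and unhex the output) and the key pulled from the de-obfuscated PowerShell; the header check in `split_records` will tell you immediately if the export included anything other than the fake records.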

Flag

DUCTF{1_gu355_y0u_c4n_d3cRyPT_TLS_tr4ff1c}