If anyone reads this and can give me a nudge, I’d greatly appreciate it. Here’s what I’ve done so far:
- Built a C# library to mimic the shell code decryption algo
- Decrypted all of the packets (aside from one particular response string that has padding errors)
- Found both fake flags
- Built a C# library to build out the temp file in the packets
I feel like I’ve combed through every piece of data in this pcap and I’m just missing something obvious. So, if anyone comes across this and I don’t have an update saying I solved it: please, for the love of my sanity, send help!