
# Forensics - Automation

For this challenge we started with a PCAP (packet capture) file. Just from scrolling through briefly I noticed one HTTP stream that seemed interesting: it was requesting a `desktop.png` file, but the content returned was base64-encoded text rather than an image. I copied this text over to CyberChef and decoded it.

![](/files/KfoI4DYYkyRYR2YOCaJy)

I edited the payload so it would not execute anything on my machine and started reading through. From what I read, it was grabbing all the subdomains of a website through DNS and then decrypting each subdomain: if it received one like `XYSEF.windowsliveupdater.com` it would split off the base domain so only `XYSEF` was left, decrypt that, run it, and send the response back over DNS to the same website. This was really cool and sneaky.

![](/files/nrVE1EAHLo2kwsCGLtO7)

Looking back at the packet capture we can see where this happens and I grabbed all the subdomains it got and decrypted them using the script and got this:

![](/files/UdwY4PrJRlROxfvip0bE)

If you base64-decode the user it adds on the second-to-last line, you get the first part of the flag. That means we are going to have to dig a little deeper to find the second part, and it's probably in the responses being sent back.

I grabbed each response, which were separated by a `start.windowsliveupdater.com` and an `end.windowsliveupdater.com` query, and decrypted them one at a time until I got to part two of the flag:

![](/files/lA8wCVWnQXA3XZt0DspA)
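As an added example (not part of the original writeup or the challenge's own script), the following Python shows how the two steps above can be automated from the defender's side: pull the leading label off every query under the C2 domain, reassemble the chunks that sit between the `start.` and `end.` markers into one stream per session, and decode it. The DNS query list is constructed here, the chunk encoding is hex (a stand-in for the challenge's own cipher, which this example does not reproduce), and the `suspicious_subdomain_stats` heuristic is an assumed, generic detection check rather than anything from the challenge.

```python
import statistics
from collections import defaultdict

# Assumed C2 domain, taken from the writeup. Everything else below is constructed.
C2_DOMAIN = "windowsliveupdater.com"


def _chunk(s, n):
    """Split a string into fixed-size pieces (DNS labels are limited to 63 bytes)."""
    return [s[i:i + n] for i in range(0, len(s), n)]


# Constructed response payload: hex is used so every chunk is a valid DNS label.
# The real challenge used the script's own cipher; hex merely stands in for it.
SAMPLE_RESPONSE = b"HTB{constructed_sample_flag_part}".hex()

# Constructed list of DNS query names, in capture order, mimicking the exchange
# the writeup describes: ordinary lookups plus one start..end response session.
CONSTRUCTED_QUERIES = [
    "www.example.org",
    "start." + C2_DOMAIN,
    *[f"{c}.{C2_DOMAIN}" for c in _chunk(SAMPLE_RESPONSE, 10)],
    "end." + C2_DOMAIN,
    "cdn.example.org",
]


def extract_labels(queries, c2_domain):
    """Return the leading label(s) of every query under c2_domain, in order.

    'XYSEF.windowsliveupdater.com' -> 'XYSEF'; names not under the domain are dropped.
    """
    suffix = "." + c2_domain
    return [q[:-len(suffix)] for q in queries if q.endswith(suffix)]


def reassemble_responses(labels, start="start", end="end"):
    """Join chunk labels between each start/end marker pair into one string per session.

    Labels seen outside a start..end window are ignored; an unterminated session
    (start with no end) is discarded rather than returned as a partial stream.
    """
    sessions, current = [], None
    for label in labels:
        if label == start:
            current = []
        elif label == end:
            if current is not None:
                sessions.append("".join(current))
            current = None
        elif current is not None:
            current.append(label)
    return sessions


def decode_response(stream):
    """Decode one reassembled session. Hex stand-in for the challenge's cipher."""
    return bytes.fromhex(stream).decode("utf-8", errors="replace")


def suspicious_subdomain_stats(queries):
    """Generic tunnelling heuristic (assumed, not from the challenge).

    Group queries by registered domain (last two labels) and report how many
    distinct leading labels were seen and their mean length. A domain with many
    unique, long subdomains in a short capture is a candidate for DNS-based C2.
    """
    per_domain = defaultdict(set)
    for q in queries:
        parts = q.split(".")
        if len(parts) < 3:
            continue
        per_domain[".".join(parts[-2:])].add(".".join(parts[:-2]))
    return {
        domain: {
            "unique_labels": len(labels),
            "mean_label_len": statistics.mean(len(l) for l in labels),
        }
        for domain, labels in per_domain.items()
    }


if __name__ == "__main__":
    labels = extract_labels(CONSTRUCTED_QUERIES, C2_DOMAIN)
    for stream in reassemble_responses(labels):
        print("decoded session:", decode_response(stream))
    for domain, stats in suspicious_subdomain_stats(CONSTRUCTED_QUERIES).items():
        print(f"{domain}: {stats}")
```

On a real capture the query list would come from `tshark -r capture.pcap -Y dns.flags.response==0 -T fields -e dns.qry.name`, and `decode_response` would be replaced with the decryption routine recovered from the dropped script, as the writeup did by hand.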

Now we had the complete flag and I submitted it!

PWNED!!
