RingZer0-199 - Capture 1 part 3
Malware Analysis
Capture 1 part 3
We need to retrieve the filename of the dropped PHP meterpreter.
If we look at the traffic with the following Wireshark display filter
tcp.port == 18888 && http
we can now find the backdoor code in packet 70339.
From there we can look at the function in the backdoor that drops a meterpreter.
That function takes four arguments, "t", "i", "p" and "pa", so we can narrow the traffic down to the POST requests that would carry them:
tcp.port == 18888 && http.request.method == "POST"
The POST request in packet 283529 carries all four parameters, so we can assume that this is the request that dropped the meterpreter.
If we look at the packets that follow the POST at 283529 we find a series of GET requests, starting at 304321. The first three requests for a PHP file get a 404 reply; the fourth one is served.
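The same triage can be scripted once the HTTP conversation on the backdoor port has been reassembled (for instance exported from Wireshark with "Follow TCP Stream", or dumped with tshark). The script below is an added example and is not part of the original write-up or the challenge files: it pairs each request with the response that follows it, flags every POST whose form body carries all four dropper parameters, and then reports the first GET after the drop that fetched a .php file with a 200, together with how many attempts before it failed. The host, paths, filename and frame numbers in SAMPLE_FRAMES are constructed to mirror the shape of the traffic described above; they are not taken from the capture.

```python
"""Triage a reassembled HTTP conversation for a PHP meterpreter drop.

Added example; the sample frames are constructed and do not come from
the challenge capture.  Each entry is (frame number, direction, raw HTTP
message) in capture order, as one would get from a followed TCP stream.
"""
from urllib.parse import parse_qs

# Constructed sample traffic (hypothetical host, paths and filename).
SAMPLE_FRAMES = [
    (100, "req",  "POST /admin.php HTTP/1.1\r\nHost: 192.0.2.10:18888\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  "cmd=id"),
    (101, "resp", "HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\nwww-data"),
    (200, "req",  "POST /admin.php HTTP/1.1\r\nHost: 192.0.2.10:18888\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  "t=1&i=198.51.100.7&p=4444&pa=/var/www/html"),
    (201, "resp", "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    (300, "req",  "GET /aBcDeFgHiJ.php HTTP/1.1\r\nHost: 192.0.2.10:18888\r\n\r\n"),
    (301, "resp", "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    (302, "req",  "GET /aBcDeFgHiJ.php HTTP/1.1\r\nHost: 192.0.2.10:18888\r\n\r\n"),
    (303, "resp", "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    (304, "req",  "GET /aBcDeFgHiJ.php HTTP/1.1\r\nHost: 192.0.2.10:18888\r\n\r\n"),
    (305, "resp", "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    (306, "req",  "GET /aBcDeFgHiJ.php HTTP/1.1\r\nHost: 192.0.2.10:18888\r\n\r\n"),
    (307, "resp", "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n<?php"),
]

# The four form parameters the dropper function expects, per the write-up.
DROPPER_PARAMS = {"t", "i", "p", "pa"}


def parse_http(raw):
    """Split a raw HTTP message into (start-line parts, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = (lines[0].split(" ", 2) + ["", ""])[:3]  # pad short start lines
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def pair_exchanges(frames):
    """Pair each request with the response that follows it in the stream."""
    exchanges, pending = [], None
    for frame, direction, raw in frames:
        if direction == "req":
            pending = (frame, raw)
        elif direction == "resp" and pending is not None:
            exchanges.append((pending[0], pending[1], frame, raw))
            pending = None
    return exchanges


def find_dropper_posts(frames, required=DROPPER_PARAMS):
    """Return [(frame, params)] for POSTs carrying every required parameter."""
    hits = []
    for req_frame, req_raw, _, _ in pair_exchanges(frames):
        (method, _, _), _, body = parse_http(req_raw)
        if method != "POST":
            continue
        params = parse_qs(body, keep_blank_values=True)
        if required <= set(params):
            hits.append((req_frame, {k: params[k][0] for k in required}))
    return hits


def find_dropped_file(frames, after_frame):
    """First GET after `after_frame` for a .php file that was answered 200.

    Also counts how many .php GETs failed before it (the retries that got
    a 404 in the traffic described above).
    """
    failed = 0
    for req_frame, req_raw, _, resp_raw in pair_exchanges(frames):
        if req_frame <= after_frame:
            continue
        (method, target, _), _, _ = parse_http(req_raw)
        path = target.split("?", 1)[0]
        if method != "GET" or not path.lower().endswith(".php"):
            continue
        (_, status, _), _, _ = parse_http(resp_raw)
        if status == "200":
            return {"frame": req_frame,
                    "filename": path.rsplit("/", 1)[-1],
                    "failed_attempts": failed}
        failed += 1
    return None


if __name__ == "__main__":
    for frame, params in find_dropper_posts(SAMPLE_FRAMES):
        print(f"dropper POST in frame {frame}: {params}")
        print("dropped file:", find_dropped_file(SAMPLE_FRAMES, frame))
```

Matching on the full parameter set rather than on any single name matters here: the same backdoor endpoint also takes ordinary command POSTs, so a filter on "p" or "t" alone would flag unrelated requests. Against the real capture, the frame numbers reported would be the ones quoted above.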
The filename is SbOHtDQlsd.php
Flag is: SbOHtDQlsd.php