content/ctfwriteups/hgm.md
Lines changed: 1 addition & 1 deletion
@@ -372,7 +372,7 @@ Decrypting Credential:
```
So the whole flag is: `idek{crEDential_4C3S5_f0R_1@73rAl_mOv3M3n7}`
-
## Part 3 -
+
## Part 3 - DNS Exfiltration and reconstruction
The previous flag can be used as a hint on how to move on, since we still have a big .pcap we have not touched upon and I already felt a bit lost at this point.
The flag from part 2 refers to `stealing credentials in order to do lateral movement`. We can also see that the second part of the flag was from a target domain with IP address `192.168.209.134`. Searching this IP address inside `Autopsy` as we previously did, we see logs related to RDP connection:
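Review bot: the new heading `## Part 3 - DNS Exfiltration and reconstruction` mixes capitalisation (upper-case "Exfiltration", lower-case "reconstruction"); pick one form, e.g. `## Part 3 - DNS Exfiltration and Reconstruction` or `## Part 3 - DNS exfiltration and reconstruction`, so it matches the other part headings in the writeup. Also worth a glance: the context lines directly under the heading introduce lateral movement, the target IP `192.168.209.134` and RDP connection logs, while the DNS exfiltration the title promises only appears further down, so a one-sentence lead-in after the heading that says the RDP trail leads to the DNS traffic in the untouched .pcap would help the reader follow the jump.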