Malware Shop

PROBLEM

There has been some malware detected, can you help with the analysis? More info here. Connect with nc 2018shell1.picoctf.com 18874.

SOLUTION

Again, this was a manual task: you have to look up the values and give the answer to each question.

First question:

How many attackers created the malware in this dataset?

I was able to brute force the first question:

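import time
import socket

port = 18874
host = "2018shell1.picoctf.com"

# Try each candidate answer on a fresh connection, since the service
# only accepts one attempt at the first question per session.
for first_ans in range(0, 20):

    print("Trying", first_ans)

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((host, port))
    except socket.error as err:
        # Skip this attempt instead of using a socket that never connected.
        print("socket creation failed with error %s" % (err))
        continue

    # The with-block closes the socket on every path, including the break.
    with sock:
        ans = str(first_ans) + "\n"

        # Read the banner and the first question before answering.
        res = sock.recv(500).decode('utf-8')

        sock.sendall(ans.encode('utf-8'))
        res = sock.recv(500).decode('utf-8')
        res = res.split('\n')

    print("CHECKING ----------> ", res)

    if res[0] == "Correct!":
        print("DONE!!", first_ans)
        break

    # Pause between attempts.
    time.sleep(1.0)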

The answer was - 5

Second question:

In the following sample of files from the larger dataset, which file was made by the same attacker who made the file 08da9228? Indicate your answer by entering that file's hash.

       hash  jmp_count  add_count
0  08da9228       23.0       44.0
1  8f7580a2       35.0        8.0
2  ebaf5ccd        8.0       18.0
3  abad7725       12.0       40.0
4  af481dc4       41.0        6.0
5  5818778b       23.0       63.0
6  ecff45ad       22.0       65.0
7  628e79cf       15.0       18.0
8  fa3b2106       35.0       28.0
9  e787f52e       37.0       29.0

Well, in this one I just went by the books, took some time to read the plot and found out the answer was abad7725.
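The same lookup can be cross-checked numerically. The following is an added example, not part of the original write-up: it parses the sample table from the prompt and ranks the other files by Euclidean distance to 08da9228 in (jmp_count, add_count) space. It assumes that closeness in these two raw features approximates the attacker clusters visible in the plot; the function names are hypothetical.

```python
import math

# Sample table copied from the challenge prompt above (pandas-style text).
SAMPLE = """\
       hash  jmp_count  add_count
0  08da9228       23.0       44.0
1  8f7580a2       35.0        8.0
2  ebaf5ccd        8.0       18.0
3  abad7725       12.0       40.0
4  af481dc4       41.0        6.0
5  5818778b       23.0       63.0
6  ecff45ad       22.0       65.0
7  628e79cf       15.0       18.0
8  fa3b2106       35.0       28.0
9  e787f52e       37.0       29.0
"""


def parse_table(text):
    """Return {hash: (jmp_count, add_count)} from the whitespace-separated table."""
    rows = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        _index, file_hash, jmp, add = line.split()
        rows[file_hash] = (float(jmp), float(add))
    return rows


def rank_by_distance(rows, target):
    """Other files as (distance, hash), nearest to the target's features first."""
    origin = rows[target]
    return sorted(
        (math.dist(origin, feats), h) for h, feats in rows.items() if h != target
    )


def nearest(rows, target):
    """Hash of the file whose feature vector is closest to the target's."""
    return rank_by_distance(rows, target)[0][1]


if __name__ == "__main__":
    table = parse_table(SAMPLE)
    for dist, file_hash in rank_by_distance(table, "08da9228"):
        print(f"{file_hash}  {dist:6.2f}")
```

Nearest-neighbour distance on a ten-row sample is only a sanity check; the plot of the full dataset remains the authority on which cluster a file belongs to.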

Flag - picoCTF{w4y_0ut_08631993}