Challenge / Forensics

Fishy Http

Fishy Http is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Easy · Published 2024-06-21 · Sanitized local writeup

Scenario

Fishy Http attack path


Objective

Challenge walkthrough focused on Forensics evidence, validation, and reusable operator lessons.

Fishy Http sanitized attack graph

Walkthrough flow

  1. Evidence collection
  2. Artifact grouping
  3. Root cause reconstruction
  4. Proof captured

Source coverage

High source coverage

Status: complete. This article is generated from 6 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

100% coverage

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • Forensics/Fishy-Http/writeup.md
  • htb-challenge/Forensics/Fishy-Http/notes.md
  • htb-challenge/Forensics/Fishy-Http/memory-summary.md
  • htb-challenge/Forensics/Fishy-Http/hypothesis-board.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Forensics__Fishy-Http__memory-summary.md.44aea0fff4.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Forensics__Fishy-Http__notes.md.f73b2bff3c.md

Technical Walkthrough

Writeup

Challenge

  • Name: Fishy-Http
  • Category: Forensics
  • Difficulty: Easy
  • Mode: file

Summary

The provided PCAP and executable describe the same custom HTTP C2 flow. The executable is a .NET 8 bundled program; extracting its bundle manifest reveals a small MyProject.dll containing the encoder/decoder logic. Server responses hide commands in HTML tag names mapped to hex nibbles, while client feedback hides command output in first-letter acrostics that decode from base64. The two flag parts are split across those channels.

Artifact Inventory

  • files/extracted/smphost.exe: Windows x64 .NET 8 self-contained executable.
  • files/extracted/sustraffic.pcapng: captured HTTP traffic between the program and a web server.
  • analysis/extracted-bundle/manifest.json: parsed .NET bundle manifest generated during analysis.
  • analysis/extracted-bundle/MyProject.dll: recovered managed project assembly.

Analysis

The executable bundle manifest identifies 171 embedded files and exposes MyProject.dll. Managed user strings in that assembly include:

  • a body extraction regex: <body>(.*?)</body>
  • a tag extraction regex: <(\w+)[\s>]
  • HexStringToBytes
  • FromBase64String / ToBase64String
  • submit_feedback

That points to two encodings:

  • Server-to-client commands: selected HTML tags are converted to hex nibbles, then hex-decoded into command text.
  • Client-to-server command output: feedback words are reduced to their first letters, then base64-decoded.

Decoding the captured HTTP streams produced four commands and four command outputs. The first flag fragment appeared in a decoded command as a file name beginning with the expected HTB{ prefix. The matching decoded feedback output contained the quoted second fragment and closing brace.

Solve

Run:

  Forensics/Fishy-Http/.venv/bin/python Forensics/Fishy-Http/solve/solve.py

The solver:

  1. Parses the .NET bundle manifest from smphost.exe.
  2. Verifies MyProject.dll contains the expected decoder artifacts.
  3. Rebuilds TCP streams from sustraffic.pcapng.
  4. Decodes HTML-tag command traffic and feedback acrostic output traffic.
  5. Combines both flag fragments and writes the result to loot/flag-candidate.txt.

The harness then captured the validated flag into loot/flag.txt.
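The two channels described in the Analysis section, and decoded in step 4 of the solver, written out as a small Python decoder. This is an added example, not the page's solve.py and not code recovered from MyProject.dll. The two regular expressions are the ones listed among the assembly's user strings; everything else is an assumption: the tag-to-nibble table is a constructed stand-in (the real table lives in the assembly and is not on the page), tags outside the table are treated as filler and skipped, and the feedback decoder restores base64 padding itself. encode_tag_command only builds a constructed response body so the decoder can be exercised offline against realistic input.

```python
import base64
import re

# Constructed stand-in for the tag table inside MyProject.dll: the index of a
# tag name in this list is the nibble it encodes. The real table is not on the page.
NIBBLE_TAGS = ["b", "i", "u", "s", "p", "a", "em", "tt",
               "div", "span", "code", "pre", "kbd", "var", "sub", "sup"]
TAG_TO_NIBBLE = {tag: idx for idx, tag in enumerate(NIBBLE_TAGS)}

# The two regexes recovered from the assembly's user strings.
BODY_RE = re.compile(r"<body>(.*?)</body>", re.S)
TAG_RE = re.compile(r"<(\w+)[\s>]")

B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def decode_tag_command(html: str) -> str:
    """Server -> client: opening tag names inside <body> become hex nibbles."""
    body = BODY_RE.search(html)
    if body is None:
        return ""
    # Assumption: tags that are not in the table are filler and are ignored.
    nibbles = [TAG_TO_NIBBLE[t] for t in TAG_RE.findall(body.group(1))
               if t in TAG_TO_NIBBLE]
    nibbles = nibbles[: len(nibbles) - len(nibbles) % 2]  # drop a dangling nibble
    raw = bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))
    return raw.decode("utf-8", errors="replace")


def encode_tag_command(command: str, filler=("h1", "br", "hr")) -> str:
    """Constructed fixture: builds a response body the way the writeup describes.

    Each byte becomes two opening tags (high nibble, low nibble); a filler tag
    that is not in the table is interleaved to mimic a real-looking page.
    """
    parts = []
    for i, byte in enumerate(command.encode("utf-8")):
        hi, lo = NIBBLE_TAGS[byte >> 4], NIBBLE_TAGS[byte & 0xF]
        parts.append(f"<{hi}>x</{hi}><{lo}>x</{lo}>")
        parts.append(f"<{filler[i % len(filler)]}>")
    return "<html><body>" + "".join(parts) + "</body></html>"


def decode_feedback_acrostic(feedback: str) -> str:
    """Client -> server: first letter of each feedback word, read as base64."""
    letters = "".join(w[0] for w in feedback.split() if w[0] in B64_ALPHABET)
    # Assumption: the receiver restores base64 padding rather than the sender
    # spelling it out with '=' words.
    letters += "=" * (-len(letters) % 4)
    return base64.b64decode(letters).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample traffic in both directions.
    response = encode_tag_command("whoami")
    print("command :", decode_tag_command(response))
    feedback = ("definitely Xtra Nice loved customer just 1st happy "
                "but Great little jittery Zero Quibbles")  # acrostic of dXNlcj1hbGljZQ
    print("output  :", decode_feedback_acrostic(feedback))
```

The two decoders are deliberately independent: in a capture, the response bodies and the POST /submit_feedback bodies come from different TCP streams, so a solver reassembles each stream first and then feeds it to the matching decoder. Pairing a decoded command with the feedback that follows it is what lets the two flag fragments be joined in order.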

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • For self-contained .NET executables, parse the appended bundle manifest instead of treating the large PE as opaque.
  • In PCAP-based malware/C2 challenges, decode both directions. The command channel and output channel may use different encodings.
  • Visible text acrostics were a false lead here; the meaningful server-to-client channel was encoded in HTML tag names.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: Fishy-Http
  • Category: Forensics
  • Difficulty: Easy
  • Mode: file
  • Remote instance: none
  • Start time: 2026-06-09T09:23:05Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

File | Size | SHA256 | Type | Notes
files/a12c733e-4cdf-437a-92cd-951d1f371fb3.zip | 29619281 | <hash redacted> | Zip archive data, at least v2.0 to extract, compression method=deflate | zip entries: 2 shown in artifact inventory JSON

Evidence Ledger

Time | Action | Output/File | Finding | Confidence | Next
2026-06-09T09:23:05Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts
2026-06-09T09:23:05Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses
2026-06-09T09:23:29Z | hypothesis recorded | hypothesis-board.md | Recover two flag parts by correlating HTTP traffic in sustraffic.pcapng with strings/config/logic in smphost.exe. | Medium | Extract HTTP objects/URIs/headers from pcapng, then inspect executable strings/resources/imports for matching endpoints, keys, or embedded flag material.
2026-06-09T09:37:33Z | research skip | analysis/research/research-skip.md | Research intentionally skipped with recorded reason | Medium | Gate before exploit
2026-06-09T09:37:33Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate
2026-06-09T09:38:13Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval

Key Findings

  • Archive extracted with the standard HTB challenge archive convention. It contains smphost.exe and sustraffic.pcapng.
  • smphost.exe is a .NET 8 self-contained/single-file Windows executable with a readable bundle manifest at offset 67506344.
  • The bundle manifest exposes MyProject.dll at offset 9662464, size 15872, SHA256 <hash redacted>.
  • MyProject.dll confirms two custom channels:
    - HTTP response bodies encode commands by mapping selected HTML tags to hex nibbles.
    - POST /submit_feedback bodies encode command output by using the first letter of each feedback word as base64.

  • Decoding the response command channel recovered the first flag fragment as the filename argument of a type HTB{... command.
  • Decoding the POST feedback channel recovered the second flag fragment in the corresponding command output.
  • The reproducible solver writes the combined flag to loot/flag-candidate.txt; the harness captured it into loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

  scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: Forensics
  • Challenge: Fishy-Http
  • Difficulty: Easy
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

  • Proposed for LightRAG: yes/no
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status
1 | Recover two flag parts by correlating HTTP traffic in sustraffic.pcapng with strings/config/logic in smphost.exe. | Challenge scenario explicitly says suspicious program makes HTTP requests and the flag has two parts; archive contains smphost.exe and sustraffic.pcapng. | | Extract HTTP objects/URIs/headers from pcapng, then inspect executable strings/resources/imports for matching endpoints, keys, or embedded flag material. | Medium | Active

Closed Branches

Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition

Memory Summary

approval_required: true



Technical analogy

How to remember this solve

Think of the challenge as a small system with one rule that matters more than the rest. The solve is finding that rule, validating it, and using it carefully enough to reach the final proof.

For Fishy Http, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.