
Thief

Thief is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Medium | Published 2025-01-07 | Sanitized local writeup

Scenario

Thief attack path


Objective

Challenge walkthrough focused on Misc evidence, validation, and reusable operator lessons.

Thief sanitized attack graph

Walkthrough flow

  1. Extract the PCAP from the HTB archive and reconstruct...
  2. Identify the downloaded Windows executable and the...
  3. Recover the executable from the HTTP stream and treat...
  4. When automated PyInstaller extraction hits a false...
  5. Disassemble the Python 2.7 bytecode to recover the...

Source coverage

High source coverage

Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

100% coverage

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • Misc/Thief/writeup.md
  • htb-challenge/Misc/Thief/notes.md
  • htb-challenge/Misc/Thief/memory-summary.md
  • htb-challenge/Misc/Thief/hypothesis-board.md

Technical Walkthrough

Writeup

Challenge

  • Name: Thief
  • Category: Misc
  • Difficulty: Medium
  • Mode: file

Summary

The capture contained a victim PowerShell session that downloaded and ran a PyInstaller executable named windowsupdate.exe against 1dub.png. The executable exfiltrated the file in 48 ICMP echo request chunks. Reversing the embedded Python 2.7 bytecode exposed the AES-CBC key, chunk padding, and ICMP metadata scheme. Rebuilding the chunk order and decrypting the payloads recovered the stolen PNG containing the flag.

Artifact Inventory

  • files/a12c7350-80ac-4eb8-a7e9-ea96fff4fa07.zip: original HTB archive.
  • files/extracted/misc_thief/challenge.pcap: packet capture containing the compromise and exfiltration.
  • analysis/windowsupdate.exe: executable recovered from the HTTP transfer inside the PCAP.
  • analysis/windowsupdate-manual-extracted/wixnvke: recovered Python 2.7 bytecode payload from the PyInstaller archive.
  • loot/recovered/1dub.png: reconstructed stolen image containing the flag.

Analysis

Protocol triage showed the high-volume flow was mostly an HTTP transfer from <TARGET> to <TARGET>, plus ICMP traffic from the victim to <TARGET>. TCP stream reconstruction showed the victim ran windowsupdate.exe 1dub.png, then printed progress from 0 / 48 through 47 / 48 and a successful exfiltration message.

The HTTP body was saved as analysis/windowsupdate.exe. Manual PyInstaller extraction recovered a Python 2.7 code object, and analysis/xdis-disasm.txt showed the important behavior:

  • split the input file into 256-byte chunks
  • zero-pad each chunk to 256 bytes
  • encrypt each chunk with AES-CBC using the embedded key string
  • prepend a random IV and the exfil- payload prefix
  • send the data through ICMP echo requests
  • use ICMP id and seq as ordering metadata after a custom tree scramble

The 48 ICMP echo request payloads matched that scheme exactly. Reproducing the tree metadata mapping allowed the solver to ignore randomized send order, restore original chunk order, decrypt each chunk, and trim the PNG at IEND.

Solve

Run:

```bash
python3 solve/solve.py
```

The script parses challenge.pcap, extracts the exfil- prefixed ICMP chunks, rebuilds the malware's ordering map, decrypts the AES-CBC chunks, and writes:

  • loot/recovered/1dub-recovered-full.bin
  • loot/recovered/1dub.png
  • loot/flag-candidate.txt when local OCR is available

The flag candidate was passed through:

```bash
python3 scripts/challenge_harness.py capture-flag Misc/Thief --from loot/flag-candidate.txt
```

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • Randomized packet send order did not matter because the malware preserved enough metadata in ICMP id and seq to reconstruct the original order.
  • PCAP-first reconstruction was faster and more reliable than trying to guess from packet payload entropy alone.
  • PyInstaller extraction can fail on false signatures; checking the real archive cookie near EOF and manually extracting the CArchive avoided that blocker.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: Thief
  • Category: Misc
  • Difficulty: Medium
  • Mode: file
  • Remote instance: none
  • Start time: 2026-06-13T03:40:31Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

| File | Size | SHA256 | Type | Notes |
| --- | --- | --- | --- | --- |
| files/a12c7350-80ac-4eb8-a7e9-ea96fff4fa07.zip | 11987790 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 2 shown in artifact inventory JSON |
| files/extracted/misc_thief/challenge.pcap | 12710386 | <hash redacted> | pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144) | |

Evidence Ledger

| Time | Action | Output/File | Finding | Confidence | Next |
| --- | --- | --- | --- | --- | --- |
| 2026-06-13T03:40:31Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-13T03:40:31Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-13T03:40:43Z | hypothesis recorded | hypothesis-board.md | Analyze the captured high-volume network requests to identify exfiltrated data or reconstructed files; derive the HTB flag from request payloads, headers, or transferred objects. | Medium | Extract the archive, identify pcap/log artifacts, run protocol statistics and search for HTB flag fragments or suspicious object transfers. |
| 2026-06-13T03:40:43Z | checkpoint recorded | analysis/checkpoint-triage-20260613T034043774353Z-3ab9d56d.md | Checkpoint for TRIAGE | High | Use checkpoint to drive next decision |
| 2026-06-13T03:41:15Z | artifact inventory | analysis/artifact-inventory.json | 2 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-13T03:43:42Z | RAG query | analysis/rag/rag-query-20260613T034331749858Z-7e42912a.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-13T03:52:28Z | research record | analysis/research/research-records.md | Research tagged MATCHED | Medium | Validate against current evidence |
| 2026-06-13T03:52:28Z | instrumentation plan | analysis/instrumentation-plan.md | Recover the file exfiltrated by the malware from challenge.pcap and extract the visible HTB flag. | High | Stop if ICMP metadata does not match the reconstructed tree mapping or decrypted output is not a PNG. |
| 2026-06-13T03:52:41Z | RAG record | analysis/rag-records.md | Retrieved memory tagged MISSING | Medium | Validate or reject with live evidence |
| 2026-06-13T03:52:41Z | evaluator | analysis/evaluator-20260613T035241944072Z-11573171.md | Proceed | High | Capture the candidate stored by solve/solve.py through the harness. |
| 2026-06-13T03:52:51Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-13T03:55:54Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-13T03:55:54Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |

Key Findings

  • challenge.pcap contains a PowerShell compromise session where windowsupdate.exe is downloaded and executed against 1dub.png.
  • The executable was recovered from the HTTP stream and identified as a Python 2.7 PyInstaller payload.
  • Recovered bytecode shows AES-CBC encryption, 256-byte zero-padded chunks, and ICMP echo request exfiltration with payload prefix exfil-.
  • The PCAP contains 48 matching ICMP exfiltration chunks; ICMP id and seq encode the scrambled chunk ordering.
  • solve/solve.py reconstructs the chunk order, decrypts the data, and rebuilds loot/recovered/1dub.png.
  • The raw flag was captured through the harness and is stored only in loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

```bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
```

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: Misc
  • Challenge: Thief
  • Difficulty: Medium
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

  1. Extract the PCAP from the HTB archive and reconstruct TCP streams.
  2. Identify the downloaded Windows executable and the command that runs it against a local PNG.
  3. Recover the executable from the HTTP stream and treat it as a PyInstaller payload.
  4. When automated PyInstaller extraction hits a false MEI signature, locate the real CArchive cookie near EOF and manually extract the Python code object.
  5. Disassemble the Python 2.7 bytecode to recover the exfiltration algorithm: 256-byte chunks, zero padding, AES-CBC, per-chunk IV, exfil- ICMP payload prefix, and chunk metadata in ICMP id and seq.
  6. Parse ICMP echo requests, rebuild the malware's tree-order mapping, decrypt the chunks, concatenate them, and trim the recovered PNG at the IEND marker.
  7. Read the flag from the recovered image and store the raw value only through the harness-controlled loot flow.
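The reassembly side of the scheme described in the Analysis section and in steps 5 and 6 above, as an added example in Go that is not the page's solve/solve.py. It assumes the ICMP echo requests have already been parsed out of the PCAP into id/seq/payload records, takes the AES key as a parameter, and takes the id/seq to chunk-index mapping as a caller-supplied function, because the malware's real tree-scramble mapping is not published on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// EchoReq is one ICMP echo request as a PCAP parser hands it over: ID and Seq
// from the ICMP header, Payload is everything after the 8-byte ICMP header.
type EchoReq struct {
	ID, Seq uint16
	Payload []byte
}

const chunkSize = 256         // plaintext chunk size before zero padding
var prefix = []byte("exfil-") // marker carried by every exfil packet

// Reassemble keeps only well-formed exfil- packets, maps each to its original chunk
// index with order(id, seq) (hypothetical stand-in for the malware's tree scramble),
// decrypts each chunk under AES-CBC with its own prepended IV, concatenates in
// index order, and trims the zero padding that follows the PNG IEND chunk.
func Reassemble(pkts []EchoReq, key []byte, order func(id, seq uint16) int) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	chunks := map[int][]byte{}
	for _, p := range pkts {
		if !bytes.HasPrefix(p.Payload, prefix) || len(p.Payload) != len(prefix)+aes.BlockSize+chunkSize {
			continue // ordinary ping or truncated packet; a real gap is caught below
		}
		body := p.Payload[len(prefix):]
		pt := make([]byte, chunkSize)
		cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
		chunks[order(p.ID, p.Seq)] = pt
	}
	var out []byte
	for i := 0; i < len(chunks); i++ { // a gap here means the mapping is wrong
		c, ok := chunks[i]
		if !ok {
			return nil, fmt.Errorf("chunk %d missing after reordering", i)
		}
		out = append(out, c...)
	}
	if i := bytes.Index(out, []byte("IEND")); i >= 0 && i+8 <= len(out) {
		out = out[:i+8] // keep the IEND type and its 4-byte CRC, drop zero padding
	}
	return out, nil
}
```

A wrong mapping surfaces as a missing-chunk error rather than as a silently corrupted image, which matches the stop condition recorded in the instrumentation plan.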

Reusable Lessons

  • In PCAP malware challenges, recover transferred executables from streams and reverse them before guessing payload transforms.
  • ICMP id and seq fields can encode exfiltration ordering metadata even when packet send order is randomized.
  • Rebuild the malware's transformation exactly, then write a solver that reconstructs the artifact from the PCAP.

Dead Ends

  • Direct string searches across the PCAP, encrypted ICMP payloads, and recovered PNG bytes do not reveal the flag.
  • Simple concatenation orders such as time order, ICMP sequence order, or ICMP ID order do not directly produce the stolen file before reversing the malware's scramble mapping.

Tool Quirks

  • pyinstxtractor-ng can lock onto a false MEI marker in a PyInstaller binary. Checking the real cookie near the end of the file and manually parsing the archive can recover the payload.
  • The visible flag is rendered in a pixel font; OCR may confuse a digit one with lowercase i, so visual validation of the reconstructed PNG may still be needed.

Evidence Paths

  • analysis/tcp-stream-summary.txt
  • analysis/icmp-exfil-reconstruct-summary.txt
  • analysis/pyinstaller-cookie-search.txt
  • analysis/xdis-disasm.txt
  • analysis/thief-reconstruction.md
  • solve/solve.py
  • loot/recovered/1dub.png
  • loot/flag.txt

Ingestion Decision

  • Proposed for LightRAG: yes
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Analyze the captured high-volume network requests to identify exfiltrated data or reconstructed files; derive the HTB flag from request payloads, headers, or transferred objects. | Challenge scenario mentions high request volume and possible data compromise; archive likely contains a traffic capture or logs. | | Extract the archive, identify pcap/log artifacts, run protocol statistics and search for HTB flag fragments or suspicious object transfers. | Medium | Active |

Closed Branches

| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
| --- | --- | --- | --- | --- |

Technical analogy

How to remember this solve

Think of the challenge like a timed puzzle booth. If the task is too fast or repetitive for a person, the intended move is usually to write a small helper that performs the simple action perfectly.

For Thief, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.