Instructions
This is the most wonderful time of the year, but not for Santa’s incident response team. Since Santa went digital, everyone can write a letter to him using his brand new website. Apparently an APT group hacked their way into Santa’s server and destroyed his present list. Could you investigate what happened?
Solution
Filtering the pcap on HTTP shows traffic to the host named christmaswishlist at 192.168.1.11.
In the second POST request the attacker uploads a PHP web shell to the web server.
The attacker then uses the shell to perform recon on the machine, including listing users, groups, and files. In the final request they delete the SQLite database at .ht.sqlite and echo the base64-encoded flag, which decodes to:
HTB{0k_n0w_3v3ry0n3_h4s_t0_dr0p_0ff_th3ir_l3tt3rs_4t_th3_p0st_0ff1c3_4g41n}