Arctic Howl - Week 4 Trusted Trouble

README

WEEK 4 Trusted Trouble

OffSec Arctic Howl MegacorpOne Insider Threat (PCAP Forensics)


Challenge Overview

| Field      | Details                                                   |
|------------|-----------------------------------------------------------|
| Status     | COMPLETED                                                 |
| Category   | PCAP Forensics, Mail Forensics, Insider Threat Analysis   |
| Difficulty | Hard                                                      |
| Event      | Arctic Howl: The Cascade Expanse Season 2                 |
| Score      | 8 / 8                                                     |

Scenario

Megacorp One hired new employees and then detected suspicious data leakage. No obvious endpoint breakage was observed, but suspicious activity appeared across MAIL and CLIENT captures.

Files Provided: multi-folder PCAP dataset (MAIL, CLIENT5, CLIENT10, CLIENT12, CLIENT13)


Questions

| # | Question                                                  |
|---|-----------------------------------------------------------|
| 1 | How many people applied to work at MegacorpOne?           |
| 2 | Out of total applicants, whose application was accepted?  |
| 3 | What is the name of the hiring manager?                   |
| 4 | Which employee had VPN issues?                            |
| 5 | Which employee(s) were violating company policy?          |
| 6 | What public IP was used for exfiltration?                 |
| 7 | What was exfiltrated (include sensitive data)?            |
| 8 | Which employee was the insider threat?                    |

Key Skills

  • Large PCAP triage and anomaly reduction
  • SMTP stream reconstruction and timeline correlation
  • Internal HTTP upload extraction from multipart POST data
  • 7z payload recovery and decryption workflow
  • SQLite artifact inspection for credential confirmation
  • Evidence-to-identity mapping in insider investigations

Key Findings

| Question             | Answer                                                               |
|----------------------|----------------------------------------------------------------------|
| Q1 Applicants        | 9                                                                    |
| Q2 Accepted          | fernanda.ribeiro, samuel.adu, min-jun.park                           |
| Q3 Hiring Manager    | tatiana.petrov                                                       |
| Q4 VPN Issues        | fernanda.ribeiro                                                     |
| Q5 Policy Violations | min-jun.park, samuel.adu                                             |
| Q6 Exfil Public IP   | 203.98.112.47                                                        |
| Q7 Exfiltrated Data  | sensitive.db (SQLite) with Robin Schwartz / 5up3r5Tr0NgP@$$w0rd!     |
| Q8 Insider Threat    | samuel.adu                                                           |

Attack Chain

1. Mass applicant email workflow via SMTP (resume.pdf submissions)
2. Hiring manager sends onboarding instructions to accepted users
3. Client hostname and VPN IP collection campaign
4. Insider-side traffic from CLIENT10 to external endpoint 203.98.112.47 (WireGuard)
5. Internal HTTP staging to 10.10.0.254 with multipart uploads (note1, note2, note3)
6. note2 leaks a password hint: "Don't forget P@$$w0rd!"
7. note3 is actually an encrypted 7z payload
8. Recovered sensitive.db (SQLite users table)
9. Exfiltrated credential confirmed: Robin Schwartz / 5up3r5Tr0NgP@$$w0rd!
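The staging step in the chain above (multipart uploads to 10.10.0.254, where note3 turns out to be a 7z archive despite being posted as a note) is the kind of thing an analyst should confirm by content, not by filename. The following is an added example, not code from this writeup or its INVESTIGATION_REPORT.md; the HTTP request, the boundary string and the 7z header stub inside it are constructed. It carves each part out of a captured multipart POST and fingerprints it by magic bytes.

```python
import re
# File signatures used to classify uploads by content rather than by filename.
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
SQLITE_MAGIC = b"SQLite format 3\x00"

def identify(data: bytes) -> str:
    """Fingerprint a payload: 7z archive, SQLite database, UTF-8 text or other binary."""
    if data.startswith(SEVENZ_MAGIC):
        return "7z"
    if data.startswith(SQLITE_MAGIC):
        return "sqlite"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"

def parse_multipart(body: bytes, boundary: bytes) -> list[dict]:
    """Split a multipart/form-data body into parts (RFC 2046 CRLF "--boundary" framing)."""
    parts = []
    # Prepend CRLF so the first delimiter, which has no preceding CRLF, matches too.
    for chunk in (b"\r\n" + body).split(b"\r\n--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--": no more parts
            break
        headers, _, data = chunk[2:].partition(b"\r\n\r\n")  # [2:] drops CRLF after boundary
        name = re.search(rb'name="([^"]*)"', headers)
        fname = re.search(rb'filename="([^"]*)"', headers)
        parts.append({"name": name.group(1).decode() if name else "",
                      "filename": fname.group(1).decode() if fname else "", "data": data})
    return parts

def extract_uploads(request: bytes) -> list[dict]:
    """Pull the uploaded parts out of a raw HTTP POST and fingerprint each one."""
    head, _, body = request.partition(b"\r\n\r\n")
    m = re.search(rb"boundary=([^\r\n;]+)", head)
    if not m:
        return []
    return [{"filename": p["filename"], "kind": identify(p["data"]), "size": len(p["data"])}
            for p in parse_multipart(body, m.group(1))]

# Constructed request modelled on the staging traffic above; the 7z bytes are a header stub, not a real archive.
BOUNDARY = b"----ConstructedBoundary1234"
SAMPLE_POST = (
    b"POST /upload HTTP/1.1\r\nHost: 10.10.0.254\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n\r\n"
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="file"; filename="note2.txt"\r\n\r\n'
    b"Don't forget P@$$w0rd!\r\n"
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="file"; filename="note3.txt"\r\n\r\n'
    + SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 26 + b"\r\n--" + BOUNDARY + b"--\r\n"
)
```

Calling extract_uploads(SAMPLE_POST) reports note2.txt as text and note3.txt as 7z; on a real capture, feed it the reassembled TCP stream of the POST instead of SAMPLE_POST.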

Files

| File                    | Description                                                    |
|-------------------------|----------------------------------------------------------------|
| INVESTIGATION_REPORT.md | Full forensic report, evidence chain, and validation commands  |

Tools Used

Wireshark, tshark, Python 3, 7-Zip, SQLite3, PowerShell


Writeup completed: March 25, 2026 | OffSec Arctic Howl Season 2 | Score: 8/8 correct


Source: https://ctf-writeups-webb.vercel.app/posts/events-season2-week4-trusted-trouble/
Author: Umair Aziz
Published at: 2026-04-02
License: CC BY-NC-SA 4.0