SeeTwo#

Challenge Information#

Category: Memory Forensics / Network Analysis
Difficulty: Hard
Flag: VBD{1_w45_ju5t_gam1n_n_bhopping}

Challenge Description#

A network forensics and memory analysis challenge involving a compromised system running Half-Life game server with encrypted C2 communications.

Solution Overview#

This challenge involved analyzing a network packet capture (PCAP) file that contained encrypted game server communications. The solution required:

Analyzing network traffic to identify encrypted payloads
Performing known-plaintext attack (KPA) on XOR-encrypted data
Extracting and decrypting the flag from game server commands

Files Analyzed#

Primary Files#

capture2.pcapng - Network packet capture containing encrypted traffic
ramadanctf2026_dump.raw - Memory dump (attempted TuskLocker2 ransomware analysis)

Key Scripts Developed#

1. WebSocket Decoder#

Analyzed WebSocket traffic to understand SignalR/Hub communications:

Extracted JSON payloads from WebSocket frames
Identified application event monitoring (foreground windows, input tracking)
Found references to processes: hl.exe, Wireshark.exe, devenv.exe, Explorer.exe

Output: decoded_messages.txt containing 467 decoded WebSocket messages

1
#!/usr/bin/env python3
2
"""Decode WebSocket C2 traffic from SeeTwo challenge"""
3
import struct, re
4

5
def decode_ws_frame(data):
6
  if len(data) < 2:
7
    return None, data, False
8
  opcode = data[0] & 0x0F
9
  masked = (data[1] >> 7) & 1
10
  length = data[1] & 0x7F
11
  offset = 2
12
  if length == 126:
13
    length = struct.unpack(">H", data[2:4])[0]
14
    offset = 4
15
  elif length == 127:
16
    length = struct.unpack(">Q", data[2:10])[0]
17
    offset = 10
18
  if masked:
19
    mask_key = data[offset:offset+4]
20
    offset += 4
21
  if len(data) < offset + length:
22
    return None, data, masked
23
  payload = data[offset:offset+length]
24
  if masked:
25
    decoded = bytes([payload[i] ^ mask_key[i % 4] for i in range(len(payload))])
26
  else:
27
    decoded = payload
28
  return decoded, data[offset+length:], masked
29

30
def main():
31
  with open(r"D:\\ctf\\seetwo\\stream1_raw.txt", "r", encoding="utf-16") as f:
32
    lines = f.readlines()
33

34
  messages = []
35
  for line in lines:
36
    orig_line = line.rstrip()
37
    if not orig_line or orig_line.startswith('=') or orig_line.startswith('Follow') or orig_line.startswith('Filter') or orig_line.startswith('Node'):
38
      continue
39
    is_server = orig_line.startswith('\t')
40
    stripped = orig_line.strip()
41
    if not stripped:
42
      continue
43
    if not all(c in '0123456789abcdefABCDEF' for c in stripped):
44
      continue
45
    data = bytes.fromhex(stripped)
46

47
    remaining = data
48
    while remaining and len(remaining) >= 2:
49
      decoded, remaining, was_masked = decode_ws_frame(remaining)
50
      if decoded is None:
51
        break
52
      direction = "CLIENT" if was_masked else "SERVER"
53
      try:
54
        text = decoded.decode('utf-8', errors='replace')
55
      except:
56
        text = decoded.hex()
57
      messages.append((direction, text, decoded))
58

59
  print(f"Total messages: {len(messages)}\\n")
60

61
  for i, (d, text, raw) in enumerate(messages):
62
    prefix = ">>>" if d == "CLIENT" else "<<<"
63
    display = text if len(text) < 300 else text[:300] + f"...({len(text)} chars)"
64
    print(f"[{i:3d}] {prefix} {display}")
65

66
  all_text = "\\n".join(t for _, t, _ in messages)
67
  flags = re.findall(r'VBD\{[^}]*\}', all_text)
68
  if flags:
69
    print(f"\\n[+] FLAG: {flags[0]}")
70
  else:
71
    print("\\n[-] No flag in decoded messages. Looking for base64, hex patterns...")
72
    import base64
73
    for i, (d, text, raw) in enumerate(messages):
74
      if d == "CLIENT" and len(text) > 20:
75
        try:
76
          decoded_b64 = base64.b64decode(text)
77
          dec_str = decoded_b64.decode('utf-8', errors='replace')
78
          if 'VBD' in dec_str:
79
            print(f"  [+] Base64 flag in msg {i}: {dec_str}")
80
        except:
81
          pass
82

83
  with open(r"D:\\ctf\\seetwo\\decoded_messages.txt", "w", encoding="utf-8") as f:
84
    for i, (d, text, raw) in enumerate(messages):
85
      f.write(f"[{i}] {d}: {text}\\n")
86
      f.write(f"    HEX: {raw.hex()}\\n")
87
  print("\\nSaved to decoded_messages.txt")
88

89
if __name__ == "__main__":
90
  main()

2. Say_Team Payload Extractor#

Extracted UDP game server payloads:

Filtered Half-Life protocol packets (starting with FFFFFFFF)
Identified 24 say_team rcon command payloads with encrypted data
Attempted various single-byte and multi-byte XOR bruteforce attacks

1
#!/usr/bin/env python3
2
"""Extract raw hex of say_team payloads and attempt decoding"""
3
import subprocess, re, sys
4

5
def main():
6
  result = subprocess.run(
7
    ["ssh", "-p", "2222", "kali@127.0.0.1",
8
     "tshark -r ~/capture2.pcapng -Y 'udp && data' -T fields -e frame.number -e udp.srcport -e udp.dstport -e data 2>/dev/null"],
9
    capture_output=True, text=True, input="linux0192\\n", timeout=60
10
  )
11

12
  lines = result.stdout.strip().split('\\n')
13
  say_team_payloads = []
14
  all_connectionless = []
15

16
  for line in lines:
17
    parts = line.strip().split('\\t')
18
    if len(parts) < 4:
19
      continue
20
    frame, srcport, dstport, hexdata = parts[0].strip(), parts[1].strip(), parts[2].strip(), parts[3].strip()
21
    raw = bytes.fromhex(hexdata)
22

23
    if raw[:4] == b'\\xff\\xff\\xff\\xff':
24
      payload = raw[4:]
25
      try:
26
        text = payload.decode('ascii', errors='replace')
27
      except:
28
        text = ""
29

30
      if 'say_team' in text:
31
        idx = text.find('say_team ')
32
        if idx >= 0:
33
          after = payload[idx + len('say_team '):]
34
          say_team_payloads.append((int(frame), after, hexdata))
35
          print(f"Frame {frame}: say_team raw hex ({len(after)} bytes):")
36
          print(f"  {after.hex()}")
37
          print(f"  First 20 bytes: {list(after[:20])}")
38
          print()
39

40
      all_connectionless.append((int(frame), srcport, dstport, payload))
41

42
  print(f"\\n{'='*60}")
43
  print(f"Total say_team payloads: {len(say_team_payloads)}")
44
  print(f"{'='*60}\\n")
45

46
  print("=== XOR single-byte key bruteforce (first payload) ===")
47
  if say_team_payloads:
48
    first_data = say_team_payloads[0][1]
49
    for key in range(256):
50
      decoded = bytes([b ^ key for b in first_data])
51
      printable = sum(1 for b in decoded if 32 <= b < 127)
52
      if printable > len(decoded) * 0.7:
53
        print(f"  Key 0x{key:02x}: {decoded[:60]}")
54

55
  print("\\n=== Concatenated say_team data ===")
56
  all_data = b''.join(d for _, d, _ in sorted(say_team_payloads))
57
  print(f"Total concatenated bytes: {len(all_data)}")
58
  print(f"Hex: {all_data[:100].hex()}")
59

60
  for key in [0x00, 0x41, 0x42, 0x55, 0xAA, 0xFF, 0x69, 0x13]:
61
    decoded = bytes([b ^ key for b in all_data])
62
    if b'VBD' in decoded or b'flag' in decoded:
63
      print(f"  [+] KEY 0x{key:02x} FOUND FLAG: {decoded}")
64
      break
65

66
  first_bytes = [d[0] for _, d, _ in sorted(say_team_payloads)]
67
  print(f"\\nFirst bytes: {[chr(b) if 32 <= b < 127 else f'0x{b:02x}' for b in first_bytes]}")
68
  print(f"First bytes hex: {bytes(first_bytes).hex()}")
69

70
  print("\\n=== Looking for XOR key via known plaintext ===")
71
  known = b"VBD{"
72
  for i, (frame, data, _) in enumerate(sorted(say_team_payloads)):
73
    if len(data) >= 4:
74
      possible_key = bytes([data[j] ^ known[j] for j in range(4)])
75
      decoded_full = bytes([data[j] ^ possible_key[j % 4] for j in range(len(data))])
76
      printable = sum(1 for b in decoded_full if 32 <= b < 127 or b in [10, 13])
77
      if printable > len(decoded_full) * 0.5:
78
        print(f"  Payload {i} (Frame {frame}): key={possible_key.hex()}, decoded[:40]={decoded_full[:40]}")
79

80
  print("\\n=== Byte at various offsets from each payload ===")
81
  for offset in [0, 1, 2, 3, 4, 5]:
82
    chars = []
83
    for _, data, _ in sorted(say_team_payloads):
84
      if len(data) > offset:
85
        chars.append(data[offset])
86
    text = ''.join(chr(b) if 32 <= b < 127 else '.' for b in chars)
87
    print(f"  Offset {offset}: {text}  hex={bytes(chars).hex()}")
88

89
  with open(r"D:\\ctf\\seetwo\\say_team_payloads.bin", "wb") as f:
90
    for frame, data, _ in sorted(say_team_payloads):
91
      f.write(data)
92

93
  with open(r"D:\\ctf\\seetwo\\say_team_hex.txt", "w") as f:
94
    for frame, data, hexd in sorted(say_team_payloads):
95
      f.write(f"Frame {frame} ({len(data)} bytes): {data.hex()}\\n")
96

97
  print("\\nSaved raw payloads to say_team_payloads.bin and say_team_hex.txt")
98

99
if __name__ == "__main__":
100
  main()

3. Known Plaintext Attack Script (Main Solution)#

The breakthrough script that solved the challenge:

1
#!/usr/bin/env python3
2
"""Known Plaintext Attack on say_team encrypted data.
3
Windows dir C:\\ output has known structure that reveals XOR key."""
4

5
payloads = {
6
  1789: "5cae7da621a08c49b850fca7f22126410d8177986989a55fd40b9bcee7474491c991229741aaac6dd370d685ad7e17102ac163af23",
7
  5878: "5ea3389774838c1ef14ab9b1f227224d5eb67793609dc950f704f5b4e22b3806",
8
  5937: "5ea3389774838c1ecb41ebbce12274660b98359e73ce804db817abe1b363151b49cd",
9
  6004: "5eb13e89648d9d51ea5db9bae66e171222",
10
  6075: "4cc778ca33c1db0eaa10b9f5b07e6e1c48d577db21d2ad77ca1ab9f5a06e74085ed577db40a3ad",
11
  6161: "4cc778cb33c1db0eaa10b9f5b07f6e1b4dd577db21cec91eb804b9f5b17f66044fc661db609e9948fd56f0b3d5077a4c1299",
12
  6220: "4ccc78cb35c1db0eaa11b9f5b17c6e1d4fd577db21cec91eb804b9f5a07f66044ccd6fdb459b844ecb50f8b6eb60384719",
13
  6281: "4ecd78cb32c1db0eaa11b9f5b17a6e194ad577db21d2ad77ca1ab9f5a06e74085ed577db44bdad",
14
  6340: "4dc478cb36c1db0eaa11b9f5b0766e1c4ed577db21d2ad77ca1ab9f5a06e74085ed577db68808c4ae851fb",
15
  6403: "4cc278ca31c1db0eaa10b9f5b0766e1c4cd577db21d2ad77ca1ab9f5a06e74085ed577db4cbda0",
16
  6466: "4cc278ca31c1db0eaa10b9f5b0766e184dd577db21cec91eb804b9f5a06e74084fcc63db6c978551ff0af5bae7",
17
  6525: "4ec478cb35c1db0eaa10b9f5b17c6e1a48d577db21d2ad77ca1ab9f5a06e74085ed577db518b9b58d44bfea6",
18
  6583: "4fc078cb33c1db0eaa12b9f5b1786e184cd577db21d2ad77ca1ab9f5a06e74085ed577db519c8659ea45f4f5c627384d0d",
19
  6645: "4ec778cb39c1db0eaa11b9f5b17a6e1a4ad577db21d2ad77ca1ab9f5a06e74085ed577db519c8659ea45f4f5c627384d0dd57f8339d8c0",
20
  6715: "4fc378ca33c1db0eaa11b9f5b27f6e1848d577db21d2ad77ca1ab9f5a06e74085ed577db5387864ab863f8b8e53d",
21
  6801: "4cc578cb30c1db0eaa12b9f5b07e6e194bd577db21d2ad77ca1ab9f5a06e74085ed577db758399",
22
  6867: "4cc478ca31c1db0eaa11b9f5b07c6e1c49d577db21d2ad77ca1ab9f5a06e74085ed577db549d8c4ceb",
23
  6932: "4cc778cb33c1db0eaa10b9f5b07f6e1b4ad577db21cec91eb804b9f5a07862044dc76fdb77888a51f554f8a1ae2a3844",
24
  6991: "4fcd78cb33c1db0eaa12b9f5b17e6e184cd577db21d2ad77ca1ab9f5a06e74085ed577db5687875af753ea",
25
  7056: "4ec178ca30c1db0eaa10b9f5b17c6e1947d577db21d2ad77ca1ab9f5a06e74085ed577db598c8646df45f4b0f3",
26
  7119: "5ed577db21cec91eb804b9f5a06e741c5eb33e9764c69a17b804b9f5a06e74084fcc67d738dadf1efa5dedb0f3",
27
  7173: "5ed577db21cec91eb804b9f5a06e651a5eb13e89299dc01eb804abf9b67d610447c764d735dbdf1efa5dedb0f36e325a1b90",
28
  13765: "109c349e219a9b47b404f0f5ec273f4d5e8138db768f8552f045fabea0",
29
  15060: "28b7138030b19e0aad7bf3a0b53a0b4f1f9866955e80b65cf04be9a5e9203355",
30
}
31

32
key = bytes([0x7e, 0xf5, 0x57, 0xfb, 0x01, 0xee, 0xe9, 0x3e,
33
       0x98, 0x24, 0x99, 0xd5, 0x80, 0x4e, 0x54, 0x28])
34

35
print(f"XOR Key (16 bytes): {key.hex()}")
36
print(f"Key as ASCII where printable: ", end="")
37
for b in key:
38
  if 32 <= b < 127:
39
    print(chr(b), end="")
40
  else:
41
    print(f"\\x{b:02x}", end="")
42
print("\\n")
43

44
for frame, hexdata in sorted(payloads.items()):
45
  data = bytes.fromhex(hexdata)
46
  decrypted = bytes([data[i] ^ key[i % 16] for i in range(len(data))])
47
  try:
48
    text = decrypted.decode('ascii', errors='replace')
49
  except:
50
    text = repr(decrypted)
51
  print(f"Frame {frame:5d} ({len(data):3d} bytes): {text}")
52

53
print("\\n" + "="*60)
54
print("KEY FRAMES:")
55
print("="*60)
56

57
data = bytes.fromhex(payloads[13765])
58
decrypted = bytes([data[i] ^ key[i % 16] for i in range(len(data))])
59
print(f"\\nE:\\flag.txt content: {decrypted.decode('ascii', errors='replace')}")
60

61
data = bytes.fromhex(payloads[15060])
62
decrypted = bytes([data[i] ^ key[i % 16] for i in range(len(data))])
63
print(f"E:\\wallhack.txt content: {decrypted.decode('ascii', errors='replace')}")

Key Discovery Process:

Identified frames 6075-6801 contained “dir C:” output with <DIR> entries
Date format: DD/MM/YYYY with known ”/” characters at positions 2 and 5
Year “2022” at positions 6-9 (4 bytes known)
Time separator ”:” at known positions
Directory marker: <DIR> (4 spaces + + 10 spaces)
By XORing encrypted bytes with known plaintext, extracted 16-byte repeating key

Critical Frames:

Frame 13765: type E:\flag.txt
- Decrypted: “nice try, i like to wallhack ”
- Red herring! Flag not here.
Frame 15060: type E:\wallhack.txt
- Decrypted: VBD{1_w45_ju5t_gam1n_n_bhopping} âœ“
- This contained the actual flag!

4. Additional Analysis Scripts#

Memory key hunter

Searched for flag.txt.tusk, decrypt notes, encryption keys
Found ransomware artifacts but no working decryption key

1
#!/usr/bin/env python3
2
"""Find TuskLocker2 ransom note, key, and encrypted flag"""
3
import sys, re
4

5
DUMP = r"D:\\ctf\\seetwo\\extracted\\ramadanctf2026_dump.raw"
6

7
print("=== SEARCHING FOR TUSKLOCKER2 KEY AND FLAG ===\\n")
8

9
patterns = {
10
  "flag.txt.tusk": b"flag.txt.tusk",
11
  "DECRYPT_YOUR_FILES": b"DECRYPT_YOUR_FILES",
12
  "TuskLocker2": b"TuskLocker2",
13
  "key": b"key",
14
  "Key": b"Key",
15
  "KEY": b"KEY",
16
  "password": b"password",
17
  "Password": b"Password",
18
}
19

20
CHUNK = 1024 * 1024 * 64
21
OVERLAP = 1000
22

23
matches = {p: [] for p in patterns}
24

25
with open(DUMP, "rb") as f:
26
  offset = 0
27
  prev_tail = b""
28
  chunk_num = 0
29
  while True:
30
    data = f.read(CHUNK)
31
    if not data:
32
      break
33

34
    search_data = prev_tail + data
35
    search_offset = offset - len(prev_tail)
36

37
    for name, pattern in patterns.items():
38
      idx = 0
39
      while True:
40
        pos = search_data.find(pattern, idx)
41
        if pos == -1:
42
          break
43
        abs_pos = search_offset + pos
44
        ctx_start = max(0, pos - 500)
45
        ctx_end = min(len(search_data), pos + 500)
46
        context = search_data[ctx_start:ctx_end]
47
        if not matches[name] or abs_pos != matches[name][-1][0]:
48
          matches[name].append((abs_pos, context))
49
        idx = pos + 1
50

51
    prev_tail = data[-OVERLAP:]
52
    offset += len(data)
53
    chunk_num += 1
54
    if chunk_num % 10 == 0:
55
      print(f"  ... scanned {offset / (1024*1024*1024):.1f} GB", file=sys.stderr)
56

57
print()
58

59
print("=== FLAG.TXT.TUSK LOCATIONS ===")
60
for off, ctx in matches["flag.txt.tusk"][:10]:
61
  text = ''.join(chr(b) if 32 <= b < 127 or b in [10, 13] else '.' for b in ctx)
62
  print(f"\\n0x{off:x}:")
63
  print(text[:800])
64

65
print("\\n=== SEARCHING FOR VBD{ NEAR FLAG.TXT.TUSK ===")
66
with open(DUMP, "rb") as f:
67
  for off, _ in matches["flag.txt.tusk"][:5]:
68
    f.seek(max(0, off - 5000))
69
    region = f.read(10000)
70
    vbd_pos = region.find(b"VBD{")
71
    if vbd_pos != -1:
72
      abs_vbd = off - 5000 + vbd_pos
73
      flag_ctx = region[vbd_pos:vbd_pos+100]
74
      flag_str = ''.join(chr(b) if 32 <= b < 127 else '.' for b in flag_ctx)
75
      print(f"  [+] FOUND VBD at 0x{abs_vbd:x}: {flag_str[:80]}")
76

77
print("\\n=== DECRYPT_YOUR_FILES.TXT CONTEXT ===")
78
for off, ctx in matches["DECRYPT_YOUR_FILES"][:3]:
79
  text = ''.join(chr(b) if 32 <= b < 127 or b in [10, 13] else '.' for b in ctx)
80
  print(f"\\n0x{off:x}:")
81
  print(text[:800])
82

83
print("\\n=== SEARCHING FOR KEY NEAR TUSKLOCKER ===")
84
tusk_offsets = [off for off, _ in matches["TuskLocker2"]]
85
with open(DUMP, "rb") as f:
86
  for tusk_off in tusk_offsets[:5]:
87
    f.seek(max(0, tusk_off - 2000))
88
    region = f.read(4000)
89
    strings = []
90
    current = b""
91
    for i, b in enumerate(region):
92
      if 32 <= b < 127:
93
        current += bytes([b])
94
      else:
95
        if len(current) >= 8:
96
          strings.append(current.decode())
97
        current = b""
98
    interesting = [s for s in strings if any(kw in s.lower() for kw in
99
      ['key', 'password', 'decrypt', 'vbd', 'flag', 'secret', 'tusk'])]
100
    if interesting:
101
      print(f"\\n  Near 0x{tusk_off:x}:")
102
      for s in interesting[:20]:
103
        print(f"    {s}")
104

105
print("\\n=== DONE ===")

Systematic XOR bruteforce

Tested single-byte keys (0x00-0xFF)
Attempted multi-byte key recovery
Unsuccessful due to 16-byte key length

1
#!/usr/bin/env python3
2
"""Find TuskLocker encrypted flag and XOR key"""
3
import sys
4

5
DUMP = r"D:\\ctf\\seetwo\\extracted\\ramadanctf2026_dump.raw"
6

7
print("Loading 5GB dump into memory...")
8
with open(DUMP, "rb") as f:
9
  data = f.read()
10

11
print(f"Loaded {len(data)} bytes\\n")
12
print("=== SEARCHING FOR ENCRYPTED FLAG DATA ===")
13

14
original_flag_pos = data.find(b"C:\\\\flag.txt")
15
if original_flag_pos >= 0:
16
  print(f"\\nFound 'C:\\\\flag.txt' at 0x{original_flag_pos:x}")
17
  ctx = data[original_flag_pos-200:original_flag_pos+500]
18
  print(f"\\nContext (hex):\\n{ctx.hex()}")
19
  print(f"\\nContext (text):\\n{ctx}")
20

21
flag_refs = []
22
idx = 0
23
while True:
24
  pos = data.find(b"flag.txt", idx)
25
  if pos == -1:
26
    break
27
  flag_refs.append(pos)
28
  idx = pos + 1
29

30
print(f"\\nFound {len(flag_refs)} references to 'flag.txt'")
31

32
for ref_pos in flag_refs[:5]:
33
  print(f"\\n--- Reference @ 0x{ref_pos:x} ---")
34
  after = data[ref_pos+8:ref_pos+150]
35
  binary_count = sum(1 for b in after[:50] if b < 32 or b > 126)
36
  if binary_count > 30:
37
    print(f"  High binary content after this reference ({binary_count}/50 non-ASCII)")
38
    print(f"  Hex: {after[:50].hex()}")
39
    test_keys = [b"walrus", b"tusk", b"I am the walrus", b"TuskLocker2"]
40
    for key in test_keys:
41
      dec = bytes([after[i] ^ key[i % len(key)] for i in range(min(50, len(after)))])
42
      if b"VBD{" in dec:
43
        print(f"\\n  [+] KEY FOUND: {key}")
44
        print(f"  [+] FLAG: {dec[:50].decode('ascii', errors='replace')}")
45

46
print("\\n=== SEARCHING FOR .tusk FILE CONTENT ===")
47
tusk_pos = data.find(b"flag.txt.tusk")
48
if tusk_pos >= 0:
49
  print(f"\\nFound 'flag.txt.tusk' at 0x{tusk_pos:x}")
50
  region = data[tusk_pos-2000:tusk_pos+2000]
51
  print("\\nSearching for 32-50 byte encrypted chunks nearby...")
52
  for offset in range(len(region) - 50):
53
    chunk = region[offset:offset+50]
54
    if len(set(chunk)) > 25:
55
      for key_str in ["walrus", "tusk", "I am the walrus", "TuskLocker", "TuskLocker2"]:
56
        key = key_str.encode()
57
        dec = bytes([chunk[i] ^ key[i % len(key)] for i in range(len(chunk))])
58
        if b"VBD{" in dec:
59
          abs_pos = tusk_pos - 2000 + offset
60
          print(f"\\n[+] FOUND @ 0x{abs_pos:x} with key '{key_str}'")
61
          print(f"[+] Decrypted: {dec[:60]}")
62
          end = dec.find(b"}")
63
          if end >= 0:
64
            flag = dec[:end+1].decode('ascii', errors='replace')
65
            print(f"\\n[+] FULL FLAG: {flag}")
66
            sys.exit(0)
67

68
print("\\n=== TRYING BRUTE FORCE XOR ON SUSPICIOUS REGIONS ===")
69
for start in range(0, len(data) - 50, 10000):
70
  chunk = data[start:start+50]
71
  if len(set(chunk)) > 30:
72
    for xor_key in range(256):
73
      dec = bytes([b ^ xor_key for b in chunk])
74
      if dec.startswith(b"VBD{"):
75
        end = dec.find(b"}")
76
        if end >= 0 and 30 < end < 50:
77
          flag = dec[:end+1].decode('ascii', errors='replace')
78
          print(f"\\n[+] FOUND @ 0x{start:x} with single-byte XOR key 0x{xor_key:02x}")
79
          print(f"[+] FLAG: {flag}")
80
          sys.exit(0)
81

82
print("\\nNo flag found.")

Memory context extractor

Extracted strings and patterns from memory dump
Focused on suspicious offsets around C2 and ransomware artifacts

1
#!/usr/bin/env python3
2
"""Extract context around key offsets in memory dump"""
3
import sys
4

5
DUMP = r"D:\\ctf\\seetwo\\extracted\\ramadanctf2026_dump.raw"
6

7
offsets = {
8
  "CTF{K": 0x87d76bb3,
9
  "C2_tool_code": 0x672565a8 - 0x200,
10
  "C2_tool2": 0x672d5b37 - 0x200,
11
  "nice_try": 0x672d519f - 0x100,
12
  "rcon_status_1": 0x5df3fd23 - 0x100,
13
  "test123_rcon": 0x67256598 - 0x400,
14
}
15

16
with open(DUMP, "rb") as f:
17
  for name, offset in offsets.items():
18
    f.seek(offset)
19
    data = f.read(2048)
20
    print(f"\\n{'='*60}")
21
    print(f"=== {name} @ 0x{offset:x} ===")
22
    print(f"{'='*60}")
23
    for i in range(0, len(data), 64):
24
      chunk = data[i:i+64]
25
      ascii_str = ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk[:32])
26
      print(f"  {offset+i:08x}: {ascii_str}")
27
    print(f"\\n  Strings:")
28
    current = b""
29
    strings = []
30
    for i, b in enumerate(data):
31
      if 32 <= b < 127:
32
        current += bytes([b])
33
      else:
34
        if len(current) >= 4:
35
          strings.append((i - len(current) + offset, current.decode()))
36
        current = b""
37
    if len(current) >= 4:
38
      strings.append((len(data) - len(current) + offset, current.decode()))
39
    for off, s in strings:
40
      print(f"    0x{off:x}: {s}")

Deep UDP/packet analysis helper

Searched all UDP payloads for flag-like strings
Ran brute-force and known-key XOR checks against concatenated say_team data

1
#!/usr/bin/env python3
2
"""Deep analysis: Search ALL UDP data for flag, try XOR, check game packets"""
3
import subprocess, re, struct, itertools
4

5
def main():
6
  result = subprocess.run(
7
    ["ssh", "-p", "2222", "kali@127.0.0.1",
8
     "tshark -r ~/capture2.pcapng -Y 'udp && data' -T fields -e frame.number -e udp.srcport -e udp.dstport -e data 2>/dev/null"],
9
    capture_output=True, text=True, input="linux0192\\n", timeout=120
10
  )
11
  lines = result.stdout.strip().split('\\n')
12
  connectionless = []
13
  game_data = []
14
  say_team_data = []
15

16
  for line in lines:
17
    parts = line.strip().split('\\t')
18
    if len(parts) < 4:
19
      continue
20
    frame, srcport, dstport, hexdata = parts[0].strip(), parts[1].strip(), parts[2].strip(), parts[3].strip()
21
    try:
22
      raw = bytes.fromhex(hexdata)
23
    except:
24
      continue
25
    if raw[:4] == b'\\xff\\xff\\xff\\xff':
26
      payload = raw[4:]
27
      connectionless.append((int(frame), srcport, dstport, payload))
28
      text = payload.decode('latin1', errors='replace')
29
      if 'say_team ' in text:
30
        idx = text.find('say_team ')
31
        after_bytes = payload[idx + len('say_team '):]
32
        say_team_data.append((int(frame), after_bytes))
33
    else:
34
      game_data.append((int(frame), srcport, dstport, raw))
35

36
  print(f"Connectionless packets: {len(connectionless)}")
37
  print(f"Game data packets: {len(game_data)}")
38
  print(f"Say_team payloads: {len(say_team_data)}")
39

40
  print("\\n=== SEARCH ALL PACKETS FOR 'VBD' ===")
41
  for frame, sp, dp, raw in game_data:
42
    if b'VBD' in raw:
43
      idx = raw.index(b'VBD')
44
      print(f"  [+] FOUND in game data Frame {frame} ({sp}->{dp}): ...{raw[max(0,idx-10):idx+50]}...")
45
  for frame, sp, dp, payload in connectionless:
46
    if b'VBD' in payload:
47
      idx = payload.index(b'VBD')
48
      print(f"  [+] FOUND in connectionless Frame {frame} ({sp}->{dp}): ...{payload[max(0,idx-10):idx+50]}...")
49

50
  print("\\n=== SEARCH ALL PACKETS FOR flag-like strings ===")
51
  for target in [b'flag', b'Flag', b'FLAG', b'{', b'ctf', b'VBD']:
52
    count = 0
53
    for frame, sp, dp, raw in game_data + [(f, s, d, p) for f, s, d, p in connectionless]:
54
      if target in raw:
55
        count += 1
56
    if count > 0:
57
      print(f"  '{target.decode()}' found in {count} packets")
58

59
  print("\\n=== XOR BRUTE FORCE (single byte) on say_team data ===")
60
  all_say = b''.join(d for _, d in sorted(say_team_data))
61
  for key in range(256):
62
    decoded = bytes([b ^ key for b in all_say])
63
    if b'VBD' in decoded:
64
      print(f"  [+] KEY 0x{key:02x}: {decoded[:100]}")
65

66
  print("\\n=== XOR with known keys ===")
67
  for keyname, key in [('test123', b'test123'), ('693454466', b'693454466'), ('rcon', b'rcon'), ('jisuuu', b'jisuuu')]:
68
    decoded = bytes([all_say[i] ^ key[i % len(key)] for i in range(len(all_say))])
69
    if b'VBD' in decoded:
70
      print(f"  [+] KEY '{keyname}': found VBD! {decoded[:100]}")
71
    printable = sum(1 for b in decoded[:50] if 32 <= b < 127)
72
    if printable > 35:
73
      print(f"  KEY '{keyname}': {printable}/50 printable: {decoded[:50]}")
74

75
  print("\\n=== XOR each say_team payload with known keys ===")
76
  for keyname, key in [('test123', b'test123'), ('693454466', b'693454466'), ('jisuuu', b'jisuuu'), ('de_dust2', b'de_dust2')]:
77
    for i, (frame, data) in enumerate(sorted(say_team_data)):
78
      decoded = bytes([data[j] ^ key[j % len(key)] for j in range(len(data))])
79
      printable = sum(1 for b in decoded if 32 <= b < 127)
80
      if printable > len(decoded) * 0.65:
81
        print(f"  KEY '{keyname}', Frame {frame}: {decoded[:60]} ({printable}/{len(data)} printable)")
82

83
  print("\\n=== GAME DATA FROM SERVER AROUND SAY_TEAM TIME ===")
84
  for frame, sp, dp, raw in game_data:
85
    if int(sp) == 27015 and 5850 <= int(frame) <= 7200:
86
      strings = []
87
      current = b''
88
      for b in raw:
89
        if 32 <= b < 127:
90
          current += bytes([b])
91
        else:
92
          if len(current) >= 4:
93
            strings.append(current.decode())
94
          current = b''
95
      if current and len(current) >= 4:
96
        strings.append(current.decode())
97
      if strings:
98
        print(f"  Frame {frame}: {strings[:5]}")
99

100
  import base64
101
  print("\\n=== BASE64 DECODE ATTEMPT ===")
102
  for frame, data in sorted(say_team_data):
103
    try:
104
      decoded = base64.b64decode(data)
105
      if b'VBD' in decoded or all(32 <= b < 127 for b in decoded[:10]):
106
        print(f"  Frame {frame}: base64 decoded: {decoded[:50]}")
107
    except:
108
      pass
109

110
  print("\\n=== ALL TEXT FROM SERVER GAME DATA ===")
111
  all_server_text = set()
112
  for frame, sp, dp, raw in game_data:
113
    if int(sp) == 27015:
114
      text = b''
115
      for b in raw:
116
        if 32 <= b < 127:
117
          text += bytes([b])
118
        else:
119
          if len(text) >= 5:
120
            all_server_text.add(text.decode())
121
          text = b''
122
      if len(text) >= 5:
123
        all_server_text.add(text.decode())
124

125
  for t in sorted(all_server_text):
126
    if any(kw in t.lower() for kw in ['flag', 'vbd', 'cmd', 'type', 'rcon', 'secret', 'key', 'password', 'hack', 'say']):
127
      print(f"  {t}")
128

129
  print(f"\\n  Total unique strings from server: {len(all_server_text)}")
130
  with open(r"D:\\ctf\\seetwo\\server_strings.txt", "w") as f:
131
    for t in sorted(all_server_text):
132
      f.write(t + "\\n")
133
  print("  Saved to server_strings.txt")
134

135
if __name__ == "__main__":
136
  main()

Attack Methodology#

Phase 1: Traffic Analysis#

1
# Extract UDP payloads
2
tshark -r capture2.pcapng -Y 'udp && data' \
3
  -T fields -e frame.number -e data

Discovered 24 encrypted say_team payloads in frames 1789-15060.

Phase 2: Known Plaintext Attack (KPA)#

Rationale: The attacker used rcon to execute Windows commands, which have predictable output.

Key Insight: Directory listing format is consistent:

1
01/06/2022  03:58    <DIR>          Users
2
01/06/2022  03:58    <DIR>          Windows

XOR Key Recovery:

Position 2: Encrypted 0x78 â†’ Known / (0x2F) â†’ Key byte: 0x78 âŠ• 0x2F = 0x57
Position 5: Encrypted 0xC1 â†’ Known / (0x2F) â†’ Key byte: 0xC1 âŠ• 0x2F = 0xEE
Position 6-9: Year “2022” â†’ Key bytes extracted
Continued for all positions with known plaintext

Verification: Key pattern repeated every 16 bytes:

1
key[2] = key[18] = key[34] = 0x57 âœ“
2
key[5] = key[21] = 0xEE âœ“

Phase 3: Decryption & Flag Extraction#

1
# Decrypt Frame 15060 (wallhack.txt)
2
key = bytes([0x7e, 0xf5, 0x57, 0xfb, 0x01, 0xee, 0xe9, 0x3e,
3
             0x98, 0x24, 0x99, 0xd5, 0x80, 0x4e, 0x54, 0x28])
4

5
data = bytes.fromhex('28b7138030b19e0aad7bf3a0b53a0b4f1f9866955e80b65cf04be9a5e9203355')
6
decrypted = bytes([data[i] ^ key[i % 16] for i in range(len(data))])
7
# Result: VBD{1_w45_ju5t_gam1n_n_bhopping}

Technical Details#

Half-Life RCON Protocol#

Uses UDP connectionless packets (prefix: FFFFFFFF)
Format: rcon <challenge> <password> <command>
Response encrypted with XOR cipher

XOR Encryption#

Algorithm: Repeating-key XOR
Key Length: 16 bytes
Key: 7ef557fb01eee93e982499d5804e5428
Weakness: Vulnerable to known-plaintext attack when long predictable outputs exist

All Decrypted Commands#

Analysis of all 24 say_team payloads revealed:

Directory listings (dir C:)
File type commands (type E:\flag.txt, type E:\wallhack.txt)
Network scans (nmap, etc.)
Privilege escalation attempts

Lessons Learned#

Known-Plaintext Attack Effectiveness: When dealing with command output encryption, leverage predictable OS command formats
Red Herrings: Challenge contained misleading file names (flag.txt â†’ wallhack.txt)
Network Forensics: Game servers can be exploited as C2 channels
Crypto Weakness: Repeating-key XOR with long plaintext exposure is highly vulnerable

Tools Used#

Wireshark/tshark - Network traffic analysis
Python 3 - Custom decryption scripts
Volatility (attempted) - Memory forensics
SSH - Remote packet analysis on Kali VM

Script Artifacts#

All analysis scripts used in the solve are embedded directly in this writeup under the Key Scripts Developed section and the Additional Analysis Scripts section.

Flag#

1
VBD{1_w45_ju5t_gam1n_n_bhopping}

Flag Reference: “I was just gaming and bhopping” (bunny hopping in Counter-Strike/Half-Life)

Timeline#

Initial PCAP analysis - Identified encrypted UDP traffic
WebSocket decoding - Found application monitoring
XOR bruteforce - Single/multi-byte attempts failed
Known-plaintext breakthrough - Recognized dir command output structure
Key extraction - Derived 16-byte XOR key
Flag discovery - Decrypted wallhack.txt content