ContAInment
Initial Detection
The investigation began after internal monitoring systems flagged anomalous network activity originating from senior researcher Oliver Deer's workstation. After connecting to the machine over SSH, a ransom note was found on the desktop.
ssh o.deer@TARGET_IP
cat ~/Desktop/pwned.txt
The note, left by an attacker going by the alias rootedReaper, confirmed the full compromise of the system: sensitive defence project data had been exfiltrated and local files encrypted. The ransom note also included a taunt about West Tech's AI being used against itself.
PCAP Forensics
With evidence pointing to a recent attack, the next step was to inspect network captures stored on the machine.
ls -la ~/Documents/pcap_dumps/2025-06-17/
Most dump files in the directory were 198 bytes — empty sessions with no real data. One file stood out: session_xxxx_dump.pcap weighed in at 2262 bytes, indicating an active data transfer or command session had been captured.
The suspicious port number (xxxx) further suggested a reverse shell or C2 connection.
Key Recovery
The anomalous PCAP file was reconstructed to extract the attacker's session in plaintext.
Using the pcap_file_reassembler tool provided by the AI assistant, the captured traffic was converted into a readable log:
reassembled_data_dump.txt

Within the attacker's notes, a critical string was identified: wesxxxxxxx — annotated by the attacker as their "leverage" to ensure ransom payment. This turned out to be the encryption password used to lock the stolen files.
Data Recovery
With the password in hand, the encrypted archive on Oliver Deer's home directory was unlocked:
unzip -P wesxxxxxxx ~/westtech_projects_encrypted.zip
The archive contained engineering blueprints, prototype logs, and a technical guide (thm_flags_guide.txt) describing the final challenge left by the attacker.
Flag Extraction
The recovered thm_flags_guide.txt revealed that a file named thm_flags.txt contained 500 potential flags encoded in Base64. Only one was legitimate.
Selection criteria: The valid flag had to contain exactly 3 prime numbers among its decoded values.
The AI assistant's Liberty Prime tool was used to:
- Decode all 500 Base64 strings
- Parse the numerical values from each
- Apply the prime number filter
This isolated the definitive flag, confirming full containment of the threat.
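As an added example (not the Liberty Prime tool from the challenge), the following Python script performs the same three steps over a constructed candidate list. It assumes each decoded flag carries its numbers as digit runs separated by non-digit characters, and it skips candidates that are not valid Base64 rather than aborting on them.

```python
import base64
import re
from math import isqrt

# Constructed sample flags (not the challenge's thm_flags.txt). The numbers
# inside each flag are assumed to be separated by non-digit characters.
CONSTRUCTED_FLAGS = [
    "THM{4-6-8-9}",    # no primes
    "THM{1-2-3-4}",    # two primes (1 is not prime)
    "THM{2-3-5-8}",    # exactly three primes -> the legitimate one
    "THM{2-3-5-7}",    # four primes
    "THM{11-12-13}",   # two primes
]
# Base64-encode the constructed flags and append one malformed entry.
ENCODED_CANDIDATES = [base64.b64encode(f.encode()).decode() for f in CONSTRUCTED_FLAGS]
ENCODED_CANDIDATES.append("!!!not-base64!!!")


def is_prime(n):
    """Deterministic trial division; fine for the small numbers in a flag."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def decode_candidate(b64):
    """Return the decoded UTF-8 text, or None if the entry is not valid Base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def extract_numbers(text):
    return [int(m) for m in re.findall(r"\d+", text)]


def count_primes(values):
    return sum(1 for v in values if is_prime(v))


def find_flags(encoded, required_primes=3):
    """Decode every candidate and keep those with exactly `required_primes` primes."""
    hits = []
    for b64 in encoded:
        text = decode_candidate(b64)
        if text is not None and count_primes(extract_numbers(text)) == required_primes:
            hits.append(text)
    return hits


if __name__ == "__main__":
    print(find_flags(ENCODED_CANDIDATES))  # ['THM{2-3-5-8}']
```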

Flag captured 🏴
