[{"data":1,"prerenderedAt":433},["ShallowReactive",2],{"search":3,"recent-machines":28,"machine-\u002Fmachines\u002Fthm-containment":35},[4,8,12,16,20,24],{"_path":5,"title":6,"image":7},"\u002Fmachines\u002Fhtb-boardlight","BoardLight","\u002Fimg\u002Fmachines\u002Fhtb-boardlight\u002Fcover.png",{"_path":9,"title":10,"image":11},"\u002Fmachines\u002Fhtb-headless","Headless","\u002Fimg\u002Fmachines\u002Fhtb-headless\u002Fcover.png",{"_path":13,"title":14,"image":15},"\u002Fmachines\u002Fhtb-usage","Usage","\u002Fimg\u002Fmachines\u002Fhtb-usage\u002Fcover.png",{"_path":17,"title":18,"image":19},"\u002Fmachines\u002Fthm-containment","ContAInment","\u002Fimg\u002Fmachines\u002Fthm-containment\u002Fcover.png",{"_path":21,"title":22,"image":23},"\u002Fprojects\u002Fmaddox","Maddox","\u002Fimg\u002Fprojects\u002Fmaddox\u002Fcover.png",{"_path":25,"title":26,"image":27},"\u002Fprojects\u002Fsentinel","Sentinel Password Manager","\u002Fimg\u002Fprojects\u002Fsentinel\u002Fcover.png",[29,31,33,34],{"_path":17,"title":18,"difficulty":30},"Medium",{"_path":13,"title":14,"difficulty":32},"Easy",{"_path":9,"title":10,"difficulty":32},{"_path":5,"title":6,"difficulty":32},{"_path":17,"_dir":36,"_draft":37,"_partial":37,"_locale":38,"title":18,"description":39,"difficulty":30,"platform":40,"os":41,"date":42,"image":19,"tags":43,"body":47,"_type":427,"_id":428,"_source":429,"_file":430,"_stem":431,"_extension":432},"machines",false,"","Medium difficulty IR challenge involving ransomware analysis, PCAP forensics, and AI-assisted flag recovery","THM","Linux","2026-04-15",[40,41,30,44,45,46],"DFIR","AI Security","Forensics",{"type":48,"children":49,"toc":420},"root",[50,59,73,116,128,134,139,165,192,197,203,208,220,228,237,257,263,268,298,311,317,344,361,373,393,398,406,414],{"type":51,"tag":52,"props":53,"children":55},"element","h2",{"id":54},"initial-detection",[56],{"type":57,"value":58},"text","Initial Detection",{"type":51,"tag":60,"props":61,"children":62},"p",{},[63,65,71],{"type":57,"value":64},"The investigation began after internal monitoring systems flagged anomalous network activity originating from senior researcher ",{"type":51,"tag":66,"props":67,"children":68},"strong",{},[69],{"type":57,"value":70},"Oliver Deer's",{"type":57,"value":72}," workstation. Upon SSH access to the machine, a ransom note was discovered on the desktop.",{"type":51,"tag":74,"props":75,"children":79},"pre",{"code":76,"language":77,"meta":38,"className":78,"style":38},"ssh o.deer@TARGET_IP\ncat ~\u002FDesktop\u002Fpwned.txt\n","bash","language-bash shiki shiki-themes github-dark",[80],{"type":51,"tag":81,"props":82,"children":83},"code",{"__ignoreMap":38},[84,102],{"type":51,"tag":85,"props":86,"children":89},"span",{"class":87,"line":88},"line",1,[90,96],{"type":51,"tag":85,"props":91,"children":93},{"style":92},"--shiki-default:#B392F0",[94],{"type":57,"value":95},"ssh",{"type":51,"tag":85,"props":97,"children":99},{"style":98},"--shiki-default:#9ECBFF",[100],{"type":57,"value":101}," o.deer@TARGET_IP\n",{"type":51,"tag":85,"props":103,"children":105},{"class":87,"line":104},2,[106,111],{"type":51,"tag":85,"props":107,"children":108},{"style":92},[109],{"type":57,"value":110},"cat",{"type":51,"tag":85,"props":112,"children":113},{"style":98},[114],{"type":57,"value":115}," ~\u002FDesktop\u002Fpwned.txt\n",{"type":51,"tag":60,"props":117,"children":118},{},[119,121,126],{"type":57,"value":120},"The note, left by an attacker going by the alias ",{"type":51,"tag":66,"props":122,"children":123},{},[124],{"type":57,"value":125},"rootedReaper",{"type":57,"value":127},", confirmed the full compromise of the system: sensitive defence project data had been exfiltrated and local files encrypted. The ransom note also included a taunt about West Tech's AI being used against itself.",{"type":51,"tag":52,"props":129,"children":131},{"id":130},"pcap-forensics",[132],{"type":57,"value":133},"PCAP Forensics",{"type":51,"tag":60,"props":135,"children":136},{},[137],{"type":57,"value":138},"With evidence pointing to a recent attack, the next step was to inspect network captures stored on the machine.",{"type":51,"tag":74,"props":140,"children":142},{"code":141,"language":77,"meta":38,"className":78,"style":38},"ls -la ~\u002FDocuments\u002Fpcap_dumps\u002F2025-06-17\u002F\n",[143],{"type":51,"tag":81,"props":144,"children":145},{"__ignoreMap":38},[146],{"type":51,"tag":85,"props":147,"children":148},{"class":87,"line":88},[149,154,160],{"type":51,"tag":85,"props":150,"children":151},{"style":92},[152],{"type":57,"value":153},"ls",{"type":51,"tag":85,"props":155,"children":157},{"style":156},"--shiki-default:#79B8FF",[158],{"type":57,"value":159}," -la",{"type":51,"tag":85,"props":161,"children":162},{"style":98},[163],{"type":57,"value":164}," ~\u002FDocuments\u002Fpcap_dumps\u002F2025-06-17\u002F\n",{"type":51,"tag":60,"props":166,"children":167},{},[168,170,175,177,183,185,190],{"type":57,"value":169},"Most dump files in the directory were ",{"type":51,"tag":66,"props":171,"children":172},{},[173],{"type":57,"value":174},"198 bytes",{"type":57,"value":176}," — empty sessions with no real data. One file stood out: ",{"type":51,"tag":81,"props":178,"children":180},{"className":179},[],[181],{"type":57,"value":182},"session_xxxx_dump.pcap",{"type":57,"value":184}," weighed in at ",{"type":51,"tag":66,"props":186,"children":187},{},[188],{"type":57,"value":189},"2262 bytes",{"type":57,"value":191},", indicating an active data transfer or command session had been captured.",{"type":51,"tag":60,"props":193,"children":194},{},[195],{"type":57,"value":196},"The suspicious port number (xxxx) further suggested a reverse shell or C2 connection.",{"type":51,"tag":52,"props":198,"children":200},{"id":199},"key-recovery",[201],{"type":57,"value":202},"Key Recovery",{"type":51,"tag":60,"props":204,"children":205},{},[206],{"type":57,"value":207},"The anomalous PCAP file was reconstructed to extract the attacker's session in plaintext.",{"type":51,"tag":60,"props":209,"children":210},{},[211,213,218],{"type":57,"value":212},"Using the ",{"type":51,"tag":66,"props":214,"children":215},{},[216],{"type":57,"value":217},"pcap_file_reassembler",{"type":57,"value":219}," tool provided by the AI assistant, the captured traffic was converted into a readable log:",{"type":51,"tag":74,"props":221,"children":223},{"code":222},"reassembled_data_dump.txt\n",[224],{"type":51,"tag":81,"props":225,"children":226},{"__ignoreMap":38},[227],{"type":57,"value":222},{"type":51,"tag":60,"props":229,"children":230},{},[231],{"type":51,"tag":232,"props":233,"children":236},"img",{"alt":234,"src":235},"Reassembled data output","\u002Fimg\u002Fmachines\u002Fthm-containment\u002Freassembler.png",[],{"type":51,"tag":60,"props":238,"children":239},{},[240,242,248,250,255],{"type":57,"value":241},"Within the attacker's notes, a critical string was identified: ",{"type":51,"tag":81,"props":243,"children":245},{"className":244},[],[246],{"type":57,"value":247},"wesxxxxxxx",{"type":57,"value":249}," — annotated by the attacker as their \"leverage\" to ensure ransom payment. This turned out to be the ",{"type":51,"tag":66,"props":251,"children":252},{},[253],{"type":57,"value":254},"encryption password",{"type":57,"value":256}," used to lock the stolen files.",{"type":51,"tag":52,"props":258,"children":260},{"id":259},"data-recovery",[261],{"type":57,"value":262},"Data Recovery",{"type":51,"tag":60,"props":264,"children":265},{},[266],{"type":57,"value":267},"With the password in hand, the encrypted archive on Oliver Deer's home directory was unlocked:",{"type":51,"tag":74,"props":269,"children":271},{"code":270,"language":77,"meta":38,"className":78,"style":38},"unzip -P wesxxxxxxx ~\u002Fwesttech_projects_encrypted.zip\n",[272],{"type":51,"tag":81,"props":273,"children":274},{"__ignoreMap":38},[275],{"type":51,"tag":85,"props":276,"children":277},{"class":87,"line":88},[278,283,288,293],{"type":51,"tag":85,"props":279,"children":280},{"style":92},[281],{"type":57,"value":282},"unzip",{"type":51,"tag":85,"props":284,"children":285},{"style":156},[286],{"type":57,"value":287}," -P",{"type":51,"tag":85,"props":289,"children":290},{"style":98},[291],{"type":57,"value":292}," wesxxxxxxx",{"type":51,"tag":85,"props":294,"children":295},{"style":98},[296],{"type":57,"value":297}," ~\u002Fwesttech_projects_encrypted.zip\n",{"type":51,"tag":60,"props":299,"children":300},{},[301,303,309],{"type":57,"value":302},"The archive contained engineering blueprints, prototype logs, and a technical guide (",{"type":51,"tag":81,"props":304,"children":306},{"className":305},[],[307],{"type":57,"value":308},"thm_flags_guide.txt",{"type":57,"value":310},") describing the final challenge left by the attacker.",{"type":51,"tag":52,"props":312,"children":314},{"id":313},"flag-extraction",[315],{"type":57,"value":316},"Flag Extraction",{"type":51,"tag":60,"props":318,"children":319},{},[320,322,327,329,335,337,342],{"type":57,"value":321},"The recovered ",{"type":51,"tag":81,"props":323,"children":325},{"className":324},[],[326],{"type":57,"value":308},{"type":57,"value":328}," revealed that a file named ",{"type":51,"tag":81,"props":330,"children":332},{"className":331},[],[333],{"type":57,"value":334},"thm_flags.txt",{"type":57,"value":336}," contained ",{"type":51,"tag":66,"props":338,"children":339},{},[340],{"type":57,"value":341},"500 potential flags",{"type":57,"value":343}," encoded in Base64. Only one was legitimate.",{"type":51,"tag":60,"props":345,"children":346},{},[347,352,354,359],{"type":51,"tag":66,"props":348,"children":349},{},[350],{"type":57,"value":351},"Selection criteria:",{"type":57,"value":353}," The valid flag had to contain exactly ",{"type":51,"tag":66,"props":355,"children":356},{},[357],{"type":57,"value":358},"3 prime numbers",{"type":57,"value":360}," among its decoded values.",{"type":51,"tag":60,"props":362,"children":363},{},[364,366,371],{"type":57,"value":365},"The AI assistant's ",{"type":51,"tag":66,"props":367,"children":368},{},[369],{"type":57,"value":370},"Liberty Prime",{"type":57,"value":372}," tool was used to:",{"type":51,"tag":374,"props":375,"children":376},"ol",{},[377,383,388],{"type":51,"tag":378,"props":379,"children":380},"li",{},[381],{"type":57,"value":382},"Decode all 500 Base64 strings",{"type":51,"tag":378,"props":384,"children":385},{},[386],{"type":57,"value":387},"Parse the numerical values from each",{"type":51,"tag":378,"props":389,"children":390},{},[391],{"type":57,"value":392},"Apply the prime number filter",{"type":51,"tag":60,"props":394,"children":395},{},[396],{"type":57,"value":397},"This isolated the definitive flag, confirming full containment of the threat.",{"type":51,"tag":60,"props":399,"children":400},{},[401],{"type":51,"tag":232,"props":402,"children":405},{"alt":403,"src":404},"Flag output","\u002Fimg\u002Fmachines\u002Fthm-containment\u002Fflag.png",[],{"type":51,"tag":60,"props":407,"children":408},{},[409],{"type":51,"tag":66,"props":410,"children":411},{},[412],{"type":57,"value":413},"Flag captured 🏴",{"type":51,"tag":415,"props":416,"children":417},"style",{},[418],{"type":57,"value":419},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":38,"searchDepth":104,"depth":104,"links":421},[422,423,424,425,426],{"id":54,"depth":104,"text":58},{"id":130,"depth":104,"text":133},{"id":199,"depth":104,"text":202},{"id":259,"depth":104,"text":262},{"id":313,"depth":104,"text":316},"markdown","content:machines:thm-containment.md","content","machines\u002Fthm-containment.md","machines\u002Fthm-containment","md",1777047342074]