HTB Cyber Apocalypse CTF 2025: Tales from Eldoria - Forensics - Silent Trap
Challenge Scenario:
A critical incident has struck "Tales from Eldoria," trapping players within the virtual world. Malakar, a mysterious entity, has launched a sophisticated attack, compromising developer and administrator systems. Our task is to investigate this attack, understand its methods, and ultimately find a way to restore the system and free the trapped players.
Challenge Questions and Solutions:
- What is the subject of the first email that the victim opened and replied to?
- On what date and time was the suspicious email sent? (Format: YYYY-MM-DD_HH:MM)
- What is the MD5 hash of the malware file?
- What credentials were used to log into the attacker's mailbox? (Format: username:password)
- What is the name of the task scheduled by the attacker?
- What is the API key leaked from the highly valuable file discovered by the attacker?
Investigation Steps:
1. Network Traffic Analysis with Wireshark:
The first step in our investigation was to analyze the provided network capture file in Wireshark to understand the nature of the attack and identify any suspicious communications. Opening the capture in Wireshark and following the TCP streams gave us context on the network traffic.
2. Identifying the Suspicious .pdf.exe File:
While analyzing the TCP streams in Wireshark, we noticed the transfer of a file with a suspicious name: it was disguised as a PDF but carried an executable extension (.pdf.exe). This immediately raised a red flag, suggesting the file could be the malware used in the attack.
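As an added example (my own code, not part of the writeup), here is a small Python triage helper that flags double-extension names of the kind seen in the streams (a document extension followed by an executable one, like .pdf.exe) and computes the MD5 that the third challenge question asks for. The filenames and file bytes below are constructed samples, not data from the challenge capture.

```python
import hashlib
import os

# Extensions Windows will execute; a document-style extension placed in front
# of one of these is the classic "report.pdf.exe" disguise.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def is_disguised_executable(filename: str) -> bool:
    """True if the final extension is executable and a document extension
    sits directly before it, e.g. 'report.pdf.exe' or 'PHOTO.JPG.SCR'."""
    base = os.path.basename(filename.strip().lower())
    root, last = os.path.splitext(base)
    if last not in EXECUTABLE_EXTS:
        return False          # plain .exe is not a disguise by itself
    _, previous = os.path.splitext(root)
    return previous in DOCUMENT_EXTS


def md5_hex(data: bytes) -> str:
    """MD5 of the carved file content, as the challenge reports it."""
    return hashlib.md5(data).hexdigest()


def triage_transfers(transfers):
    """transfers: list of (filename, file_bytes) carved from the streams.
    Returns (filename, md5) for every disguised executable."""
    return [(name, md5_hex(blob))
            for name, blob in transfers
            if is_disguised_executable(name)]


# Constructed sample transfers (hypothetical names and bytes, not from the pcap).
SAMPLE_TRANSFERS = [
    ("Eldoria_Report.pdf", b"%PDF-1.4 sample document"),
    ("Eldoria_Report.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),  # PE header stub
    ("setup.exe", b"MZ" + b"\x00" * 10),
]

if __name__ == "__main__":
    for name, digest in triage_transfers(SAMPLE_TRANSFERS):
        print(f"{name}: {digest}")
```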