We think our system got compromised; our hosting company uses some strange log tool. Are you able to dig into the log file and find out whether we are compromised?

Challenge created by the Digital and Biometric Traces division of the Netherlands Forensic Institute.

Extracting the archive we got a FOR100.scap file. The .scap extension is the one commonly used by sysdig, a system call capture and analysis tool, so the "strange log tool" is a sysdig capture of system activity.

Using csysdig -r FOR100.scap we were able to browse the capture through a practical curses interface.


Looking at the files view, we found the execution of /tmp/challenge.py.


Looking deeper we can see that it is called with a base64 string as its only argument.
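As an added example (not part of the original writeup), the following Python script shows how the same two findings, the execve of /tmp/challenge.py and the base64 argument it was given, can be pulled out of sysdig's text output instead of the csysdig UI, for instance from sysdig -r FOR100.scap -p "%evt.num %evt.type %proc.name %proc.cmdline" evt.type=execve. The sample log lines, the ciphertext and the helper names are constructed for the example and are not taken from the real capture. It also checks that the argument decodes to whole 16-byte blocks, which is what AES-CBC output must look like, so a non-base64 or oddly sized argument is flagged before anyone tries to decrypt it.

```python
import base64
import binascii
import re

# Constructed sample in the shape of sysdig's text output for a command such as:
#   sysdig -r FOR100.scap -p "%evt.num %evt.type %proc.name %proc.cmdline" evt.type=execve
# These lines are made up for the example; they are not from the real capture.
_FAKE_CIPHERTEXT = b"CONSTRUCTED_CIPHERTEXT_32_BYTES!"      # 32 bytes = 2 AES blocks
_FAKE_B64 = base64.b64encode(_FAKE_CIPHERTEXT).decode()
SAMPLE_SYSDIG_LINES = [
    "1040 execve bash bash -c /bin/ls /tmp",
    f"1041 execve python python /tmp/challenge.py {_FAKE_B64}",
    "1042 execve python python /tmp/challenge.py not-base64!",
    "1043 execve sleep sleep 5",
]

# evt.num, evt.type and proc.name never contain spaces; proc.cmdline is the rest
LINE_RE = re.compile(r"^(?P<num>\d+)\s+(?P<type>\S+)\s+(?P<proc>\S+)\s+(?P<cmdline>.*)$")


def parse_line(line):
    """Split one formatted sysdig line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_script_execs(lines, script="/tmp/challenge.py"):
    """Return execve records whose command line invokes the given script."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["type"] == "execve" and script in rec["cmdline"].split():
            hits.append(rec)
    return hits


def script_argument(cmdline, script="/tmp/challenge.py"):
    """Return the first argument after the script path, or None if there is none."""
    argv = cmdline.split()
    idx = argv.index(script)
    return argv[idx + 1] if idx + 1 < len(argv) else None


def classify_argument(arg):
    """Decode a candidate base64 argument and judge whether it could be CBC ciphertext."""
    try:
        raw = base64.b64decode(arg, validate=True)
    except (binascii.Error, ValueError):
        return {"valid_base64": False, "length": 0, "block_aligned": False}
    return {
        "valid_base64": True,
        "length": len(raw),
        # AES-CBC ciphertext is always a whole number of 16-byte blocks
        "block_aligned": len(raw) > 0 and len(raw) % 16 == 0,
    }


def triage(lines, script="/tmp/challenge.py"):
    """Summarise every execution of the script and the nature of its argument."""
    report = []
    for rec in find_script_execs(lines, script):
        arg = script_argument(rec["cmdline"], script)
        info = classify_argument(arg if arg is not None else "")
        report.append({"evt_num": int(rec["num"]), "arg": arg, **info})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_SYSDIG_LINES):
        print(row)
```

On the real capture, feed the lines written by sysdig into triage() and keep the evt.num of each hit; the same number can then be used as a filter (evt.num) to jump straight to that point in csysdig and echo what the process read from /tmp/challenge.py.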



Using the Echo function of csysdig on the file descriptor for /tmp/challenge.py, we were able to recover the source of challenge.py from the data the process read:


from Crypto.Cipher import AES
import base64
import sys
# Hard-coded key and IV as recovered from the capture (AES-CBC needs a 16-byte IV;
# the IV is reproduced here exactly as transcribed, which is 15 characters).
obj = AES.new(b'n0t_just_t00ling', AES.MODE_CBC, b'7215fc61c2edd24')
ciphertext = sys.argv[1]  # base64-encoded ciphertext passed as the only argument
message = obj.decrypt(base64.b64decode(ciphertext))
print(message)

Executing the script with the previously found argument, we got the flag:

b'Congrats! flag{1da3207f50d82e95c6c0eb803cdc5daf}'