From 41dd116e1020d672e90350032d32720c12bb4be5 Mon Sep 17 00:00:00 2001
From: aaron
Date: Fri, 3 Dec 2021 16:58:02 +0100
Subject: [PATCH] Add small write up for babyapt

---
 forensics/babyapt/README.md | 18 ++++++++++++++++++
 forensics/babyapt/htbsanta | 3 ---
 2 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 forensics/babyapt/README.md
 delete mode 100644 forensics/babyapt/htbsanta

diff --git a/forensics/babyapt/README.md b/forensics/babyapt/README.md
new file mode 100644
index 0000000..c98ecc2
--- /dev/null
+++ b/forensics/babyapt/README.md
@@ -0,0 +1,18 @@
+# babyAPT
+
+## Flag
+
+HTB{0k_n0w_3v3ry0n3_h4s_t0_dr0p_0ff_th3ir_l3tt3rs_4t_th3_p0st_0ff1c3_4g41n}
+
+## How to solve
+
+- Open the pcap file in wireshark
+- Filter for http traffic
+- Observe the sent POST messages, they contain commands
+- The last one contains a rather obscure one
+
+```bash
+"rm /var/www/html/sites/default/files/.ht.sqlite && echo SFRCezBrX24wd18zdjNyeTBuM19oNHNfdDBfZHIwcF8wZmZfdGgzaXJfbDN0dDNyc180dF90aDNfcDBzdF8wZmYxYzNfNGc0MW59 > /dev/null 2>&1 && ls -al /var/www/html/sites/default/files
+```
+
+- The echo string is the flag in base64
diff --git a/forensics/babyapt/htbsanta b/forensics/babyapt/htbsanta
deleted file mode 100644
index 3998494..0000000
--- a/forensics/babyapt/htbsanta
+++ /dev/null
@@ -1,3 +0,0 @@
-0xsantaslammer
-hackthesanta@0x29a.ch
-PW FF