Add small write up for babyapt

forensics/babyapt/README.md

@@ -0,0 +1,18 @@
+# babyAPT
+
+## Flag
+
+HTB{0k_n0w_3v3ry0n3_h4s_t0_dr0p_0ff_th3ir_l3tt3rs_4t_th3_p0st_0ff1c3_4g41n}
+
+## How to solve
+
+- Open the pcap file in wireshark
+- Filter for http traffic
+- Observe the sent POST messages, they contain commands
+- The last one contains a rather obscure one
+
+```bash
+"rm  /var/www/html/sites/default/files/.ht.sqlite && echo SFRCezBrX24wd18zdjNyeTBuM19oNHNfdDBfZHIwcF8wZmZfdGgzaXJfbDN0dDNyc180dF90aDNfcDBzdF8wZmYxYzNfNGc0MW59 > /dev/null 2>&1 && ls -al  /var/www/html/sites/default/files
+```
+
+- The echo string is the flag in base64

forensics/babyapt/htbsanta

@@ -1,3 +0,0 @@
-0xsantaslammer
-hackthesanta@0x29a.ch
-PW FF