Challenge

Challenge description:

We caught a threat actor, called MuddyWater, bruteforcing a login for our Domain Controller. We have a packet capture of the intrustion. Can you figure out which account they logged in to and what the password is?

Flag format is swampCTF{<username>:<password>}

Filtering

We are given a .pcap file, which we can open in WireShark or other similar software.
There are 97k packets in this file, so we need to filter to find data that’s useful to us.
When we open the file and scroll, we can see lots of SMB2 packets with “Error: STATUS_LOGON_FAILURE” and “Error: STATUS_MORE_PROCESSING_REQUIRED”:

How can we filter these out?
If we click on one of them we can look at the SMB2 details:

We can see that the one related to this error is NT Status, to copy the value in brackets right-click this field and choose Copy -> Value.
After this we can filter it out with the display filter smb2.nt_status != 0xc000006d, this still leaves all the STATUS_MORE_PROCESSING_REQURIED errors.
To filter both out we can use the display filter smb2.nt_status != 0xc000006d and smb2.nt_status != 0xc0000016, which leaves us with ~9000 packets displayed out of the 97k total packets:

There’s still lots of Negotiate Protocol Response packets in the list, let’s filter those too with and smb2.cmd != 0 which leaves us with just 3 packets:

Now we can right-click packet number 72074 and choose Follow -> TCP Stream to filter to just this conversation, we can close the window that comes up.
This updates the display filter to tcp.stream eq 6670 where we can see an Encrypted SMB3 conversation, and the username DESKTOP-0TNOE4V\hackbackzip:

Challenge Summary

Nobita was given a simple task: update the company’s internal network drive. It stored important files that everyone needed. He didn’t understand much about networks, but he wanted to prove he could handle it.  
  
Without checking the instructions, he pressed a few buttons and messed the network up. The shared ftp drive disappeared. Within minutes, employees started complaining.  
  
Gian and Suneo, who relied on the files, stormed into the IT room. “What did you do?” they demanded. Nobita panicked and called Dekisugi.  
  
Help Dekisugi fix the network!  

Challenge by hampter & NotAProton.
This challenge was part of ApoorvCTF 2025 (ApoorvCTF 3.0).

Provided Source Code

The provided zip file has two relevant files, Dockerfile and chall.py.

Dockerfile contains:

FROM python:3.12-slim

WORKDIR /challenge

COPY chall.py /challenge/chall.py
COPY flag.txt /flag.txt

RUN chmod +x /challenge/chall.py


CMD ["python", "/challenge/chall.py"]

This tells us the flag file will be at /flag.txt and how the Python code is being executed.

chall.py has this Python code:

#!/usr/bin/env python3

print("           _            _       _             ")
print("          | |          | |     | |            ")
print("  ___ __ _| | ___ _   _| | __ _| |_ ___  _ __ ")
print(" / __/ _` | |/ __| | | | |/ _` | __/ _ \| '__|")
print("| (_| (_| | | (__| |_| | | (_| | || (_) | |   ")
print(" \___\__,_|_|\___|\__,_|_|\__,_|\__\___/|_|   ")

def calc(op):
	try : 	
		res = eval(op)
	except :
		return print("Wrong operation")
	return print(f"{op} --> {res}")

def main():
	while True :
		inp = input(">> ")
		calc(inp)

if __name__ == '__main__':
	main()

The code will run eval(input) on any input and show the result if a result is returned, or “Wrong operation” on anything else.
eval() expects a string but input() provides one from what we enter.
We want to read the /flag.txt file with Python since the script is running directly in Python and not in an interactive shell like Bash or Z Shell.