Investigating a Hacked Webserver with Encrypted PHP Webshell | HackTheBox Obscure

Feb 25, 2024

We covered an incident response scenario in which forensic skills are used to investigate a webserver compromised through a file upload vulnerability. We were given the PHP webshell the attacker uploaded, along with a packet capture of the traffic exchanged between the attacker and the webserver while commands were being executed.

We reversed the webshell's encoding layers (base64 encoding, XOR encryption and gzip compression) on each captured request and response to recover the commands the attacker executed along with the output they received.

We found that the attacker downloaded a KeePass database, base64-encoded in the command output. After decoding it, we used keepass2john to extract a crackable hash and John the Ripper to recover the master password of the database, which contained the flag.
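As an added example (not code from the original post or from the challenge), the following Python script implements the decoding pipeline described above for a webshell transport that applies gzip, then XOR with a repeating key, then base64, and then scans the recovered output for a base64-encoded KeePass 2 database by its file signature. The XOR key, the command line, the file path and the exchange itself are constructed here for illustration; the real key is whatever the challenge's PHP source hard-codes, and the real payloads come from the packet capture.

```python
import base64
import gzip
import re

# Hypothetical key for the sample below; the real one is read out of the webshell's PHP source.
XOR_KEY = b"s3cr3t"
# KeePass 2.x (.kdbx) files start with these eight signature bytes.
KDBX_MAGIC = bytes.fromhex("03D9A29A67FB4BB5")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. Symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shell_decode(blob: str, key: bytes = XOR_KEY) -> bytes:
    """Reverse the transport encoding of one captured payload: base64 -> XOR -> gunzip."""
    raw = base64.b64decode(blob)
    return gzip.decompress(xor_bytes(raw, key))


def shell_encode(plain: bytes, key: bytes = XOR_KEY) -> str:
    """Forward direction (gzip -> XOR -> base64); used here only to build sample traffic."""
    return base64.b64encode(xor_bytes(gzip.compress(plain), key)).decode()


def find_kdbx(text: bytes) -> list[bytes]:
    """Return every base64 run in decoded command output that decodes to a KeePass 2 database."""
    found = []
    for m in re.finditer(rb"[A-Za-z0-9+/]{16,}={0,2}", text):
        try:
            dec = base64.b64decode(m.group(0), validate=True)
        except Exception:
            continue  # not valid base64 (e.g. a path or a word that merely looks like it)
        if dec.startswith(KDBX_MAGIC):
            found.append(dec)
    return found


def demo() -> dict:
    """Constructed sample exchange (not the challenge's traffic): a request and its response."""
    request = shell_encode(b"base64 -w0 /tmp/Passwords.kdbx\n")
    fake_kdbx = KDBX_MAGIC + bytes(24)  # signature plus filler; a real database is far longer
    response = shell_encode(base64.b64encode(fake_kdbx) + b"\n")
    command = shell_decode(request)
    output = shell_decode(response)
    return {"command": command, "output": output, "kdbx": find_kdbx(output)}


if __name__ == "__main__":
    result = demo()
    print("attacker ran:", result["command"].decode().strip())
    for i, db in enumerate(result["kdbx"]):
        with open(f"recovered_{i}.kdbx", "wb") as f:
            f.write(db)  # feed this file to keepass2john, then the hash to john
```

In practice the base64 blobs come out of the capture (for example the HTTP request bodies and response bodies exported from the pcap), and each one is passed through shell_decode with the key taken from the webshell source. Any recovered .kdbx file written by the script is the input for keepass2john.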

The full writeup is here.
