Challenge Overview

The provided file is a network capture (pcapng), which we can analyze with Wireshark.

➜ file kNOCk_kNOCk

kNOCk kNOCk: pcapng capture file - version 1.0

Wireshark allows us to display the hierarchy of protocols present in the pcap file (Statistics -> Protocol Hierarchy). We can see that most of the exchanges are TCP.

[Screenshot: Protocol Hierarchy]

We can also display the objects that were transferred during the HTTP exchanges.

  • File -> Export Objects -> HTTP

[Screenshot: HTTP Objects]

We can see that a file named MalPack.deb was downloaded from IP address 192.168.157.195 on port 8080. This file is a package for Debian Linux. A .deb package is essentially an archive: it bundles the files to be installed (data.tar.*) together with control metadata (control.tar.*), and that control archive may contain maintainer scripts (preinst, postinst, ...) that are executed with root privileges during the package installation.

One non-recommended method is to install the package directly (not recommended because any maintainer scripts in an untrusted package run as root during installation):

➜ dpkg -i MalPack.deb

(Reading database ... 185144 files and directories currently installed.)
Preparing to unpack MalPack.deb ...
Unpacking notamalware (1.0) over (1.0) ...
Setting up notamalware (1.0) ...

A file named simplescript.sh will then be created on the system, and we just need to execute it.

➜  /usr/local/bin/simplescript.sh

PWNME{P4ck4g3_1s_g00d_ID}

The recommended method is to extract the package contents without installing it. Since a .deb is an ar archive, the ar command can unpack it.

➜ ar x MalPack.deb

control.tar.xz  data.tar.xz  debian-binary  MalPack.deb

Then, we can extract the inner archives: data.tar.xz holds the files that would be installed, and control.tar.xz holds the package metadata and maintainer scripts.

➜ xz -d data.tar.xz
➜ xz -d control.tar.xz
➜ tar -xvf data.tar

./
./usr/
./usr/local/
./usr/local/bin/
./usr/local/bin/simplescript.sh

We obtain the simplescript.sh script, which simply prints the flag.

➜ cat ./usr/local/bin/simplescript.sh

#!/bin/bash

echo "PWNME{P4ck4g3_1s_g00d_ID}"

  • Flag: PWNME{P4ck4g3_1s_g00d_ID}
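The manual ar / xz / tar steps above can be automated so that a suspicious package is triaged without ever being handed to dpkg. The following Python is an added example (not part of the original writeup, and not dpkg's own code): it parses the .deb ar container, reads both inner tar archives, lists the files that would land on the filesystem and pulls out any maintainer scripts from control.tar.*, since those are what actually runs during installation. It goes slightly beyond the writeup by also inspecting the control archive, which the commands above left unpacked. The sample package it builds in memory is a constructed stand-in for MalPack.deb (the real file is not embedded here); the package name, the postinst script and the payload path are assumptions modelled on the writeup.

```python
import io
import lzma
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}


def _ar_member(name: bytes, data: bytes) -> bytes:
    """Build one ar member: 60-byte common-format header + data, padded to an even length."""
    header = (
        name.ljust(16)
        + b"0".ljust(12)                          # mtime
        + b"0".ljust(6)                           # uid
        + b"0".ljust(6)                           # gid
        + b"100644".ljust(8)                      # mode
        + str(len(data)).encode().ljust(10)       # size in bytes, decimal
        + b"`\n"                                  # header terminator
    )
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_xz(files: dict) -> bytes:
    """Build an xz-compressed tar archive from {path: content}; '#!' files are marked executable."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            info.mode = 0o755 if content.startswith(b"#!") else 0o644
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed sample .deb (assumption: mirrors the writeup's package, not the real MalPack.deb)."""
    control = _tar_xz({
        "./control": b"Package: notamalware\nVersion: 1.0\nArchitecture: all\n",
        # constructed maintainer script: this is what 'dpkg -i' would execute as root
        "./postinst": b"#!/bin/sh\necho 'postinst ran'\nexit 0\n",
    })
    data = _tar_xz({
        "./usr/local/bin/simplescript.sh": b'#!/bin/bash\n\necho "PWNME{P4ck4g3_1s_g00d_ID}"\n',
    })
    return (AR_MAGIC
            + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"control.tar.xz", control)
            + _ar_member(b"data.tar.xz", data))


def parse_deb(blob: bytes) -> dict:
    """Split a .deb (ar archive) into {member name: raw bytes} without executing anything."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad ar header at offset {pos}")
        name = hdr[0:16].rstrip().rstrip(b"/").decode()   # GNU ar may append '/' to names
        size = int(hdr[48:58])
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)                    # members start on even offsets
    return members


def _tar_files(raw: bytes) -> dict:
    """Read every regular file from a (possibly compressed) tar blob; strips the leading './'."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                name = m.name[2:] if m.name.startswith("./") else m.name
                out[name] = tar.extractfile(m).read()
    return out


def inspect_deb(blob: bytes) -> dict:
    """Static triage of a .deb: payload paths, maintainer scripts and control fields."""
    members = parse_deb(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("unexpected or missing debian-binary member")
    control_name = next(n for n in members if n.startswith("control.tar"))
    data_name = next(n for n in members if n.startswith("data.tar"))
    control_files = _tar_files(members[control_name])
    payload = _tar_files(members[data_name])
    return {
        "members": sorted(members),
        "control": control_files.get("control", b"").decode(errors="replace"),
        "scripts": {n: c.decode(errors="replace") for n, c in control_files.items()
                    if n in MAINTAINER_SCRIPTS},
        "files": sorted(payload),
        "payload": payload,
    }


if __name__ == "__main__":
    report = inspect_deb(build_sample_deb())
    print("members:", report["members"])
    print("would install:", report["files"])
    print("maintainer scripts that run at install time:", list(report["scripts"]))
    print(report["payload"]["usr/local/bin/simplescript.sh"].decode())
```

To triage a real capture artefact, replace build_sample_deb() with open("MalPack.deb", "rb").read(); the report shows what would be written to disk and which scripts dpkg would run, which is exactly the information the manual extraction above recovers, plus the control archive.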