At wargames.my 2015, our team managed to settle only 2 challenges because we were busy with our final exam, with no brain left to commit to the competition.

So let's go with the challenge.
The hint given is a C&C server address, which is blablayadaaofeiwnfvocwvonwec.wargames.my

So we open sinkholed_traffic.pcapng with Wireshark and filter on the address.
After a while we managed to find something useful in the HTTP header, which is
"wefwavwef="

I am no master in programming, so I utilize Linux tools and the shell.
Here is the summary of it:



r0x@b0x:~/Desktop$ sudo tcpick -C -yP -r sinkholed_traffic.pcapng | grep wefwavwef= > decode.txt

r0x@b0x:~/Desktop$ cat decode.txt
wefwavwef=3b2cc923a4beb7dfff5e378cdb41626a86c05ef6MDQvMDY%3dAQEFXQAAAQAMJwAICgHA5%2f0%2bAAAFAREZAHMAeQBz
wefwavwef=6a7dd901c5965c767b69e3eea46c2afa82a12485MDIvMDY%3d%2fCcAOhoIznZkpyGug6wH%2bnE%2bf0ygjpQO3U005JRj
wefwavwef=f31e92d008b9a49d3047b15b44c627e0b05ffdbfMDYvMDY%3dARUGAQAgAAAAAAA%3d
wefwavwef=a6b153ee99408406b3a9ac260c809fb74d990bf3MDUvMDY%3dAGkAbgBmAG8ALgB0AHgAdAAAABQKAQDQffjJPZTQ
wefwavwef=f0a021760a1407e957c080362497f2f726f1b774MDMvMDY%3d5gBiE9NITMr1ItKk%2fiLBAQQGAAEJKwAHCwEAASMD
wefwavwef=8bc85586c9caafcc26673c98caaf980f57277091MDEvMDY%3dN3q8ryccAAMGi8mhKwAAAAAAAABWAAAAAAAAAGG4

r0x@b0x:~/Desktop$ urlencode -d wefwavwef=3b2cc923a4beb7dfff5e378cdb41626a86c05ef6MDQvMDY%3dAQEFXQAAAQAMJwAICgHA5%2f0%2bAAAFAREZAHMAeQBz \
> wefwavwef=6a7dd901c5965c767b69e3eea46c2afa82a12485MDIvMDY%3d%2fCcAOhoIznZkpyGug6wH%2bnE%2bf0ygjpQO3U005JRj \
> wefwavwef=f31e92d008b9a49d3047b15b44c627e0b05ffdbfMDYvMDY%3dARUGAQAgAAAAAAA%3d \
> wefwavwef=a6b153ee99408406b3a9ac260c809fb74d990bf3MDUvMDY%3dAGkAbgBmAG8ALgB0AHgAdAAAABQKAQDQffjJPZTQ \
> wefwavwef=f0a021760a1407e957c080362497f2f726f1b774MDMvMDY%3d5gBiE9NITMr1ItKk%2fiLBAQQGAAEJKwAHCwEAASMD \
> wefwavwef=8bc85586c9caafcc26673c98caaf980f57277091MDEvMDY%3dN3q8ryccAAMGi8mhKwAAAAAAAABWAAAAAAAAAGG4 | tr " " "\n" > decode.txt

r0x@b0x:~/Desktop$ cat decode.txt | perl -p -e 's/^.*?MD/MDY/' | sort | sed 's/.*MDY=//' | base64 -d > decode.7z

r0x@b0x:~/Desktop$ 7z e decode.7z | cat sysinfo.txt | grep flag
the flag is - worryingwontmakeanybetter
r0x@b0x:~/Desktop$



the flag is - worryingwontmakeanybetter

A little bit messy, but it gets the job done. Kudos to the organizers for the awesome and head-cracking questions. Congrats to team Rempah, aleuto, deyum and all the teams that participated. Till next time.
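
The same reassembly as the shell session above, written as an added Python example (not part of the original write-up). It reads the chunk index from each value instead of relying on sort order and refuses to build the archive if a chunk is missing. The field layout (40 hex characters, an 8-character base64 tag that decodes to `NN/TT`, then the base64 chunk) is an assumption inferred from the six captured values, and the function names are hypothetical.

```python
import base64
import re
from urllib.parse import unquote

# Parameter values copied from the tcpick output in the write-up (capture order).
CAPTURED = [
    "wefwavwef=3b2cc923a4beb7dfff5e378cdb41626a86c05ef6MDQvMDY%3dAQEFXQAAAQAMJwAICgHA5%2f0%2bAAAFAREZAHMAeQBz",
    "wefwavwef=6a7dd901c5965c767b69e3eea46c2afa82a12485MDIvMDY%3d%2fCcAOhoIznZkpyGug6wH%2bnE%2bf0ygjpQO3U005JRj",
    "wefwavwef=f31e92d008b9a49d3047b15b44c627e0b05ffdbfMDYvMDY%3dARUGAQAgAAAAAAA%3d",
    "wefwavwef=a6b153ee99408406b3a9ac260c809fb74d990bf3MDUvMDY%3dAGkAbgBmAG8ALgB0AHgAdAAAABQKAQDQffjJPZTQ",
    "wefwavwef=f0a021760a1407e957c080362497f2f726f1b774MDMvMDY%3d5gBiE9NITMr1ItKk%2fiLBAQQGAAEJKwAHCwEAASMD",
    "wefwavwef=8bc85586c9caafcc26673c98caaf980f57277091MDEvMDY%3dN3q8ryccAAMGi8mhKwAAAAAAAABWAAAAAAAAAGG4",
]

# Assumed layout: 40 hex chars, 8-char base64 tag ("NN/TT"), base64 chunk.
FIELD = re.compile(r"^wefwavwef=([0-9a-f]{40})(.{8})(.+)$")

def parse_chunk(line):
    """Return (index, total, raw_bytes) for one captured parameter value."""
    m = FIELD.match(unquote(line.strip()))
    if not m:
        raise ValueError("unexpected field layout: %r" % line[:30])
    _digest, tag, body = m.groups()  # the page does not say what the hex field is
    index, total = base64.b64decode(tag, validate=True).decode("ascii").split("/")
    return int(index), int(total), base64.b64decode(body, validate=True)

def reassemble(lines):
    """Join chunks in index order; reject incomplete or inconsistent sets."""
    chunks, totals = {}, set()
    for line in lines:
        index, total, data = parse_chunk(line)
        if index in chunks and chunks[index] != data:
            raise ValueError("conflicting copies of chunk %d" % index)
        chunks[index] = data
        totals.add(total)
    if len(totals) != 1:
        raise ValueError("chunks disagree on the total count")
    total = totals.pop()
    missing = sorted(set(range(1, total + 1)) - set(chunks))
    if missing:
        raise ValueError("missing chunks: %s" % missing)
    return b"".join(chunks[i] for i in range(1, total + 1))

if __name__ == "__main__":
    blob = reassemble(CAPTURED)
    print("7z signature present:", blob.startswith(b"7z\xbc\xaf\x27\x1c"))
    with open("decode.7z", "wb") as fh:  # same output name as in the session
        fh.write(blob)
```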