Header - UAP Cyber Siege 2025 - Final Round
This challenge revolves around analyzing a .pcapng file that captures attacker activity on a compromised server. The goal is to identify a custom encryption mechanism used in the attack and determine how the attacker encoded or accessed data via HTTP headers.
In tcp.stream eq 13 we can see that a base64-encoded payload was uploaded to the server; after decoding, it turns out to be a PHP web shell. The code doesn't behave like an ordinary reverse shell or a simple command executor. Instead, it runs a custom encryption routine keyed on values taken from specific HTTP headers of the request.
The specific headers used in the encryption are:
$_SERVER["HTTP_IF_NONE_MATCH"]
$_SERVER["HTTP_ACCEPT"]
$_SERVER["HTTP_USER_AGENT"]
These headers are read from the incoming request (PHP exposes a request header such as If-None-Match as $_SERVER["HTTP_IF_NONE_MATCH"]: the name is uppercased, dashes become underscores and HTTP_ is prefixed) and passed into the shell's decryption function, which reconstructs the command the attacker wants to execute.
From the request in the stream, the relevant headers and their values are:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36
Accept: text/plain,app
If-None-Match: 240b
The PHP code uses these values as key material for an XOR routine that decrypts the attacker's command and encrypts the command output before it is returned. The encrypted output appears in the body of the server's response:
GIF689a;
465b570900031e4544451e505244571b13555a500e03051a44454419575142531a1254465c4546410e01001c4447411f575347551a3a
The GIF689a; prefix imitates a GIF file signature (the genuine magic bytes are GIF89a) so that the response passes casual content inspection as an image. What follows is not raw binary but a hex string: 108 hex characters, i.e. 54 bytes of ciphertext.
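The decryption can be reproduced from the values shown above. The script below is an added example for this writeup, not code from the challenge or the captured web shell; it strips the fake image prefix, hex-decodes the body and XORs it with a repeating key. The key derivation is inferred from the captured bytes, not read from the PHP source: the ciphertext decrypts cleanly when the key is the ASCII hex encoding of the If-None-Match value ("240b" becomes "32343062"), so derive_key() models that as an assumption, and recover_key_from_crib() shows the general known-plaintext step used to find it (XOR a guessed plaintext prefix against the start of the ciphertext and look for the shortest repeating period). Whether Accept and User-Agent also feed into the key on the command-input side cannot be determined from this response alone.

```python
# Added example: decode the response body of the "Header" challenge.
# Assumption (not confirmed from the PHP source): the XOR key is the
# ASCII hex encoding of the If-None-Match header value.
import binascii
import re
from itertools import cycle

# Header values and response body copied from the writeup above
# (constructed inline so the script runs offline).
REQUEST_HEADERS = {
    "User-Agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36"),
    "Accept": "text/plain,app",
    "If-None-Match": "240b",
}
RESPONSE_BODY = (
    "GIF689a;"
    "465b570900031e4544451e505244571b13555a500e03051a44454419575142531a12"
    "54465c4546410e01001c4447411f575347551a3a"
)


def php_server_key(header_name: str) -> str:
    """Name of the $_SERVER entry PHP creates for a request header."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def strip_fake_image_prefix(body: str) -> bytes:
    """Drop the decoy 'GIF...;' signature and hex-decode what remains."""
    m = re.match(r"^GIF[0-9a-z]*;\s*", body)
    payload = body[m.end():] if m else body
    return binascii.unhexlify(payload.strip())


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_from_crib(ciphertext: bytes, crib: bytes) -> bytes:
    """Known-plaintext attack on repeating-key XOR.

    XORing a guessed plaintext prefix (the crib) with the ciphertext yields
    the key stream for those positions; the shortest period that explains
    the whole stream is the key. Falls back to the raw stream if no period
    is found, which signals that the crib is wrong.
    """
    stream = xor_with_key(ciphertext[:len(crib)], crib)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


def derive_key(headers: dict) -> bytes:
    """Assumed derivation: hex-encode the If-None-Match value as ASCII."""
    return binascii.hexlify(headers["If-None-Match"].encode())


def decrypt_response(body: str, headers: dict) -> str:
    """Full pipeline: strip decoy prefix, unhex, XOR with the header key."""
    ciphertext = strip_fake_image_prefix(body)
    return xor_with_key(ciphertext, derive_key(headers)).decode()


if __name__ == "__main__":
    ct = strip_fake_image_prefix(RESPONSE_BODY)
    # Crib: output of `id` on a Debian-style web server starts with "uid=".
    print("recovered key:", recover_key_from_crib(ct, b"uid=33(www-data) "))
    print(decrypt_response(RESPONSE_BODY, REQUEST_HEADERS), end="")
```

Running it prints the recovered key 32343062 and the decrypted body, which is the output of the `id` command run as www-data. The crib only needs to cover two key periods (here 16 bytes) for the period search to lock on; a crib that does not match produces a non-repeating stream, which is how a wrong guess shows itself.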
This is an example of header-based command encoding: the attacker avoids putting an obvious payload in the body or URL and instead spreads the data across standard request headers, so the traffic looks almost legitimate. The three headers are plainly visible in the request. That's all. Thanks ❤