Forensics

The latest wave of phishing documents has our team stumped. Figure out what they are doing and get the flag. Category: Forensics Solver: lmarschk, mp455 Flag: HTB{hT4_j4V@sCr1pT_vBs_0h_mY!} Writeup Summary: Deobfuscate the Makro and the JS Script We get a phishing document airship_incognito.doc. When we open the document we get the notification that this document contains macros. Inside the document we see an image that invotes us to the “unveiling of the airship incognito”. But below the image we notice an unreadable text with a tiny font size. ...

New Era Now that Microsoft will disable Macros coming from the web, APT groups look for alternative ways to bypass MOTW. Thus, our SOC team analyses daily, dozens of different container-based malicious document in different file formats. Make sure you analyse this document properly although it seems to be safe. Category: Forensics Solver: 3mb0, mp455 Flag: HTB{sch3dul1ng_t4sks_1s_c00l_but_p0w3rsh3ll_w1th0ut_p0w3rsh3ll_1s_c00l3r} Writeup Summary: Decompile and deobfuscate the VBA p-code. Microsoft wants to fight the macro malware incident rate by denying all macros from documents that are downloaded from the web and therefore have the “Mark of the Web” (MOTW) [1]. In our case we got office.iso containing office.doc. This way the iso file has the MOTW but when mounting / extracting the iso the doc file has not the MOTW. When we open the document we get the notification about macros. When we try to open the macros source code with the integrated IDE we see an almost blank macro file. That’s weird. Analysing the document with olevba [2] we get the warning that “VBA Stomping was detected: the VBA source code and P-code are different, this may have been used to hide malicious code”. With this we get to know VBA Stomping [3] and what p-code is [4]. Understanding what p-code is we can dump it out of the document with pcodedmp [4]. As p-code is a hardly readable format we searched for p-code decompiler and found pcode2code [5]. The decompiler produces VBA code, of course obfuscated - but even more shocking, it was also broken code. The VBA code contains some strings that look like base64 and some complicated functions. Decoding the base64 strings results in not readable bytes. Reimplementing the code in python took us too long. So we took our time to learn more and more about the VBA syntax and was able to fix the syntax errors. Executing the decoding functions we could transform the non readable base64-looking code into: ...

Steam Door Steam-security analysts have spotted a new unknown persistence technique used in the wild. But they are not able to understand how it works since steam-technology is involving at very fast rates. Please analyse this memory dump and find the persistence mechanism used by the malicious steam actors. Flag format: HTB{md5sum }. For example: HTB{55e7dd3016ce4ac57b9a0f56af12f7c2} Download: drive.google.com/file/d/1OP_r3c9Crvym28suH9K7ro5JNN0Pzx5_ Category: Forensics Solver: lmarschk, mp455 Flag: HTB{db042f659831045cc3748324b481507e} Writeup Summary: Analysis of windows memory dump and file extraction out of it. ...

The network in which our main source of steam is connected to, got compromised. If they managed to gain full control of this network, it would be a disaster! Category: forensics Solver: lmarschk, 3mb0 Flag: HTB{n0th1ng_1s_tru3_3v3ryth1ng_1s_d3crypt3d} Writeup We have got a package capture file. We view this capture by looking over the tcp streams. We notice many attemps of establishing SMB connections. We notice that the suspected attacker (192.168.1.9) is starting to connect to user1 (192.168.1.7), asmith (192.168.1.10) and user2 (192.168.1.11). Although 17 of 26 tcp streams are connection attemps via SMB only 300 of 22,000 packages are transmitted that way. So we dont expect much information in them. ...

An unknown maintainer managed to push an update to one of our public docker images. Our SOC team reported suspicious traffic coming from some of our steam factories ever since. The update got retracted making us unable to investigate further. We are concerned that this might refer to a supply-chain attack. Could you investigate? Docker Image: steammaintainer/gearrepairimage Category: forensics Solver: 3mb0 Flag: HTB{1_r34lly_l1k3_st34mpunk_r0b0ts!!!} Writeup Firstly, we download the provided docker image with docker pull steammaintainer/gearrepairimage and inspect the layers of it on DockerHub [1]: ...

Hackers made it onto one of our production servers. We’ve isolated it from the internet until we can clean the machine up. The IR team reported four different backdoors on the server, but didn’t mention what they were and we currently can’t get in touch with them. We need to get this server back into prod ASAP - we’re losing money every second it’s down. Please find the four backdoors (both remote access and privilege escalation) and remove them. Your creds are user / hackthebox, and that user will have full sudo rights, so running sudo su - will provide a shell as root. Remove any malicious files and configurations, and then run /root/solveme as root to get the flag. ...

While I was surfing the web I probably clicked something that I shouldn’t have, and now I believe that someone knows everything about me. Help me find out what is going on! The profile is Win10x64_17134. drive.google.com/file/d/1bwsV4ESzTVlEHeSyIjJROdxUgt31aBQ5 Category: forensics Solver: 3mb0, mp455 Flag: HTB{t3ll_me_@ll_Your_S3cr3ts} Writeup This time we got an url: drive.google.com/file/d/1bwsV4ESzTVlEHeSyIjJROdxUgt31aBQ5 Here we find a zip archive containing two files: tioe.pcap and ioe.raw tioe.pcap Let’s focus on tioe.pcap. This packet capture file can be divided in two parts. First HTTP Traffic and after that plain TCP streams. ...

The SOC identified a bunch of suspicious emails with ZIP attachments. The zips don’t have executables in them, so how dangerous can they be? Category: forensics Solver: 3mb0, mp455 Flag: HTB{d4ng3r0Us_z1p_ZiP_z1pp3R} Writeup In the provided zip archive there is another archive callled zipper.zip. We can also extract this archive to the files zipper.jpg and zipper.lnk. As .lnk is the file extension for windows shortcuts we inspect its properties. As target there is ...

We think our website has been compromised by a bad actor. We have noticed some weird traffic coming from a user, could you figure out what has been exfiltrated? Category: forensics Solver: mp455 Writeup We can download a zip file. If we unpack it there is the file capture.pcapng . Wireshark This file we can open with Wireshark where we see captured network packets. Since the description stated worries about the website we can filter the packets for http. ...

We received an email from one of our clients regarding an invoice, with contains an attachment. However, after calling the client it seems they have no knowledge of this. We strongly believe that this document contains something malicious. Can you take a look? Category: forensics Solver: mp455 Writeup Since we suspect that the given document ‘invoice.docx’ contains something malicious, we refrain from opening/executing it for the moment. But there are other ways to inspect docx documents: ...

One of our client have reported that they might have been compromised and they don’t know how this happened, we have dump everything including USB traffic. Can you look at it and find out how our client got the virus in the first place? Category: forensics Solver: mp455 Writeup We can download a zip file. If we unpack it there is the file capture.pcapng . Wireshark This file we can open with Wireshark where we see captured USB traffic. ...