Airshop Incognito

The latest wave of phishing documents has our team stumped. Figure out what they are doing and get the flag. Category: Forensics Solver: lmarschk, mp455 Flag: HTB{hT4_j4V@sCr1pT_vBs_0h_mY!} Writeup Summary: Deobfuscate the Makro and the JS Script We get a phishing document airship_incognito.doc. When we open the document we get the notification that this document contains macros. Inside the document we see an image that invotes us to the “unveiling of the airship incognito”....

August 9, 2022 · 2 min · lmarschk, mp455

New Era

New Era Now that Microsoft will disable Macros coming from the web, APT groups look for alternative ways to bypass MOTW. Thus, our SOC team analyses daily, dozens of different container-based malicious document in different file formats. Make sure you analyse this document properly although it seems to be safe. Category: Forensics Solver: 3mb0, mp455 Flag: HTB{sch3dul1ng_t4sks_1s_c00l_but_p0w3rsh3ll_w1th0ut_p0w3rsh3ll_1s_c00l3r} Writeup Summary: Decompile and deobfuscate the VBA p-code. Microsoft wants to fight the macro malware incident rate by denying all macros from documents that are downloaded from the web and therefore have the “Mark of the Web” (MOTW) [1]....

August 9, 2022 · 2 min · lmarschk, mp455

Steam Door

Steam Door Steam-security analysts have spotted a new unknown persistence technique used in the wild. But they are not able to understand how it works since steam-technology is involving at very fast rates. Please analyse this memory dump and find the persistence mechanism used by the malicious steam actors. Flag format: HTB{md5sum }. For example: HTB{55e7dd3016ce4ac57b9a0f56af12f7c2} Download: drive.google.com/file/d/1OP_r3c9Crvym28suH9K7ro5JNN0Pzx5_ Category: Forensics Solver: lmarschk, mp455 Flag: HTB{db042f659831045cc3748324b481507e} Writeup Summary: Analysis of windows memory dump and file extraction out of it....

August 9, 2022 · 2 min · lmarschk, mp455

Keep the steam activated

The network in which our main source of steam is connected to, got compromised. If they managed to gain full control of this network, it would be a disaster! Category: forensics Solver: lmarschk, 3mb0 Flag: HTB{n0th1ng_1s_tru3_3v3ryth1ng_1s_d3crypt3d} Writeup We have got a package capture file. We view this capture by looking over the tcp streams. We notice many attemps of establishing SMB connections. We notice that the suspected attacker (192.168.1.9) is starting to connect to user1 (192....

December 2, 2021 · 4 min · lmarschk, 3mb0

Peel back the layers

An unknown maintainer managed to push an update to one of our public docker images. Our SOC team reported suspicious traffic coming from some of our steam factories ever since. The update got retracted making us unable to investigate further. We are concerned that this might refer to a supply-chain attack. Could you investigate? Docker Image: steammaintainer/gearrepairimage Category: forensics Solver: 3mb0 Flag: HTB{1_r34lly_l1k3_st34mpunk_r0b0ts!!!} Writeup Firstly, we download the provided docker image with docker pull steammaintainer/gearrepairimage and inspect the layers of it on DockerHub [1]:...

December 2, 2021 · 2 min · 3mb0

HideAndSeek

Hackers made it onto one of our production servers. We’ve isolated it from the internet until we can clean the machine up. The IR team reported four different backdoors on the server, but didn’t mention what they were and we currently can’t get in touch with them. We need to get this server back into prod ASAP - we’re losing money every second it’s down. Please find the four backdoors (both remote access and privilege escalation) and remove them....

March 24, 2021 · 4 min · lmarschk, mp455, 3mb0

time if of the essence

While I was surfing the web I probably clicked something that I shouldn’t have, and now I believe that someone knows everything about me. Help me find out what is going on! The profile is Win10x64_17134. drive.google.com/file/d/1bwsV4ESzTVlEHeSyIjJROdxUgt31aBQ5 Category: forensics Solver: 3mb0, mp455 Flag: HTB{t3ll_me_@ll_Your_S3cr3ts} Writeup This time we got an url: drive.google.com/file/d/1bwsV4ESzTVlEHeSyIjJROdxUgt31aBQ5 Here we find a zip archive containing two files: tioe.pcap and ioe.raw tioe.pcap Let’s focus on tioe.pcap. This packet capture file can be divided in two parts....

March 24, 2021 · 5 min · mp455, 3mb0

Zipper

The SOC identified a bunch of suspicious emails with ZIP attachments. The zips don’t have executables in them, so how dangerous can they be? Category: forensics Solver: 3mb0, mp455 Flag: HTB{d4ng3r0Us_z1p_ZiP_z1pp3R} Writeup In the provided zip archive there is another archive callled zipper.zip. We can also extract this archive to the files zipper.jpg and zipper.lnk. As .lnk is the file extension for windows shortcuts we inspect its properties. As target there is...

March 24, 2021 · 2 min · mp455, 3mb0

Exfil

We think our website has been compromised by a bad actor. We have noticed some weird traffic coming from a user, could you figure out what has been exfiltrated? Category: forensics Solver: mp455 Writeup We can download a zip file. If we unpack it there is the file capture.pcapng . Wireshark This file we can open with Wireshark where we see captured network packets. Since the description stated worries about the website we can filter the packets for http....

3 min · mp455

kapKan

We received an email from one of our clients regarding an invoice, with contains an attachment. However, after calling the client it seems they have no knowledge of this. We strongly believe that this document contains something malicious. Can you take a look? Category: forensics Solver: mp455 Writeup Since we suspect that the given document ‘invoice.docx’ contains something malicious, we refrain from opening/executing it for the moment. But there are other ways to inspect docx documents:...

2 min · mp455

Plug

One of our client have reported that they might have been compromised and they don’t know how this happened, we have dump everything including USB traffic. Can you look at it and find out how our client got the virus in the first place? Category: forensics Solver: mp455 Writeup We can download a zip file. If we unpack it there is the file capture.pcapng . Wireshark This file we can open with Wireshark where we see captured USB traffic....

1 min · mp455