---
title: Artifacts of Dangerous Sightings
seoTitle: HackTheBox - Artifacts of Dangerous Sightings - Writeup
datePublished: Thu Mar 23 2023 13:00:39 GMT+0000 (Coordinated Universal Time)
cuid: clfl4g2m300hmjenve1aebbth
slug: htb-cyberapocalypse-artifacts-of-dangerous-sightings
cover:
tags: ads, hacking, ctf
---

## Introduction

Pandora has been using her computer to uncover the secrets of the elusive relic. She has been relentlessly scouring through all the reports of its sightings. However, upon returning from a quick coffee break, her heart races as she notices the Windows Event Viewer tab open on the Security log. This is so strange! Immediately taking control of the situation she pulls out the network cable, takes a snapshot of her machine and shuts it down. She is determined to uncover who could be trying to sabotage her research, and the only way to do that is by diving deep down and following all traces ...

## Details

- Category: Forensics
- Difficulty: Medium
- Given: VHDX image file


## Exploration

I mount the image file on Windows using PowerShell (read-only, so the evidence is not modified):

```powershell
Mount-DiskImage -Access ReadOnly -ImagePath C:\ws\vm\shared\2023-03-09T132449_PANDORA.vhdx
```

Since Pandora found the Security log open in Event Viewer and believes she was hacked, I start by browsing the PowerShell command history, and it turns out to be a good guess:

```
$ cat Users/Pandora/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt

type finpayload > C:\Windows\Tasks\ActiveSyncProvider.dll:hidden.ps1
exit
Get-WinEvent
Get-EventLog -List
wevtutil.exe cl "Windows PowerShell"
wevtutil.exe cl Microsoft-Windows-PowerShell/Operational
Remove-EventLog -LogName "Windows PowerShell"
Remove-EventLog -LogName Microsoft-Windows-PowerShell/Operational
Remove-EventLog
```

Here we can see that a script (`finpayload`) was hidden in an alternate data stream (`hidden.ps1`) of what looks like a regular Windows DLL. The remaining commands show the intruder clearing and removing the PowerShell event logs afterwards, which explains why Pandora found Event Viewer open.


## Analysis

### Alternate Data Stream (ADS)

Alternate data streams are a feature of the NTFS file system that allows a single file to hold more than one stream of data; other file systems do not support them. Windows Explorer gives no indication of which alternate streams a file carries, which is why they are a convenient hiding place.

We can list them from the command line (`dir /r` shows every stream of each file):

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1679519086317/7fa79b75-8967-4d97-91e6-ec7991cc57cd.png align="center")

and read the stream's content via PowerShell (`Get-Content` with the `-Stream` parameter):

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1679519104236/b228b5c6-d321-4edf-8f7c-a8fb78326dec.png align="center")

The stream contains a base64-encoded PowerShell command. Using a tool such as CyberChef I could decode the text, and after two further rounds of deobfuscation I found the flag.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1679519272454/7e4d2ee8-4c71-4eb1-bc0e-2780737503fa.png align="center")
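As an added example (not part of the original writeup), the PowerShell below automates the two steps above: it walks a mounted image, lists every non-default NTFS stream, and decodes the longest base64 run found in each (trying UTF-16LE first, the encoding PowerShell's `-EncodedCommand` expects). The path `E:\Windows\Tasks` is an assumed placeholder for wherever the VHDX is mounted; the further deobfuscation rounds from the writeup are not automated.

```powershell
function Convert-MaybeBase64 {
    param([string]$Text)
    # Take the longest base64-looking run, so both a bare blob and
    # 'powershell -EncodedCommand <blob>' are handled.
    $m = [regex]::Matches($Text, '[A-Za-z0-9+/]{40,}={0,2}') |
        Sort-Object Length -Descending | Select-Object -First 1
    if (-not $m) { return $null }
    try { $bytes = [Convert]::FromBase64String($m.Value) } catch { return $null }
    # -EncodedCommand payloads are UTF-16LE: every second byte is 0 for ASCII text.
    if ($bytes.Length -ge 2 -and $bytes[1] -eq 0) {
        return [Text.Encoding]::Unicode.GetString($bytes)
    }
    return [Text.Encoding]::UTF8.GetString($bytes)
}

function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$MinLength = 64   # skip tiny streams such as Zone.Identifier
    )
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # Every file has the default ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinLength } |
                ForEach-Object {
                    $raw = Get-Content -LiteralPath $file -Stream $_.Stream -Raw
                    [pscustomobject]@{
                        File    = $file
                        Stream  = $_.Stream
                        Length  = $_.Length
                        Decoded = Convert-MaybeBase64 $raw
                    }
                }
        }
}

# Example usage on the mounted image (placeholder drive letter, adjust as needed):
# Find-SuspiciousAds -Root 'E:\Windows\Tasks' | Format-List
```

Run it against the whole mounted volume when hunting; the `Decoded` field is `$null` for streams that do not contain a base64 blob.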
