
We're noticing some strange connections from a critical PC that can't be replaced. We've run an AV scan to delete the malicious files and rebooted the box, but the connections get re-established. We've taken a backup of some critical system files, can you help us figure out what's going on?
Information
Challenge: Persistence
Category: Forensics
Difficulty: Easy
Files: Persistence.zip 118 KB
query 552 KB
Environment: Remnux VM
My Recommendations
Download it from hackthebox and verify it with:
sha256sum /path/to/Persistence.zip
SHA256SUM: 84ee1ec1fd823ea9d3a97babd8312150bd577b1f1b74aee9c513dcbc4910ef01
Walkthrough
1. File Analysis
First, let’s figure out what type of file this is:
file query
#returns query: MS Windows registry file, NT/2000 or above
Since it's a registry file, we can parse it with regfexport, which dumps the hive as text. Normally I would use RegRipper, but since the hive name is unknown it's easier this way.
2. Hive Analysis
The challenge description specifically implies that something is persisting. We can check whether the hive contains a Run key, which is where autorun values live:
cat query.txt | grep Run

Perfect, now we can grep for the ‘CurrentVersion\Run’ key to see its values:
cat query.txt | grep -F 'ROOT\Software\Microsoft\Windows\CurrentVersion\Run' -A 30

It has only one value: an executable whose value name is base64-encoded. Decoding the name gives the flag:
echo -n 'SFRCezFfQzRuX2t3M3J5XzRMUjE5aDd9' | base64 -d
#returns HTB{1_C4n_kw3ry_4LR19h7}
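The two grep steps above and the decode step can be folded into one triage script, so that every value under a Run or RunOnce key is listed and any base64-looking value name is decoded automatically. The script below is an added example and is not part of the original writeup; it goes slightly beyond the walkthrough by also checking RunOnce and every value under those keys, not just the single one found here. It assumes a simple text dump layout (a key path on its own line, followed by indented "name = data" lines). That layout is constructed for the example and is not regfexport's actual output format, so point parse_dump() at whatever your tool emits. The sample dump, including the executable path, is constructed; the base64 value name is the one from the hive.

```python
import base64
import re

# Autorun key names worth checking under ...\CurrentVersion. Run and RunOnce are
# the two the Windows shell consults at logon.
AUTORUN_KEY_NAMES = {"run", "runonce"}

# A string that looks like base64: only the base64 alphabet plus optional padding.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample dump. The layout (a key path on its own line, then
# "  name = data" lines) is invented for this example and is NOT the output
# format of regfexport. The executable path is a placeholder.
SAMPLE_DUMP = """\
ROOT\\Software\\Microsoft\\Windows\\CurrentVersion
  ProgramFilesDir = C:\\Program Files
ROOT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
  SFRCezFfQzRuX2t3M3J5XzRMUjE5aDd9 = C:\\Users\\Public\\updater.exe
  OneDrive = "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
ROOT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
ROOT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
  ShellState = (binary)
"""


def parse_dump(text):
    """Turn the text dump into {key_path: [(value_name, value_data), ...]}."""
    tree = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line: a value under the current key.
            name, sep, data = line.strip().partition(" = ")
            if current is not None and sep:
                tree[current].append((name, data))
        else:
            # Unindented line: a new key path.
            current = line.strip()
            tree.setdefault(current, [])
    return tree


def try_base64(s):
    """Return the decoded text if s is valid base64 that decodes to printable ASCII, else None."""
    if not BASE64_RE.match(s) or len(s) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:
        return None
    # Only accept decodes that are entirely printable ASCII; random-looking
    # names such as "OneDrive" happen to be valid base64 but decode to junk.
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def find_autorun_entries(tree):
    """Collect every value under a Run/RunOnce key, with a base64 decode attempt on its name."""
    entries = []
    for key, values in tree.items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf not in AUTORUN_KEY_NAMES:
            continue
        for name, data in values:
            entries.append({
                "key": key,
                "name": name,
                "data": data,
                "decoded_name": try_base64(name),
            })
    return entries


def triage(text):
    """Parse a dump and return the autorun entries found in it."""
    return find_autorun_entries(parse_dump(text))


if __name__ == "__main__":
    for e in triage(SAMPLE_DUMP):
        note = f"  (name decodes to: {e['decoded_name']})" if e["decoded_name"] else ""
        print(f"{e['key']}\n  {e['name']} -> {e['data']}{note}")
```

Run against the sample it lists both Run values and decodes the first name to HTB{1_C4n_kw3ry_4LR19h7}, while OneDrive is left alone because its decode is not printable. The printable-ASCII check is what keeps the base64 heuristic from flagging ordinary value names.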