Hack The Box - Forensics | Reminiscent | Writeup

 It was time for the following forensics challenge. From the description, I assumed we would be using Volatility, a fantastic tool for extracting data from memory dumps, so I pulled out the floppy disc

Myself  System.Exit 

Join Me on an exhilarating digital forensics adventure guided by experts! Uncover Reminiscent's secrets with Volatility. Calling all hacking enthusiasts to explore the thrilling realm of cyber investigation. Let's delve into the art of forensics together!

CHALLENGE DESCRIPTION

Suspicious traffic was detected from a recruiter's virtual PC. A memory dump of the offending VM was captured before it was removed from the network for imaging and analysis. Our recruiter mentioned he received an email from someone regarding their resume. A copy of the email was recovered and is provided for reference. Find and decode the source of the malware to find the flag.

 

Kali doesn’t ship with this and I didn’t have it installed. Better get that sorted:

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python2 get-pip.py
pip2 install --upgrade setuptools
apt install install python-dev
pip2 install pycrypto
pip2 install distorm3
git clone https://github.com/volatilityfoundation/volatility
cd volatility
sudo python setup.py install

 Three files were included in the challenge's ZIP file. A memory dump, a duplicate of the "shady email," and a file containing output resembling:

 

vol.py imageinfo -f ../Remini/reminiscent/flounder-pc-memdump.elf

 

This merely instructs us on which Volatility profile to use, which can be applied to numerous systems. Because it is the first profile in the list, we will be using Win7SP1x64.

Using the pslist and psscan commands, we can examine the processes that were active on the system during the memory dump. If the malware is attempting to conceal itself, the latter is helpful. Here, they both yield the same result (in their own special ways), so we can infer with some degree of certainty what happened right away.  




 

explorer.exe -> powershell.exe -> powershell.exe

 

It does launch some other things – that VBoxTray.exe has got itself on my naughty list as well. We’ll come back to that if we have to. We’ll stay focused on Powershell for now.

Let’s try the consoles command to see what that gives us.

 

Although the output is a little unpleasant, it does indicate that we may be onto something. Here, obfuscated code has obviously been executed. We're moving in the appropriate way.

Wouldn't it be wonderful if we could see what was contained in this.lnk file? And we most likely can. It is possible to quickly search for "resume.pdf.lnk" using the filescan command.

Fortunately, the file is in memory at this point, so we can extract its contents and drop it onto our disc by using the dumpfiles command. All that is required is the file offset, which is the information in the first column. Using the following command, I was able to obtain the second entry at 0xfffffa80022ac740:

vol.py --profile=Win7SP1x64 dumpfiles --physoffset 0x000000001e8feb70  -f ../Remini/reminiscent/flounder-pc-memdump.elf --dump-dir ../Remini

 

By doing this, the dump is placed in the directory where I'm working on this task. Upon closer inspection, Powershell is seen running a few payloads that are encoded in Base64. 

That isn't at all attractive. However, if we run it via base64 -d, we can decode it. I frequently use the command line for this:

 

echo <base64 encoded string> | base64 -d

Other methods are available, speak to your local Base64 decoding representative.

The first section of Base64 encoded text doesn’t have anything of any use in it, but the second encodes another Powershell command being executed. 

 That is, of course, also encoded in Base64. Someone has taken great care to hide their intentions in this situation. The payload's core is revealed when we decode this string. This was the entire meal, albeit we had a taste of it earlier when we looked at what was passed through the console:

 

There’s variable called $flag which is, rather obviously, the flag for this challenge which I used to claim my points.

This is a very useful introduction to Volatility if you haven’t used it before, and I’d recommend having a play to see just how much information you can extract. Everything from programs that have recently run to browser history is contained in the memory dump. I’ll leave you with what I pulled using the iehistory command.

 Thank you for being an essential part of this blog's journey. Your readership and support mean the world. Grateful for each moment shared together.

 

 

"Embrace the journey towards your aspirations, undeterred by the ticking clock. Dreams, like steadfast companions, linger beyond the boundaries of time, eternally waiting for your embrace."