Getting Started
So for this summer, I decided to focus a little more on the offensive side of cybersecurity. I got back onto my hackthebox account hoping, to get up to the script kiddie ranking at least by the end of the summer. I always found hackthebox hard, but now that I have forensics and reverse engineering skills from doing it for about a year and a half, I am more confident than ever. Now onto the challenge.
Reminiscent
First, we have a text file that gives us a list of suggested profiles about the memory dump, flouder-pc-memdump.elf, which we are said to analyze. My malware analyst brain is telling me to look at the running processes captured when the system was up.
Here are three processes that have caught my eye. Process PID 2812 for thunderbird.exe, PID 496 for powershell.exe, and PID 2752 for another PowerShell process. We know that the person using this computer has remoted getting suspicious emails based on the challenge description. It is known that 90% of all malware is distributed by email, coming in documents, PDFs, LNK files, ISOs, you name it. Embedded within are usually PowerShell or other scripting languages.
Also notice that one powershell process is a parent of the other. This could mean that there is some second stage payload here.
Going forward I decided to look at the command line of each of the running processes.
Here we see base64 encoded data within the powershell command line. Decoding it was simple as running the base64 command.
The flag from here is plain text, so it’s easy to spot. This was a quick and easy forensic challenge, but it can help you improve your skills in volatility. One of these skills is just installing volatility. It might be the hardest thing I have ever had to install. Happy reversing!
💬 Comment: