Security Blog, Rants, Raves, Write-ups, and Code
Security Blog, Rants, Raves, Write-ups, and Code
Export
| Name: | Persistence |
|---|---|
| Hint: | We're noticing some strange connections from a critical PC that can't be replaced. We've run an AV scan to delete the malicious files and rebooted the box, but the connections get re-established. We've taken a backup of some critical system files, can you help us figure out what's going on? |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: |  |
|
HTB-Bot  |
| Creator: | felamos  |
Download and unzip the file and check the hint:
Hint: We're noticing some strange connections from a critical PC that can't be replaced. We've run an AV scan to delete the malicious files and rebooted the box, but the connections get re-established. We've taken a backup of some critical system files, can you help us figure out what's going on?
Files: query
This is a Windows Registry Hive. We can tell this by running "file query". So, we can use reglookup in Kali to see all the registry keys. Since the name of this challenge is Persistence, we need to examine the locations that would allow persistence for an attacker (usually HKCU/Windows/CurrentVersion/Run etc.).
Running:
┌──(kali㉿kali)-[~/Desktop/HTB/Persistence]
└─$ reglookup query | grep /Windows/CurrentVersion/Run
/Software/Microsoft/Windows/CurrentVersion/Run,KEY,,2020-10-27 04:38:55
/Software/Microsoft/Windows/CurrentVersion/Run/Windows Update,SZ,C:\Windows\System32\SFRCezFfQzRuX2t3M3J5XzRMUjE5aDd9.exe,
Well, that exe filename looks interesting. Run it through CyberChef and Base64 decode it and we have our flag!
HTB{1_C4n_kw3ry_4LR19h7}
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.