Reminiscent

Hello,

so I successfully solved Marshal in the Middle.
Now I am stuck with Reminiscent. My only question at the moment would be: am I supposed to get the resume.zip from the link in the mail? I can't access that URL using the VPN.

I hope I don't spoil anything with this question, but I don't think so.

Thanks

Comments

  • Hi @davidb - that file is not intended to be accessible from the HTB network

    rotarydrone
    OSCP

  • Thanks!

  • @rotarydrone Can I PM you? I think i have it mostly solved but missing the first half of the flag.

  • @rotarydrone Nevermind. A reboot somehow fixed it. Got the rest.

  • I got the string with Base64 encoding. While decoding the string, $stP, $siP ....... are shown. Can anyone help me to find the correct flag?

  • Mmm memory forensics :)

    charybdis

  • Found a couple of malware samples and a link to the resume.zip; analysis shows PowerShell calls but I can't find the flag. Is there something I am overlooking?

  • edited May 2018

    @FEVING said:
    Found a couple of malware samples and a link to the resume.zip; analysis shows PowerShell calls but I can't find the flag. Is there something I am overlooking?

    Maybe dumping the PowerShell processes and searching will help?

    charybdis

  • @charybdis said:

    @FEVING said:
    Found a couple of malware samples and a link to the resume.zip; analysis shows PowerShell calls but I can't find the flag. Is there something I am overlooking?

    Maybe dumping the PowerShell processes and searching will help?

    Dumping the PS process and searching leads to what @FEVING found.

    First time tinkering with this type of work; it's interesting. Haven't found the flag yet. I've been reading dumps and online docs all day ~_~

  • Dumped the processes, dumped the memory, searched the strings, found the links, still no luck. Any help?

    Hack The Box
    Follow me on Twitter: @C_3PJoe

  • edited July 2018

    I think I have the file but am not able to find the flag, please help.

  • @roboteknix said:
    I think I have the file but am not able to find the flag, please help.

    PM me explaining what you did; I can give you clues.

  • @C3PJoe said:
    Dumped the processes, dumped the memory, searched the strings, found the links, still no luck. Any help?

    If you haven't completed the challenge by now feel free to PM me.

  • Can anyone who has solved this challenge PM me? Found the APT .LNK file but not sure how to get the flag. Any hints?

  • edited October 2018

    Solved it. It's not that simple. This text helped me a lot:
    https://technical.nttsecurity.com/post/102egyy/hunting-malware-with-memory-analysis
    But it is still a lot of looking and trying.
    It was a good challenge!
    PM if hints are needed.

    Deleite

  • @deleite said:
    Solved it. It's not that simple. This text helped me a lot:
    https://technical.nttsecurity.com/post/102egyy/hunting-malware-with-memory-analysis
    But it is still a lot of looking and trying.
    It was a good challenge!
    PM if hints are needed.

    This was a world of help, thanks heaps.
    First time doing anything like this at all; once I figured out what could be seen, finding the flag took no more than 10 minutes.
    Awesome challenge, learnt a lot.

  • @Blkph0x said:

    @deleite said:
    Solved it. It's not that simple. This text helped me a lot:
    https://technical.nttsecurity.com/post/102egyy/hunting-malware-with-memory-analysis
    But it is still a lot of looking and trying.
    It was a good challenge!
    PM if hints are needed.

    This was a world of help, thanks heaps.
    First time doing anything like this at all; once I figured out what could be seen, finding the flag took no more than 10 minutes.
    Awesome challenge, learnt a lot.

    I'm glad it helped. Respect maybe?

    Deleite

  • Hi, I have solved this challenge. However, I am not sure what the "resume.eml" file was for. Happy to discuss if anyone has solved it using the .eml file?

  • edited February 15

    @mendedsiren63 said:

    Hi, I have solved this challenge. However, I am not sure what the "resume.eml" file was for. Happy to discuss if anyone has solved it using the .eml file?

    The .eml is provided just as a hint to assist with the challenge or provide a starting point/things to look for.

    rotarydrone
    OSCP

  • @rotarydrone said:

    @mendedsiren63 said:

    Hi, I have solved this challenge. However, I am not sure what the "resume.eml" file was for. Happy to discuss if anyone has solved it using the .eml file?

    Just a hint to assist with the challenge or provide a starting point/things to look for.

    Check the link from @deleite, go step by step. Anything suspicious running on the box? What powerful Windows application do attackers use these days? Dive into that application and you will find the flag.

  • edited April 2

    .

  • Got it. If you need help PM.
    Cheers from Portugal :+1:

  • So I've found the .lnk file from the b64 string starting with $stP, $siP, but now I'm unsure where to go; any help would be amazing. Feel free to PM if you have any clues. Thanks.

  • So I've found the .lnk file from the b64 string starting with $stP, $siP, but now I'm unsure where to go; any help would be amazing. Feel free to PM if you have any clues. Thanks.

    Stuck at the same place. I would appreciate it if someone could give any clues in a PM. Thanks in advance.

  • I used Volatility, an awesome tool for memory forensics.
    Look for any suspicious processes, check the memory, analyze it, etc.
    PM me for help.

    e-nigmaNL
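Two posts in this thread describe the same analysis step: dumping the suspicious PowerShell process and searching its memory, and then decoding the Base64 string that turns out to start with `$stP,$siP`. PowerShell's `-EncodedCommand` argument is Base64 over UTF-16LE text, so a plain Base64 decode shows null-interleaved bytes and a Base64 run copied out of a dump often loses its `=` padding. The script below is an added example, not code from the thread, from Hack The Box or from Volatility. It scans a constructed sample of "strings" output (the script it recovers is a benign stand-in that only reuses the variable names mentioned above), finds long Base64 runs, restores padding, and keeps only those that decode to printable UTF-16LE text.

```python
import base64
import re
import string

# Constructed sample: a few lines such as a strings pass over a dumped
# PowerShell process might surface. The script is a benign stand-in that
# merely reuses the variable names mentioned in the thread.
SAMPLE_SCRIPT = "$stP = 'constructed sample'; $siP = 42; Write-Output $stP"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
# 30 arbitrary bytes -> a 40-char Base64 run that is valid Base64 but not text.
BINARY_NOISE_B64 = base64.b64encode(bytes(range(30))).decode("ascii")

SAMPLE_DUMP = (
    "powershell.exe -NoP -W Hidden -EncodedCommand " + SAMPLE_B64 + "\n"
    "short blob QUJDREVGRw== that is too short to matter\n"
    "binary-looking run " + BINARY_NOISE_B64 + " that is not UTF-16 text\n"
    "plain line without any base64\n"
)

PRINTABLE = set(string.printable)


def decode_candidates(text, min_len=40):
    """Find Base64 runs of at least min_len characters in text and return
    (blob, decoded) pairs for those that decode to printable UTF-16LE text,
    the encoding PowerShell uses for -EncodedCommand."""
    pattern = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    results = []
    for match in pattern.finditer(text):
        blob = match.group(0)
        # Strings pulled from a dump often lose their '=' padding; restore it.
        padded = blob + "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
            decoded = raw.decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not UTF-16LE
        if decoded and all(ch in PRINTABLE for ch in decoded):
            results.append((blob, decoded))
    return results


if __name__ == "__main__":
    for blob, script in decode_candidates(SAMPLE_DUMP):
        print(f"{blob[:24]}... -> {script}")
```

On a real case the input would be the output of a strings pass over the process dump rather than the constructed `SAMPLE_DUMP`; the printable check is what separates encoded scripts from the many Base64-looking runs (certificates, compressed blobs) that also live in process memory.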
