Reminiscent

Hello,

so I successfully solved Marshal in the Middle.
Now I am stuck with Reminiscent. My only question at the moment would be: am I supposed to get the resume.zip from the link in the mail? I can't access that URL using the VPN.

I hope I don't spoil anything with this question, but I don't think so.

Thanks


Comments

  • Hi @davidb - that file is not intended to be accessible from the HTB network

    rotarydrone
    OSCP

  • Thanks!

  • @rotarydrone Can I PM you? I think i have it mostly solved but missing the first half of the flag.

  • @rotarydrone Nevermind. A reboot somehow fixed it. Got the rest.

  • I got the Base64-encoded string. When I decode the string, $stP, $siP... are shown. Can anyone help me find the correct flag?

  • Mmm memory forensics :)

    charybdis

  • Found a couple of pieces of malware and a link to the resume.zip; analysis shows PowerShell calls but I can't find the flag. Is there something I am overlooking?

  • edited May 2018

    @FEVING said:
    Found a couple of pieces of malware and a link to the resume.zip; analysis shows PowerShell calls but I can't find the flag. Is there something I am overlooking?

    Maybe dumping the PowerShell processes and searching will help?

    charybdis

  • @charybdis said:

    @FEVING said:
    Found a couple of pieces of malware and a link to the resume.zip; analysis shows PowerShell calls but I can't find the flag. Is there something I am overlooking?

    Maybe dumping the PowerShell processes and searching will help?

    Dumping the PS process and searching leads to what @FEVING found.

    First time tinkering with this type of work; it's interesting. Haven't found the flag yet. I've been reading dumps and online docs all day ~_~

  • Dumped the processes, dumped the memory, searched the strings, found the links, still no luck. Any help?

    Hack The Box
    Follow me on Twitter: @C_3PJoe

  • edited July 2018

    I think I have the file but am not able to find the flag. Please help.

  • @roboteknix said:
    I think I have the file but am not able to find the flag. Please help.

    PM me explaining what you did; I can give you clues.

  • @C3PJoe said:
    Dumped the processes, dumped the memory, searched the strings, found the links, still no luck. Any help?

    If you haven't completed the challenge by now feel free to PM me.

  • Can anyone who has solved this challenge PM me? I found the APT .LNK file but am not sure how to get the flag. Any hints?

  • edited October 2018

    Solved it. It's not that simple. This text helped me a lot:
    https://technical.nttsecurity.com/post/102egyy/hunting-malware-with-memory-analysis
    But it's still a lot of looking and trying.
    It was a good challenge!
    PM if hints needed.

    Deleite

  • @deleite said:
    Solved it. It's not that simple. This text helped me a lot:
    https://technical.nttsecurity.com/post/102egyy/hunting-malware-with-memory-analysis
    But it's still a lot of looking and trying.
    It was a good challenge!
    PM if hints needed.

    This was a world of help, thanks heaps.
    First time doing anything like this at all. Once I figured out what could be seen, finding the flag took no more than 10 minutes.
    Awesome challenge, learnt a lot.

  • @Blkph0x said:

    @deleite said:
    Solved it. It's not that simple. This text helped me a lot:
    https://technical.nttsecurity.com/post/102egyy/hunting-malware-with-memory-analysis
    But it's still a lot of looking and trying.
    It was a good challenge!
    PM if hints needed.

    This was a world of help, thanks heaps.
    First time doing anything like this at all. Once I figured out what could be seen, finding the flag took no more than 10 minutes.
    Awesome challenge, learnt a lot.

    I'm glad it helped. Respect maybe?

    Deleite

  • Hi, I have solved this challenge. However, I am not sure what the use of the "resume.eml" file was. Happy to discuss if anyone has solved it using the .eml file.

  • edited February 15

    @mendedsiren63 said:

    Hi, I have solved this challenge. However, I am not sure what the use of the "resume.eml" file was. Happy to discuss if anyone has solved it using the .eml file.

    The .eml is provided just as a hint to assist with the challenge or to provide a starting point/things to look for.

    rotarydrone
    OSCP

  • @rotarydrone said:

    @mendedsiren63 said:

    Hi, I have solved this challenge. However, I am not sure what the use of the "resume.eml" file was. Happy to discuss if anyone has solved it using the .eml file.

    Just a hint to assist with the challenge or to provide a starting point/things to look for.

    Check the link from @deleite and go step by step. Anything suspicious running on the box? What powerful Windows application do attackers use these days? Dive into that application and you will find the flag.

  • edited April 2

    .

  • Got it. If you need help PM.
    Cheers from Portugal :+1:

  • So I've found the .lnk file from the b64 string starting with $stp, $siP, but now I'm unsure where to go. Any help would be amazing. Feel free to PM if you have any clues. Thanks

  • So I've found the .lnk file from the b64 string starting with $stp, $siP, but now I'm unsure where to go. Any help would be amazing. Feel free to PM if you have any clues. Thanks

    Stuck at the same place. I would appreciate it if someone could give me any clues in PM. Thanks in advance.

  • I used Volatility, an awesome tool for memory forensics.
    Look for any suspicious processes, check the memory, analyze it, etc.
    PM me for help.

    e-nigmaNL

  • edited April 21

    So I've found the .lnk file from the b64 string starting with $stp, $siP, but now I'm unsure where to go. Any help would be amazing. Feel free to PM if you have any clues. Thanks

    Stuck at the same place. I would appreciate it if someone could give me any clues in PM. Thanks in advance.

    I am stuck at this point as well. Not sure what to do next to find the flag. Can anyone give me a clue? Thanks in advance!

  • Finally got it after a bit too long...

    Like others here, finding the file and the b64 string with Volatility was the easy part for me.

    My advice: take the powerful one-liner command you have found, break it down into multiple lines, understand each one, and it will naturally lead you to the answer.

    This was an awesome challenge and there are many nested layers to appreciate in it, great job rotarydrone +1 respect.

    CISSP | OSCP | OSCE

  • @sherad said:

    Finally got it after a bit too long...

    Like others here, finding the file and the b64 string with Volatility was the easy part for me.

    My advice: take the powerful one-liner command you have found, break it down into multiple lines, understand each one, and it will naturally lead you to the answer.

    This was an awesome challenge and there are many nested layers to appreciate in it, great job rotarydrone +1 respect.

    Glad you enjoyed the challenge!

    rotarydrone
    OSCP

  • Great challenge by rotarydrone!

    All you need is to learn Volatility properly and a couple of "strings" commands to make it human readable. Looking backwards, you have many paths to explore. Don't panic and understand the problem, so you can't lose your way.

  • @KameB0Y said:

    Great challenge by rotarydrone!

    All you need is to learn Volatility properly and a couple of "strings" commands to make it human readable. Looking backwards, you have many paths to explore. Don't panic and understand the problem, so you can't lose your way.

    Hi.
    I am stuck now at this challenge.
    What I have done was:
    - used Volatility
    - found where the malware is
    - from the parent file got the base64 code
    - decoded it and got a "ONELINE SUPER CODE"

    Now I have tried to make something out of that code. I think it's written in C#, but I can not wrap my head around it. Please help me out. I suspect that once I figure out what I am looking for in that code I will find it in the child file ~ please help me out TY!
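As an added example, not code from the challenge or from any poster here, this Python helper does the breakdown sherad and the poster above describe: decode an -EncodedCommand style base64 blob (UTF-16LE), split the one-liner at statement and pipe boundaries so each step can be read on its own, and peel any nested base64 literal. The sample one-liner is constructed and harmless; $stP and $siP are used only as variable names.

```python
import base64
import re

# Constructed sample (not from the challenge or any poster): a harmless
# PowerShell one-liner with one nested base64 layer, encoded the way
# powershell.exe -EncodedCommand expects it (UTF-16LE text, then base64).
INNER = base64.b64encode(b"Write-Output 'inner layer'").decode("ascii")
SAMPLE_PS = (
    f"$stP = 'example'; $siP = '{INNER}'; "
    "$dec = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($siP)); "
    "Write-Output $stP | Out-Null"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode("ascii")
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")  # quoted base64-ish text

def decode_layer(b64: str) -> str:
    """Base64-decode one layer; use UTF-16LE when every other byte is NUL."""
    raw = base64.b64decode(b64)
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")

def split_statements(script: str) -> list[str]:
    """Break a one-liner at ';' and '|' outside quotes, one statement per item."""
    out, cur, quote = [], [], None
    def flush(start):
        nonlocal cur
        if "".join(cur).strip():
            out.append("".join(cur).strip())
        cur = start
    for ch in script:
        if quote:                      # inside a string literal: copy verbatim
            cur.append(ch)
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch in ";|":               # statement or pipeline boundary
            flush([] if ch == ";" else ["|"])   # keep the pipe visible
        else:
            cur.append(ch)
    flush([])
    return out

def analyze(b64: str) -> dict:
    """Decode the outer layer, list its statements and decode nested literals."""
    script = decode_layer(b64)
    return {"script": script,
            "statements": split_statements(script),
            "nested": [decode_layer(m) for m in B64_LITERAL.findall(script)]}
```

Running `analyze(SAMPLE_B64)` gives one line per statement plus the decoded inner layer, which is the point at which each step of a real sample can be read and understood individually.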
