Reminiscent

@mendedsiren63 said:

Hi, I have solved this challenge. However, I am not sure what the "resume.eml" file was used for. Happy to discuss if anyone has solved it using the .eml file?

Just a hint to assist with the challenge or provide a starting point/things to look for.

Check the link from @deleite, go step by step. Anything suspicious running on the box? What powerful Windows application do attackers use these days? Dive into that application and you will find the flag.

Got it. If you need help PM.
Cheers from Portugal :+1:

So I've found the lnk file from the b64 string starting with $stp, $siP, but now I'm unsure where to go next. Any help would be amazing. Feel free to PM me if you have any clues. Thanks

Stuck at the same place. I would appreciate it if someone could give me any clues in PM. Thanks in advance

I used Volatility, an awesome tool for memory forensics.
Look for any suspicious processes, check the memory, analyze it, etc.
PM me for help

I am stuck at this point as well… Not sure what to do next to find the flag… Can anyone give me a clue? Thanks in advance!

Finally got it after a bit too long…

Like others here, finding the file and the b64 string with Volatility was the easy part for me.

My advice: take the powerful one-liner command you have found, break it down into multiple lines, understand each one, and it will naturally lead you to the answer.

This was an awesome challenge and there are many nested layers to appreciate in it, great job rotarydrone +1 respect.

@sherad said:

Finally got it after a bit too long…

Like others here, finding the file and the b64 string with Volatility was the easy part for me.

My advice: take the powerful one-liner command you have found, break it down into multiple lines, understand each one, and it will naturally lead you to the answer.

This was an awesome challenge and there are many nested layers to appreciate in it, great job rotarydrone +1 respect.

Glad you enjoyed the challenge!

Great challenge by rotarydrone!

All you need is to learn Volatility properly and a couple of "strings" commands to make it human-readable. Looking backwards, you have many paths to explore. Don't panic; understand the problem so you can't lose your way.

@KameB0Y said:

Great challenge by rotarydrone!

All you need is to learn Volatility properly and a couple of "strings" commands to make it human-readable. Looking backwards, you have many paths to explore. Don't panic; understand the problem so you can't lose your way.

Hi.
I am stuck at this challenge now.
What I have done was:
- used Volatility
- found where the malware is
- from the parent file got the base64 code
- decoded it and got a "ONE-LINE SUPER CODE"

Now I have tried to make something out of that code. I think it's written in C#, but I cannot wrap my head around it. Please help me out. I suspect that once I figure out what I am looking for in that code I will find it in the child file. Please help me out, TY!

@rotarydrone said:
Hi @davidb - that file is not intended to be accessible from the HTB network

@rotarydrone hi man, can I PM you so you can help me out a little?
I have gotten to the code but I can't figure out what I am looking for!

@S4K4L04 said:

I am stuck at this challenge now.
What I have done was:
- used Volatility
- found where the malware is
- from the parent file got the base64 code
- decoded it and got a "ONE-LINE SUPER CODE"

You are on the right track; you only have to find it. Go back to Volatility and use "pstree". The question is: have you exhausted all the "powerful one-liners"?
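The step that @sherad and @KameB0Y describe, pulling the base64 blob out of a PowerShell command line that Volatility's pstree/cmdline output shows, decoding it, and then reading the resulting one-liner statement by statement, as an added Python example that is not part of the original thread or of the challenge. The command line and the script inside it are constructed for illustration and are not the challenge's payload; the example assumes the standard -EncodedCommand convention, in which the argument is base64 of a UTF-16LE string.

```python
from __future__ import annotations

import base64
import re

# Constructed sample script: a benign PowerShell one-liner, made up for this
# example. It deliberately contains ';' inside a string and inside a block so
# that the splitter below has something non-trivial to get right.
SAMPLE_SCRIPT = (
    '$u = "http://example.invalid/a;b"; '
    '$p = Join-Path $env:TEMP "out.txt"; '
    'if (Test-Path $p) { Remove-Item $p; Write-Output "removed" }; '
    'Write-Output ($u + " -> " + $p)'
)

# -EncodedCommand takes base64 of the UTF-16LE bytes of the script, not UTF-8.
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed sample: what a process command line of this shape looks like in
# a cmdline/pstree listing. Not taken from the challenge's memory image.
SAMPLE_CMDLINE = f"powershell.exe -NoP -W Hidden -Enc {SAMPLE_B64}"

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings seen most often in the wild (assumption: extend if needed).
_ENC_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def extract_encoded_command(cmdline: str) -> str | None:
    """Return the base64 argument of -EncodedCommand, or None if absent."""
    m = _ENC_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """base64 -> UTF-16LE -> text. validate=True makes a truncated blob fail
    loudly (binascii.Error) instead of decoding to garbage."""
    return base64.b64decode(b64, validate=True).decode("utf-16le")


def split_oneliner(script: str) -> list[str]:
    """Split a one-liner into statements at top-level ';' only: a ';' inside
    quotes or inside (), [], {} stays with its statement. Backtick escapes
    inside double-quoted strings are not handled (kept simple on purpose)."""
    stmts: list[str] = []
    buf: list[str] = []
    depth = 0
    quote: str | None = None
    for ch in script:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
            continue
        if ch in ("'", '"'):
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        elif ch == ";" and depth == 0:
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


def unpack_cmdline(cmdline: str) -> list[str]:
    """Full pipeline: command line -> decoded script -> list of statements."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return []
    return split_oneliner(decode_encoded_command(b64))


if __name__ == "__main__":
    for i, stmt in enumerate(unpack_cmdline(SAMPLE_CMDLINE), 1):
        print(f"{i:2d}: {stmt}")
```

If the decoded script itself contains another base64 string, feed that inner blob back through the same decoder; that is what "many nested layers" in the thread refers to, and each layer is read the same way. Running the block prints four numbered statements for the constructed sample, with the ';' in the URL and the ';' inside the if-block left in place.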

@KameB0Y
Sorry, I am a NOOB who got into this stuff a very short while ago.
Could you explain further what you mean?
I don't get exactly what you mean by "exhausted". I mean, I have found 2 of them, one is really big and the other is a little smaller, if that is what you wanted to ask me?

@S4K4L04 said:

@KameB0Y
I’ll PM you.

Hey, if anyone's still stuck with this challenge, here are my tips:
If you already got the lnk file, all that's left to do is actually read the code and follow exactly what it's doing. Even if you're not familiar with this specific language, you can always look it up! There are some nice reference docs online.

What a great challenge. Very interesting!

Videos that helped me understand how to use Volatility:

Websites

If you need some assistance please PM me.

Great challenge! I really loved this one :slight_smile:

All by myself!!! Great challenge! I’ve learned a lot of stuff :slight_smile:

Thanks @Wolfstorm for those resources!