forensicsProhard

Acknowledge the corn

hackthebox

Task: memory dump (powershell.dmp) + pcap of a Covenant Grunt C2 session; determine whether the APT penetrated the network and recover the flag. Solution: fingerprint Covenant via its default HTTP profile, deobfuscate the base64+DEFLATE .NET stager to extract SetupAESKey, recover the negotiated AES session key from the process dump via an HMAC-SHA256 oracle full-dump scan, decrypt the AES-256-CBC C2 traffic, and reconstruct the flag from keylogger output by stripping lshiftkey noise tokens.

pcap aes_cbc dotnet memory_forensics c2 hmac_sha256 mimikatz covenant grunt keylogger powershell_stager

aes_cbc_decryptionc2_profile_fingerprintingstager_deobfuscationdeflate_decompressiondotnet_string_extractioncovenant_message_parsinghmac_oracle_keyscankeylogger_reconstruction

$ ls tags/ techniques/

pcap aes_cbc dotnet memory_forensics c2 hmac_sha256 mimikatz covenant grunt keylogger powershell_stager

aes_cbc_decryptionc2_profile_fingerprintingstager_deobfuscationdeflate_decompressiondotnet_string_extractioncovenant_message_parsinghmac_oracle_keyscankeylogger_reconstruction

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups