forensics | free | medium

Red Failure

HackTheBox

Task: analyze a PCAP from a red team engagement to find leftover persistence mechanisms. Solution: extract HTTP objects (PS1 loader, DInjector DLL, encrypted shellcode), deobfuscate PowerShell to recover AES password, decrypt shellcode, decode shikata_ga_nai encoder to reveal a net user command creating a backdoor admin account.

$ ls tags/ techniques/
pcap_http_object_extraction
powershell_string_format_deobfuscation
aes_cbc_decryption_sha256_key
shikata_ga_nai_xor_decoding
shellcode_string_extraction


Red Failure — HackTheBox

Description

During a recent red team engagement one of our servers got compromised. Upon completion the red team should have deleted any malicious artifact or persistence mechanism used throughout the project. However, our engineers have found many of them left behind. It is therefore believed that there are more such mechanisms still active. Can you spot any, by investigating this network capture?

We are given a capture.pcap file (password-protected ZIP, password: hackthebox). The goal is to analyze the network traffic, identify the attack chain, and find the persistence mechanism the red team forgot to clean up.

Analysis

Step 1: PCAP Traffic Reconnaissance

Analysis with tshark revealed 3 HTTP downloads from 147.182.172.189:80:

Object         Description                                                            Size
/4A7xH.ps1     Obfuscated PowerShell loader script                                    ~2 KB
/user32.dll    DInjector .NET process injection framework (disguised as user32.dll)   86 KB PE32 DLL, Mono/.NET assembly
/9tVI0         AES-encrypted shellcode payload                                        336 bytes

The attack chain is clear: PowerShell script downloads a .NET injection framework and encrypted shellcode, then uses the framework to inject the decrypted shellcode into a process.
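The same listing can be reproduced without Wireshark by reading the capture directly. The following is an added example, not the write-up's tooling or any HTB-provided code: a pure-Python extractor that does the part of `tshark --export-objects http` this step relies on. It assumes a classic (libpcap, not pcapng) Ethernet/IPv4/TCP capture with one HTTP/1.x GET and its response per connection. Because the real capture.pcap is not reproduced on the page, `build_sample_pcap()` constructs a stand-in capture inline, using the server address and two object names from the table above with constructed response bodies.

```python
"""Pure-Python HTTP object extraction from a classic (libpcap) capture.

Added example, not the write-up's own tooling. build_sample_pcap() is a
constructed stand-in for capture.pcap, which is not available here.
"""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def iter_frames(pcap):
    """Yield link-layer frames from a pcap byte string, honouring its byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[data_off:]


def reassemble(pcap):
    """Concatenate TCP payloads per direction in sequence-number order."""
    flows = defaultdict(list)
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg and seg[5]:
            src, sport, dst, dport, seq, payload = seg
            flows[(src, sport, dst, dport)].append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}


def extract_http_objects(pcap):
    """Pair each GET with the reverse-direction response body: [(server, uri, body)]."""
    streams = reassemble(pcap)
    found = []
    for (src, sport, dst, dport), req in streams.items():
        if not req.startswith(b"GET "):
            continue
        uri = req.split(b" ", 2)[1].decode()
        head, sep, body = streams.get((dst, dport, src, sport), b"").partition(b"\r\n\r\n")
        if not sep:
            continue
        for line in head.split(b"\r\n"):  # trim to Content-Length on keep-alive connections
            if line.lower().startswith(b"content-length:"):
                body = body[:int(line.split(b":", 1)[1].strip())]
        found.append((f"{dst}:{dport}", uri, body))
    return found


def _frame(src, sport, dst, dport, seq, payload):
    """Build an Ethernet/IPv4/TCP frame; checksums are left zero, which parsing ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed stand-in capture: two downloads from the server named in the write-up."""
    server, client = "147.182.172.189", "10.0.0.5"
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = []
    for sport, uri, body in ((50001, "/4A7xH.ps1", b"# obfuscated loader placeholder"),
                             (50002, "/9tVI0", bytes(range(16)))):
        frames.append(_frame(client, sport, server, 80, 1,
                             f"GET {uri} HTTP/1.1\r\nHost: {server}\r\n\r\n".encode()))
        resp = f"HTTP/1.1 200 OK\r\nContent-Length: {len(body)}\r\n\r\n".encode() + body
        # Deliver the response as two segments, second one first, to exercise reordering.
        frames.append(_frame(server, 80, client, sport, 21, resp[20:]))
        frames.append(_frame(server, 80, client, sport, 1, resp[:20]))
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


if __name__ == "__main__":
    for server, uri, body in extract_http_objects(build_sample_pcap()):
        print(f"{server} {uri} {len(body)} bytes")
```

On a real capture, pass `open("capture.pcap", "rb").read()` to `extract_http_objects` and write each body to disk for the next steps; the reassembly deliberately sorts by sequence number so out-of-order segments do not corrupt the extracted DLL or shellcode blob.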

Step 2: PowerShell Deobfuscation

The PS1 script used heavy string format obfuscation — "{0}{1}" -f 'X','Y' patterns combined with backtick character escapes. After manual deobfuscation, the key variables were recovered:

...