HTB Nuts: Walkthrough

image

This is a walkthrough of the “Nuts” Sherlock, which is focused mainly on forensics. Most of the analysis can be performed with ZimmermanTools (Eric Zimmerman's forensic tools), plus some occasional manual analysis and cli-fu.


1) What action did Alex take to integrate the purported time-saving package into the deployment process? (provide the full command)

Looking around the user directories, we notice Administrator has a ton of files in their folder, which probably means Alex used the Administrator account for his daily operations.

We notice the typical files, but one sticks out: PublishIgnor.1.0.11-beta. If we look into it, we see a rather suspicious init.ps1 file:

image

We can check the PowerShell history of the user at:

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

And we find the command that the user must have run:

nuget install PublishIgnor -Version 1.0.11-beta

2) Identify the URL from which the package was downloaded.

We can check the user’s browser history; maybe they made some searches beforehand. The Google Chrome history is found at:

C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\History

image
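The History file is a SQLite database, and Chrome stores every timestamp in it as microseconds since 1601-01-01 UTC, so answering questions 2 and 4 means joining the downloads table with its URL chain and converting that epoch. The script below is an added example, not part of the original post; it builds a constructed in-memory copy of the two tables (only the columns it needs, with placeholder URL and path, not the lab data) and queries it the same way you would query the real file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit epoch: microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def chrome_time_to_utc(us: int) -> str:
    """Render a Chrome timestamp as 'YYYY-MM-DD HH:MM' in UTC."""
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).strftime("%Y-%m-%d %H:%M")

def utc_to_chrome_time(iso_utc: str) -> int:
    """Inverse conversion; integer division keeps full microsecond precision."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def list_downloads(con: sqlite3.Connection) -> list:
    """Each download row joins a chain of URLs (redirects); the highest
    chain_index is the URL the bytes actually came from."""
    rows = con.execute("""
        SELECT d.start_time, d.target_path, u.url
        FROM downloads d
        JOIN downloads_url_chains u ON u.id = d.id
        WHERE u.chain_index = (SELECT MAX(chain_index)
                               FROM downloads_url_chains WHERE id = d.id)
        ORDER BY d.start_time""").fetchall()
    return [(chrome_time_to_utc(t), path, url) for t, path, url in rows]

def build_sample_db() -> sqlite3.Connection:
    """Constructed subset of Chrome's History schema with one download
    starting at 2024-03-19 18:41 UTC after a single redirect (made-up values)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT,
            target_path TEXT, start_time INTEGER, total_bytes INTEGER);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER,
            url TEXT, PRIMARY KEY (id, chain_index));
    """)
    start = utc_to_chrome_time("2024-03-19T18:41:00")
    con.execute("INSERT INTO downloads VALUES (1, ?, ?, ?, 4096)",
                (r"C:\Users\CONSTRUCTED\Downloads\package.nupkg",
                 r"C:\Users\CONSTRUCTED\Downloads\package.nupkg", start))
    con.executemany("INSERT INTO downloads_url_chains VALUES (?, ?, ?)", [
        (1, 0, "https://feed.example/redirect"),           # placeholder
        (1, 1, "https://feed.example/PublishIgnor/1.0.11-beta"),
    ])
    return con

if __name__ == "__main__":
    for row in list_downloads(build_sample_db()):
        print(row)
```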

3) Who is the threat actor responsible for publishing the malicious package? (the name of the package publisher)

image

4) When did the attacker initiate the download of the package? Provide the timestamp in UTC format (YYYY-MM-DD HH:MM).

It seems to have been at 2024-03-19 18:41.

image

5) Despite restrictions, the attacker successfully uploaded the malicious file to the official site by altering one key detail. What is the modified package ID of the malicious package?

The legitimate package is shown below; it seems our attacker simply removed the trailing “e”, producing a “unique” package ID.

image

6) Which deceptive technique did the attacker employ during the initial access phase to manipulate user perception? (technique name)

Typosquatting

7) Determine the full path of the file within the package containing the malicious code.

C:\Users\Administrator\.nuget\packages\publishignor\1.0.11-beta\tools\init.ps1

8) When tampering with the system’s security settings, what command did the attacker employ?

The attacker disabled Windows Defender real-time monitoring:

Set-MpPreference -DisableRealtimeMonitoring $true

9) Following the security settings alteration, the attacker downloaded a malicious file to ensure continued access to the system. Provide the SHA1 hash of this file.

Originally, I had assumed that Windows Defender logs would be disabled around the time this binary was on the machine, since in the question above we found that the attacker disabled it. But it’s possible the user re-enabled it, or the attacker didn’t disable all the Defender features, and Defender was able to find and remove the malware. To find the hash specifically, you have to go to (the path below is my local mount of the evidence):

C:\Users\Zayd\Desktop\Nuts\C\ProgramData\Microsoft\Windows Defender\Support\MPLog.log

image

10) Identify the framework utilised by the malicious file for command and control communication.

Sliver, if we take a look at the event logs:

image

11) At what precise moment was the malicious file executed?

We can check the prefetch file for the binary with PECmd:

.\PECmd.exe -f ..\..\..\..\Nuts\C\Windows\prefetch\UNINSTALL.EXE-07032A62.pf

image

12) The attacker made a mistake and didn’t stop all the features of the security measures on the machine. When was the malicious file detected? Provide the timestamp in UTC.

image

13) After establishing a connection with the C2 server, what was the first action taken by the attacker to enumerate the environment? Provide the name of the process.

A lot of the tasks in this lab could have been easily solved if Sysmon was in use, but since it isn’t, we have to use some different techniques. In this case, I tried checking the event logs for any binaries/processes that might have started (event ID 4688), but no luck.

So what we can do next is look at some of the prefetch files, and see if we notice anything a typical attacker might run, and when it was run:

image

It ran just about a minute after the Sliver C2 communication binary was run.

14) To ensure continued access to the compromised machine, the attacker created a scheduled task. What is the name of the created task?

Since we don’t have access to the registry and the Windows event logs aren’t showing anything, let’s manually check C:\Windows\System32\Tasks

image

The task files are UTF-16 XML, so let’s convert them all to UTF-8 and then grep for something around the time the compromise occurred:

find . -maxdepth 1 -type f -exec iconv -f UTF-16 -t UTF-8 {} -o {}.converted \;

# {} is a placeholder that represents each file found.
# \; marks the end of the command to be executed by find.

image

As we can see, one task was scheduled right around the time this happened, and if we open it, it shows the attacker disabling Windows Defender every 10 minutes.

image
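Converting and grepping works, but the task XML carries the registration date, author, action and repetition interval as structured fields, so the same triage can be done without the conversion step. The script below is an added example, not part of the original post: it parses task files as they sit on disk (UTF-16 with BOM, in the Scheduled Task XML namespace) and flags any task registered inside a time window or whose action matches a pattern such as Set-MpPreference. The two sample task definitions are constructed and cut down to the elements used here; they are not the lab's files.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Every element in a task definition lives in this namespace.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TAG = lambda name: "{%s}%s" % (NS["t"], name)

def parse_task(raw: bytes) -> dict:
    """Pull registration date, author, Exec actions and repetition intervals
    out of one task file exactly as stored on disk (BOM + UTF-16)."""
    text = raw.decode("utf-16")                      # the BOM picks the endianness
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)   # declaration no longer applies
    root = ET.fromstring(text)
    date = root.findtext("t:RegistrationInfo/t:Date", default="", namespaces=NS)
    actions = []
    for ex in root.iter(TAG("Exec")):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append(f"{cmd} {args}".strip())
    return {
        "date": datetime.fromisoformat(date[:19]) if date else None,  # drop 7-digit fraction
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS),
        "actions": actions,
        "intervals": [i.text for i in root.iter(TAG("Interval"))],
    }

def flag_tasks(files: dict, start: str, end: str, pattern: str) -> list:
    """Names of tasks registered inside [start, end] (ISO strings) or whose
    action matches pattern case-insensitively, i.e. what the grep pass was after."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits = []
    for name, raw in files.items():
        t = parse_task(raw)
        in_window = t["date"] is not None and lo <= t["date"] <= hi
        tampering = any(re.search(pattern, a, re.I) for a in t["actions"])
        if in_window or tampering:
            hits.append(name)
    return hits

def _task_xml(date, cmd, args, interval=""):
    """Constructed minimal task definition; real files carry more elements."""
    rep = f"<Repetition><Interval>{interval}</Interval></Repetition>" if interval else ""
    return (f'<?xml version="1.0" encoding="UTF-16"?><Task version="1.2" xmlns="{NS["t"]}">'
            f'<RegistrationInfo><Date>{date}</Date><Author>CONSTRUCTED\\user</Author>'
            f'</RegistrationInfo><Triggers><TimeTrigger>{rep}<StartBoundary>{date}'
            f'</StartBoundary></TimeTrigger></Triggers><Actions Context="Author"><Exec>'
            f'<Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions></Task>'
            ).encode("utf-16")

# Constructed sample directory: one benign task, one modelled on the finding above.
SAMPLE_TASKS = {
    "ConstructedCleanup": _task_xml("2024-01-10T08:00:00", "cleanmgr.exe", "/sagerun:1"),
    "ConstructedUpdater": _task_xml("2024-03-19T19:24:05", "powershell.exe",
                                    "-c Set-MpPreference -DisableRealtimeMonitoring $true", "PT10M"),
}
```

Point it at a real directory by reading each file under Tasks with `open(path, "rb").read()` into the dict.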

15) When was the scheduled task created? Provide the timestamp in UTC.

2024-03-19 19:24:05

16) Upon concluding the intrusion, the attacker left behind a specific file on the compromised host. What is the name of this file?

Honestly, with no context, it was borderline impossible to pinpoint exactly what file was created, so I had to simply import the $J (USN journal) into Timeline Explorer, filter for FileCreate, and brute-force the answer with any suspicious-looking files I found. In this case, it was file.exe.

image

17) As an anti-forensics measure, the threat actor changed the file name after executing it. What is the new file name?

We can filter for RenameNewName and RenameOldName and look for something a bit after that timeframe:

image
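The two questions above (16 and 17) are both answered from the $J, and the brute-force step gets easier if the records are filtered and the rename pairs are joined up automatically. The script below is an added example, not part of the original post: it reads the journal as a CSV in the column layout that MFTECmd emits for $UsnJrnl:$J (an assumption; only the columns used here), lists executable FileCreate events inside a time window, and pairs each RenameOldName with the RenameNewName that follows for the same MFT entry. The sample journal is constructed with made-up timestamps and does not reproduce the lab's data.

```python
import csv
import io
from datetime import datetime

# Constructed $J extract; timestamps are invented, only the column names
# follow the MFTECmd CSV layout (an assumption about that tool's output).
SAMPLE_J_CSV = r"""Name,EntryNumber,ParentPath,UpdateTimestamp,UpdateReasons
report.docx,1201,.\Users\Administrator\Documents,2024-03-19 18:02:11.0000000,FileCreate
report.docx,1201,.\Users\Administrator\Documents,2024-03-19 18:02:11.0000000,FileCreate|DataExtend|Close
file.exe,2310,.\ProgramData,2024-03-19 19:31:40.1234567,FileCreate
file.exe,2310,.\ProgramData,2024-03-19 19:31:41.0000000,FileCreate|DataExtend|Close
file.exe,2310,.\ProgramData,2024-03-19 19:35:02.0000000,RenameOldName
Updater.exe,2310,.\ProgramData,2024-03-19 19:35:02.0000000,RenameNewName
Updater.exe,2310,.\ProgramData,2024-03-19 19:35:02.0000000,RenameNewName|Close
"""

def load_j(text: str) -> list:
    """Parse the CSV; split the pipe-joined reason flags and the timestamp
    (MFTECmd writes seven fractional digits, which strptime cannot take)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["UpdateTimestamp"][:19], "%Y-%m-%d %H:%M:%S")
        r["reasons"] = set(r["UpdateReasons"].split("|"))
    return rows

def creations(rows: list, start: str, end: str, exts=(".exe", ".dll", ".ps1")) -> list:
    """First FileCreate per MFT entry inside [start, end] for the given extensions."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    seen, out = set(), []
    for r in rows:
        if ("FileCreate" in r["reasons"] and lo <= r["ts"] <= hi
                and r["Name"].lower().endswith(exts) and r["EntryNumber"] not in seen):
            seen.add(r["EntryNumber"])
            out.append((r["ts"].isoformat(sep=" "), r["ParentPath"], r["Name"]))
    return out

def renames(rows: list) -> list:
    """Pair RenameOldName with the next RenameNewName of the same entry number;
    popping the entry keeps the trailing RenameNewName|Close record from
    producing a duplicate pair."""
    pending, out = {}, []
    for r in rows:
        if "RenameOldName" in r["reasons"]:
            pending[r["EntryNumber"]] = r["Name"]
        elif "RenameNewName" in r["reasons"] and r["EntryNumber"] in pending:
            out.append((r["ts"].isoformat(sep=" "), pending.pop(r["EntryNumber"]), r["Name"]))
    return out

if __name__ == "__main__":
    j = load_j(SAMPLE_J_CSV)
    print(creations(j, "2024-03-19T19:00:00", "2024-03-19T20:00:00"))
    print(renames(j))
```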

18) Identify the malware family associated with the file mentioned in the previous question (17).

We can find the Updater.exe file in the ProgramData folder thanks to the MFT:

image

Then we can upload the binary to VirusTotal and, through trial and error, get the answer.

image

19) When was the file dropped onto the system? Provide the timestamp in UTC.

image

This post is licensed under CC BY 4.0 by the author.