Hi, I have solved this challenge. However, I am not sure what the “resume.eml” file was for. Happy to discuss if anyone has solved it using the .eml file.
Just a hint to assist with the challenge or provide a starting point/things to look for.
Check the link from @deleite and go step by step: anything suspicious running on the box? Which powerful Windows application do attackers use these days? Dive into that application and you will find the flag.
So I’ve found the lnk file from the b64 string starting with $stp, $siP, but now I’m unsure where to go; any help would be amazing. Feel free to PM if you have any clues. Thanks
Stuck at the same place. I would appreciate it if someone could give me any clues in PM. Thanks in advance
I am stuck on this point as well… Not sure what to do next to find the flag… Can anyone give me a clue? Thanks in advance!
Like others here, finding the file and b64 string with volatility was the easy part for me.
My advice: take the Powerful 1-liner command you have found, break it down into multiple lines, understand each one, and it will naturally lead you to the answer.
This was an awesome challenge and there are many nested layers to appreciate in it, great job rotarydrone +1 respect.
All you need is to learn volatility properly and a couple of “strings” commands to make it human readable. Looking backwards you have many paths to explore. Don’t panic and understand the problem, so you can’t lose your way.
Hi.
I am stuck now at this challenge.
What I have done was:
- used volatility
- found where the malware is
- from the parent file got the base64 code
- decoded it and got a “ONELINE SUPER CODE”
Now I have tried to make something out of that code. I think it’s written in C#, but I can not wrap my head around it. Please help me out; I suspect that once I figure out what I am looking for in that code I will find it in the child file. Please help me out, TY!
You are on the right track, you only have to find it. Go back to volatility and use “pstree”. The question is: have you exhausted all the “Powerful 1-liners”?
@KameB0Y
Sorry, I am a NOOB who got into this stuff a very short while ago.
Could you explain further what you mean?
I don’t get what you mean exactly with “exhausted”. I mean I have found 2 of them; one is really big, the other is a little smaller, if that is what you wanted to ask me?
Hey, if anyone’s still stuck with this challenge, here are my tips:
If you already have the lnk file, all that’s left to do is to actually read the code and follow exactly what it’s doing. Even if you’re not familiar with this specific language, you can always look it up! There are some nice reference docs online.
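The advice in the two posts above (break the “1-liner” into separate lines, then read what each one does) as an added example, not code from this thread, the challenge or its author: a small Python helper that decodes the base64 layer PowerShell’s -EncodedCommand uses (base64 of UTF-16LE text, which is why a plain UTF-8 decode looks like garbage), peels nested encodings one at a time, and splits the result on semicolons outside quotes so each statement sits on its own line. The one-liner it works on is constructed and harmless; `$stp` and `$siP` are only borrowed as names from the posts and stand for nothing in the real sample.

```python
"""Peel a base64 PowerShell one-liner into readable statements.

Added example for this thread; not code from the challenge or its author.
The one-liner below is constructed and harmless. The variable names only
echo the ones posters mention ($stp, $siP) and stand for nothing real.
"""
import base64
import re
from typing import List, Optional

# Constructed stand-in for the decoded "one-liner" (harmless by design).
INNER_SCRIPT = (
    "$stp='C:\\Users\\Public\\Documents';"
    "$siP='report.lnk';"
    "Write-Output (Join-Path $stp $siP)"
)


def to_encoded_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed outer layer: the kind of launcher line a memory dump would yield.
OUTER_SCRIPT = "powershell.exe -NoProfile -EncodedCommand " + to_encoded_command(INNER_SCRIPT)

# Long runs of the base64 alphabet; short tokens such as option names never match.
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def decode_b64_text(blob: str) -> Optional[str]:
    """Decode a base64 blob to text, or return None if it is not readable text.

    UTF-16LE is recognised first (every second byte is NUL for ASCII text)
    because that is what PowerShell's -EncodedCommand uses; otherwise UTF-8.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        text = raw.decode("utf-16le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    # Reject binary payloads that happen to decode: keep only printable text.
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def peel_layers(text: str, max_depth: int = 5) -> List[str]:
    """Return the successive layers: the input, then each decoded blob.

    At each step the longest decodable base64 run is decoded; the loop stops
    when nothing decodes, so nested encodings are peeled one by one.
    """
    layers = [text]
    for _ in range(max_depth):
        decoded = None
        for blob in sorted(B64_RE.findall(layers[-1]), key=len, reverse=True):
            decoded = decode_b64_text(blob)
            if decoded is not None:
                break
        if decoded is None:
            break
        layers.append(decoded)
    return layers


def split_statements(script: str) -> List[str]:
    """Split a PowerShell one-liner on ';' outside quotes, one statement each.

    Single quotes are literal; inside double quotes a backtick escapes the
    following character, so "`;" does not end a statement.
    """
    statements, current, quote = [], [], None
    chars = iter(script)
    for ch in chars:
        if quote is None and ch == ";":
            statements.append("".join(current).strip())
            current = []
            continue
        if quote is None and ch in "'\"":
            quote = ch
        elif quote == ch:
            quote = None
        elif quote == '"' and ch == "`":
            current.append(ch)
            ch = next(chars, "")
        current.append(ch)
    statements.append("".join(current).strip())
    return [s for s in statements if s]


if __name__ == "__main__":
    for depth, layer in enumerate(peel_layers(OUTER_SCRIPT)):
        print(f"--- layer {depth} ---")
        for line in split_statements(layer):
            print(line)
```

Run it as is to see the constructed launcher line unfold into its inner statements; to use it on your own find, replace `OUTER_SCRIPT` with the string you pulled from the dump and read the last layer line by line, which is exactly the “break it down and understand each one” step the posters recommend.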