Sherlock: Heartbreaker-Continuum
by maggi - Friday July 26, 2024 at 12:29 AM
#1
I saw HTB released 2 new sherlocks


I didn't download the file yet but Number 7 is: Invoke-WebRequest
(It was just a hunch looking at the questions)
#2
Nice, let's see
#3
To accurately reference and identify the suspicious binary, please provide its SHA256 hash.
Flag 1: 12DAA34111BB54B3DCBAD42305663E44E7E6C3842F015CCCBBE6564D9DFD3EA3
sha256sum Superstar_MemberCard.tiff.exe

When was the binary file originally created, according to its metadata (UTC)?
Flag 2: 2024-03-13 10:38:06
exiftool -all Superstar_MemberCard.tiff.exe
checked Time Stamp -> 2024:03:13 05:38:06-05:00, converted to UTC

Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?
Flag 3: 38400
Still looking in the results of the previous command: CodeSize is the byte size.

It appears that the binary may have undergone a file conversion process. Could you determine its original filename?
Flag 4: newILY.ps1
used xxd Superstar_Membercard.tiff.exe

00008d20: 0063 0074 003a 0022 003c 0066 0069 006c  .c.t.:.".<.f.i.l
00008d30: 0065 006e 0061 006d 0065 003e 0022 0001  .e.n.a.m.e.>."..
00008d40: 092d 0065 006e 0064 0001 0d2d 0064 0065  .-.e.n.d...-.d.e
00008d50: 0062 0075 0067 0001 156e 0065 0077 0049  .b.u.g...n.e.w.I
00008d60: 004c 0059 002e 0070 0073 0031 0000 2f5e  .L.Y...p.s.1../^

Specify the hexadecimal offset where the obfuscated code of the identified original file begins in the binary.
Flag 5: 2c74
With strings Superstar_Membercard.tiff.exe you can find the obfuscated code:
z}U*2{U{B*6{U}B*2{U{C*6{U}C*2{U{D*6{U}D*2{U{E*6{U}E*2{U{F*6{U}F*2{U{G*6{U}G*2{U{H*6{U}H*2{U{I*6{U}I*2{U{J*6{U}J*2{U{K*6{U}K*{V*"}V*{W*"}W*(
which matches the patterns of the code run at 0x2c70
00002c60: 0a73 1c01 000a 7a1e 0228 1100 000a 2a00  .s....z..(....*.
00002c70: 361e 0000 2473 4372 7420 3d20 223d 3d67  6...$sCrt = "==g
00002c80: 434e 5532 5979 396d 5274 4153 5a7a 4a58  CNU2Yy9mRtASZzJX
00002c90: 646a 566d 5574 4169 6370 5245 646c 646d  djVmUtAicpREdldm

The threat actor concealed the plaintext script within the binary. Can you provide the encoding method used for this obfuscation?
Flag 6: Base64
Using cat or strings on the executable again we can see the Base64-encoded strings. I will not paste them because of length; you will see it.

What is the specific cmdlet utilized that was used to initiate file downloads?
Flag 7: Invoke-WebRequest - Got this from you; I was only finding Invoke-Expression.

Should finish this today, I'll update.
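An added triage script (not from the thread, HTB or the write-up author) that reproduces the manual steps of post #3 on a constructed byte sample: hashing the file, pulling printable UTF-16LE strings to recover the original .ps1 name, and locating the `$var = "..."` Base64 assignment with its hex offset. The sample bytes, the variable-assignment pattern and the reversed-decode attempt are assumptions; the thread only states that the encoding is Base64.

```python
import base64
import hashlib
import re

# Constructed sample mimicking the layout in the thread's xxd output; it is NOT the real binary.
_PLAINTEXT = 'Write-Output "constructed sample."'
_BLOB = base64.b64encode(_PLAINTEXT.encode()).decode()[::-1]  # stored reversed (assumption)
SAMPLE = (
    b"MZ" + b"\x00" * 30                                     # filler, offsets 0x00..0x1f
    + b'$sCrt = "' + _BLOB.encode() + b'"'                   # assignment starts at 0x20
    + b"\x00" * 8
    + b"\x09" + "-end".encode("utf-16-le") + b"\x01"         # length-prefixed UTF-16LE strings
    + b"\x15" + "newILY.ps1".encode("utf-16-le") + b"\x00"   # original script name
)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
B64_ASSIGN = re.compile(rb'\$(\w+)\s*=\s*"([A-Za-z0-9+/=]{16,})"')

def sha256_hex(data: bytes) -> str:
    """Same digest sha256sum prints, upper-cased like the flag format."""
    return hashlib.sha256(data).hexdigest().upper()

def utf16_strings(data: bytes):
    """Yield (offset, text) for printable UTF-16LE runs, the '.c.t.:' style rows in xxd."""
    for m in UTF16_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")

def original_script_names(data: bytes) -> list:
    """Candidate original filenames: UTF-16LE strings ending in .ps1."""
    return [s for _, s in utf16_strings(data) if s.lower().endswith(".ps1")]

def try_base64(blob: str):
    """Decode as-is, then reversed; return the first printable text, else None.
    Valid Base64 never starts with '=', so a leading '==' like the thread's
    fragment suggests the string was stored reversed (an inference, not a fact from the thread)."""
    for candidate in (blob, blob[::-1]):
        try:
            text = base64.b64decode(candidate, validate=True).decode("ascii")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None

def find_encoded_script(data: bytes):
    """(hex offset, variable name, decoded text or None) for the first Base64 assignment found."""
    m = B64_ASSIGN.search(data)
    if m is None:
        return None
    return hex(m.start()), m.group(1).decode(), try_base64(m.group(2).decode())
```

On the real file the hex offset returned corresponds to what the thread reads off the xxd row at 0x2c70, where the `$sCrt` assignment starts four bytes in.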
#4
Flag 8: 35.169.66.138,44.206.187.144

Flag 9: C:\Users\Public\Public Files
#5
Thank you for the flags and details
(Jul 30, 2024, 11:17 PM)Boo Wrote: To accurately reference and identify the suspicious binary, please provide its SHA256 hash.
#6
https://thamizhiniyancs.gitbook.io/write...-continuum
#7
thanks for the share!
#8
(Aug 05, 2024, 11:52 AM)opopossum Wrote: Flag 8: 35.169.66.138,44.206.187.144

Flag 9: C:\Users\Public\Public Files
Leftover questions:

Q10. T1119
Q11. M8&C!i6KkmGL1-#