2024 Hack The Boo: Ghostly Persistence

Challenge Information

Attribute  | Details
Event      | 2024 Hack The Boo
Category   | Forensics
Challenge  | Ghostly Persistence

Summary

A suspicious intrusion was detected on a Windows workstation on a quiet Halloween night. The challenge required analysis of the workstation's Windows event logs (.evtx files) to find evidence of malicious PowerShell script execution and to reconstruct a two-part flag hidden in the logs. The two flag components were split across different log entries, and Base64 decoding was required to reveal them.


Analysis

Initial Reconnaissance

The challenge provided a directory of Windows Event Viewer log files (.evtx format). Initial analysis focused on identifying larger log files, as they were more likely to contain significant activity.

Key Findings:

  1. A PowerShell script was executed that created a text file named Gh0st.txt in the Windows Temp directory
  2. The suspicious command was Base64 encoded within the event logs
  3. Two parts of the flag were distributed across different log entries

Evidence Discovery

Finding 1: PowerShell Script Execution

A Base64-encoded string was found in the PowerShell script block logs:

JHRlbXBQYXRoID0gIiRlbnY6d2luZGlyXHRlbXBcR2gwc3QudHh0IgoiSFRCe0doMHN0X0wwYzR0MTBuIiB8IE91dC1GaWxlIC1GaWxlUGF0aCAkdGVtcFBhdGggLUVuY29kaW5nIHV0Zjg=

When decoded as plain Base64 it revealed the following two-line script (the decoded bytes are UTF-8 text, so this was a Base64 blob embedded in a script block rather than a powershell -EncodedCommand payload, which would decode to UTF-16LE and show a NUL byte between every character):

$tempPath = "$env:windir\temp\Gh0st.txt"
"HTB{Gh0st_L0c4t10n" | Out-File -FilePath $tempPath -Encoding utf8

This contained the first part of the flag: HTB{Gh0st_L0c4t10n

Finding 2: Flag Reconstruction

Further analysis of the EvtxECmd output revealed additional log entries containing the second part of the flag, _W4s_R3v34l3d}, which completed it to: HTB{Gh0st_L0c4t10n_W4s_R3v34l3d}


Solution

Step 1: Parse Event Logs

Used EvtxECmd to convert the .evtx files to CSV for easier searching and filtering. Note that --csv takes the output directory (there is no -o option; --csvf names the file if you want something other than the default):

EvtxECmd.exe -d "Logs" --csv "Output"

This generated CSV files containing structured event data (one row per event, with the event ID, channel, timestamp and payload as columns) that could be sorted and searched.

Step 2: Identify Suspicious Activity

Sorted the .evtx files by size and examined the larger ones first, looking for PowerShell execution events. Script block logging in the Microsoft-Windows-PowerShell/Operational channel (Event ID 4104) records the text of every script block that runs, so that channel is the first place to look. A JSON export is convenient for filtering on those fields:

EvtxECmd.exe -d "./Logs" --json "./Output/out"

Step 3: Decode Base64 Strings

Identified Base64-encoded strings in the event log payloads and decoded them with CyberChef (From Base64) or command-line tools such as base64 -d. If a blob comes from a powershell -EncodedCommand command line rather than from a script block, decode the result as UTF-16LE; plain Base64 decoding alone will show a NUL byte between every character.

Base64 Decoded Output:

$tempPath = "$env:windir\temp\Gh0st.txt"
"HTB{Gh0st_L0c4t10n" | Out-File -FilePath $tempPath -Encoding utf8

Step 4: Correlate Evidence

Reconstructed the complete flag by correlating the parts found across multiple log entries: the first part came from the decoded script block above and the second from another PowerShell-related event, so examining every PowerShell-related event and joining the open HTB{ fragment with the closing } fragment produced the full flag.
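To make Steps 1 to 4 concrete, here is an added Python example (my own code, not part of the original writeup and not EvtxECmd's) that runs the same workflow over a constructed EvtxECmd-style CSV excerpt: keep only the PowerShell-relevant event IDs (4104 script block logging, 4688 process creation), pull every Base64 run out of the payloads, decode each one (falling back to UTF-16LE for powershell -enc payloads), then join the open HTB{ head with the next closing } tail. The CSV column names, the 4688 row with its -enc command line, and the Get-ChildItem row are assumptions made up for the example; the first row embeds the real Base64 blob from the writeup.

```python
import base64
import csv
import io
import re

# Constructed sample data, not the challenge's real export. The column names are an
# assumption about EvtxECmd's CSV layout. Row 101 reuses the Base64 blob from the writeup;
# rows 102 and 103 are invented (102 shows a `powershell -enc` payload, which is UTF-16LE
# under the Base64, unlike the UTF-8 blob in row 101).
SECOND_PART_CMD = "Add-Content -Path $env:windir\\temp\\Gh0st.txt -Value '_W4s_R3v34l3d}'"
SECOND_PART_B64 = base64.b64encode(SECOND_PART_CMD.encode("utf-16-le")).decode("ascii")
FIRST_PART_B64 = (
    "JHRlbXBQYXRoID0gIiRlbnY6d2luZGlyXHRlbXBcR2gwc3QudHh0IgoiSFRCe0doMHN0X0wwYzR0MTBu"
    "IiB8IE91dC1GaWxlIC1GaWxlUGF0aCAkdGVtcFBhdGggLUVuY29kaW5nIHV0Zjg="
)
SAMPLE_CSV = (
    "EventRecordId,TimeCreated,EventId,Channel,Payload\n"
    "101,2024-10-31 21:00:01,4104,Microsoft-Windows-PowerShell/Operational,"
    "\"Creating Scriptblock text (1 of 1): iex ([Text.Encoding]::UTF8.GetString("
    f"[Convert]::FromBase64String('{FIRST_PART_B64}')))\"\n"
    "102,2024-10-31 21:00:02,4688,Security,"
    "\"A new process has been created. Process Command Line: "
    f"powershell.exe -NoP -W Hidden -enc {SECOND_PART_B64}\"\n"
    "103,2024-10-31 21:00:03,4104,Microsoft-Windows-PowerShell/Operational,"
    "\"Creating Scriptblock text (1 of 1): Get-ChildItem $env:windir\\temp\"\n"
)

# 4104 = PowerShell script block logging; 4688 = process creation (the command line is
# only present if "Include command line in process creation events" is enabled).
INTERESTING_EVENT_IDS = {"4104", "4688"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
FLAG_HEAD = re.compile(r"HTB\{[A-Za-z0-9_]*\}?")
FLAG_TAIL = re.compile(r"(?<![A-Za-z0-9_{])[A-Za-z0-9_]+\}")


def load_events(csv_text):
    """Parse an EvtxECmd-style CSV export into dicts, oldest event first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return sorted(rows, key=lambda r: r["TimeCreated"])


def decode_b64(candidate):
    """Decode a Base64 run, tolerating stripped padding; use UTF-16LE for -enc payloads."""
    data = candidate.rstrip("=")
    data += "=" * (-len(data) % 4)
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:
        return None
    odd_bytes = raw[1::2]
    # ASCII text encoded as UTF-16LE has a NUL in every odd byte position.
    if odd_bytes and odd_bytes.count(0) * 2 > len(odd_bytes):
        return raw.decode("utf-16-le", errors="replace")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def decoded_texts(event):
    """Yield the raw payload plus every decodable Base64 run found inside it."""
    payload = event["Payload"]
    yield payload
    for run in B64_RUN.findall(payload):
        text = decode_b64(run)
        if text:
            yield text


def find_flag_fragments(events):
    """Return (EventRecordId, fragment) pairs from PowerShell-related events, in time order."""
    fragments = []
    for ev in events:
        if ev["EventId"] not in INTERESTING_EVENT_IDS:
            continue
        for text in decoded_texts(ev):
            for m in FLAG_HEAD.finditer(text):
                fragments.append((ev["EventRecordId"], m.group()))
            for m in FLAG_TAIL.finditer(text):
                fragments.append((ev["EventRecordId"], m.group()))
    return fragments


def reconstruct_flag(fragments):
    """Join an open 'HTB{...' head with the next '...}' tail; a complete flag is returned as-is."""
    head = None
    for _, frag in fragments:
        if frag.startswith("HTB{"):
            if frag.endswith("}"):
                return frag
            head = frag
        elif head is not None and frag.endswith("}"):
            return head + frag
    return None


if __name__ == "__main__":
    evts = load_events(SAMPLE_CSV)
    frags = find_flag_fragments(evts)
    for rec, frag in frags:
        print(f"record {rec}: {frag}")
    print("flag:", reconstruct_flag(frags))
```

The UTF-16LE check is the part most often missed when decoding by hand: a powershell -enc payload decodes cleanly as Base64 but the text is only readable once the bytes are treated as UTF-16LE. The fragment regexes are deliberately narrow (flag alphabet only), so a complete HTB{...} in one event is returned directly and a closing fragment is only accepted after an open head has been seen.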


Key Takeaways

  • Log Analysis: Windows event logs (.evtx files) contain detailed records of system activity and are critical for forensic investigations
  • EvtxECmd Tool: Specialized tools like EvtxECmd are essential for parsing binary event log files into searchable formats
  • Encoding Detection: Malware often encodes commands using Base64 or other obfuscation techniques; identifying and decoding these is crucial, and the right text encoding (UTF-8 for embedded blobs, UTF-16LE for -EncodedCommand payloads) matters as much as the Base64 layer
  • Multi-part Evidence: Flags and artifacts can be split across multiple log sources; thorough correlation is necessary
  • PowerShell Forensics: PowerShell execution events in Windows logs often reveal malicious activity and command history

Tools Used

  • EvtxECmd: Windows event log parser for extracting and converting event data
  • CyberChef: Decoding Base64 strings found in event logs
  • CSV Analysis Tools: For sorting and filtering parsed event data
