2024 Business CTF - Vault of Hope: Caving

Challenge Information

Attribute  | Details
Event      | 2024 Business CTF - Vault of Hope
Category   | Forensics
Challenge  | Caving
Difficulty | Medium

Summary

The Caving challenge involves Windows forensics analysis of PowerShell execution logs and Windows Event Viewer data. Participants must analyze obfuscated PowerShell scripts, Windows security logs, and system artifacts to identify intrusion indicators and extract the flag from hidden malicious code. The challenge demonstrates how sophisticated PowerShell-based attacks can be detected through careful log analysis.


Analysis

Key Artifacts Provided:

  1. PowerShell Operational Logs: Event ID 4104 containing script block execution details
  2. Process Execution Events: Tracking PowerShell.exe and other process execution
  3. Logon Events: User authentication records
  4. Object Access Events: File and resource access patterns
  5. CSV Files: Processed event data with SIDs, timestamps, and event details

Malicious PowerShell Script Analysis:

The obfuscated PowerShell script from Event ID 4104 contains:

$Radiation='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0'
$Fallout='User-Agent'
$Nuke='Cookie'
$Contamination='http://heist.htb/Exposure/plan.jpg'
$Meltdown='>'
$Reactor='iex'
$Evacuation='Databasesprogs'

The script attempts to:

  1. Create a file at C:\Outyelps.txt with value “Databasesprogs”
  2. Download a file from http://heist.htb/Exposure/plan.jpg
  3. Execute the downloaded content with custom headers
  4. Base64 decode the retrieved data
  5. Execute a substring of the decoded data starting at offset 337248 with length 30277

The suspicious Cookie header contains Base64-encoded data:

f=SFRCezFudHJ1UzEwbl9kM3QzY3QzZF8hISF9

Solution

Step 1: Run APT-Hunter for Comprehensive Analysis

Use the APT-Hunter tool to analyze logs and identify threats:

./APT-Hunter.exe -p Logs -o Caving -allreport

This generates a full report of all events with threat assessment.

Step 2: Hunt for Suspicious Patterns

Search for IP addresses and potential flags:

./APT-Hunter.exe --path Logs --out caving_patterns -allreport -logon \
--hunt "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" \
--hunt "HTB\{.*\}"

Step 3: Search for Base64 Encoded Strings

Identify encoded malicious payloads:

./APT-Hunter.exe --path Logs --out caving_patterns -allreport -logon \
--hunt "\b(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\b"

Step 4: Locate PowerShell Execution

Look for Event ID 4104 (PowerShell Script Block Logging) in the analysis results. The malicious script block contains the obfuscated attack code.

Step 5: Decode the Base64 Data

The Cookie header contains Base64-encoded text:

SFRCezFudHJ1UzEwbl9kM3QzY3QzZF8hISF9

Decode it:

echo "SFRCezFudHJ1UzEwbl9kM3QzY3QzZF8hISF9" | base64 -d

Result:

HTB{1ntruS10n_d3t3ct3d_!!!}
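As an added example (not part of the original writeup), the Python below applies the Step 3 hunt regex to a constructed Event ID 4104 script block and then performs the Step 5 decode automatically, filtering out the regex's many false positives (short words, hex hashes) by length, strict decoding and printability. The $Headers and $Marker lines in the sample are assumptions; the other lines and the Cookie value are the ones quoted above.

```python
import base64
import re
import string

# Constructed sample of an Event ID 4104 script block. The variable
# assignments and Cookie value are those quoted in the writeup; the
# $Headers line and the $Marker noise value are assumptions added here.
SCRIPT_BLOCK = r"""
$Radiation='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0'
$Fallout='User-Agent'
$Nuke='Cookie'
$Contamination='http://heist.htb/Exposure/plan.jpg'
$Reactor='iex'
$Evacuation='Databasesprogs'
$Headers=@{$Fallout=$Radiation;$Nuke='f=SFRCezFudHJ1UzEwbl9kM3QzY3QzZF8hISF9'}
$Marker='0123456789abcdef0123456789abcdef'
"""

# The hunt pattern from Step 3. On its own it also matches ordinary
# words and hex values, so each token is filtered before it is reported.
B64_RE = re.compile(r"\b(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\b")
FLAG_RE = re.compile(r"HTB\{.*?\}")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_candidates(text, min_len=16):
    """Return (token, decoded) pairs for Base64-looking tokens in a script
    block that are long enough, decode strictly, and yield printable ASCII."""
    hits = []
    for match in B64_RE.finditer(text):
        token = match.group(0)
        if len(token) < min_len or len(token) % 4:
            continue  # too short to be a payload, or not whole Base64 blocks
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or decodes to binary (e.g. a hex hash)
        if all(ch in PRINTABLE for ch in decoded):
            hits.append((token, decoded))
    return hits


def find_flags(text):
    """Decode every candidate and return any HTB{...} strings found inside."""
    return [flag for _, decoded in decode_candidates(text)
            for flag in FLAG_RE.findall(decoded)]


if __name__ == "__main__":
    for token, decoded in decode_candidates(SCRIPT_BLOCK):
        print(f"{token} -> {decoded}")
    print("flags:", find_flags(SCRIPT_BLOCK))
```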

Flag

HTB{1ntruS10n_d3t3ct3d_!!!}

Key Takeaways

  • Windows PowerShell logs (Event ID 4104) capture script block content, including obfuscated malware
  • Obfuscation techniques use variable names with thematic naming (“Radiation”, “Contamination”, etc.)
  • Base64 encoding is commonly used to hide payloads in HTTP headers and script data
  • APT-Hunter tool efficiently aggregates and categorizes security events
  • File download attempts to heist.htb indicate command-and-control communication
  • Suspicious file creation patterns (C:\Outyelps.txt) are forensic indicators
  • Multi-stage payloads (downloaded scripts with offset extraction) require careful analysis
  • Regular expression hunting for Base64 patterns reveals hidden encoded data
  • Windows Event Viewer provides comprehensive logging of attack chains when properly configured