
REMnux: Getting Started | TryHackMe writeup / walkthrough

Task 1 - Introduction


Q1. Proceed with the next tasks to learn more!

No Answer Needed

Task 2 - Machine Access


Q1. I'm excited to learn more about the tools inside the REMnux VM!

Click on Start Machine; it will start an instance in split-screen view.

No Answer Needed

Task 3 - File Analysis


Q1. What Python tool analyzes OLE2 files, commonly called Structured Storage or Compound File Binary Format?

We can use the oledump.py tool to analyze OLE2 files, commonly called Structured Storage or Compound File Binary Format.

Answer 👉 oledump.py


Q2. What tool parameter we used in this task allows you to select a particular data stream of the file we are using it with?

  • Use -h to print all the help information for oledump.py. Syntax: oledump.py -h
  • From the help output it is easy to find the parameter that selects a single data stream.

Answer 👉 -s


Q3. During our analysis, we were able to decode a PowerShell script. What command is commonly used for downloading files from the internet?

  • Run the oledump.py tool on the file agenttelsa.xlsm, which is in the /home/ubuntu/Desktop/tasks/agenttesla/ directory. Possible syntax: oledump.py agenttelsa.xlsm
  • The output looks similar to this:
[screenshot: oledump output listing the streams]
  • Stream number 4 (A4) carries an M indicator, which means the stream contains a VBA macro with code.
  • Dump the item in stream 4: oledump.py agenttelsa.xlsm -s 4
[screenshot: oledump hexdump of stream 4]
  • Near the end of the output above you can see some suspicious items.
  • Decompress the macro using the --vbadecompress option.
[screenshot: oledump decompressed VBA output]
  • You can see that suspicious data is being stored in a variable named sqtnew.
  • Use CyberChef to remove the unnecessary symbols.
  • Any tool will do for removing these symbols. If you use CyberChef, just add a Find/Replace recipe (do not forget to select "Simple string").
[screenshot: CyberChef Find/Replace recipe]
  • What remains is a PowerShell script that downloads a file, saves it, and starts a new process with it.

Answer 👉 Invoke-WebRequest


Q4. What file was being downloaded using the PowerShell script?

In the PowerShell script above you can see which file is being downloaded.

Answer 👉 Doc-3737122pdf.exe


Q5. During our analysis of the PowerShell script, we noted that a file would be downloaded. Where will the file being downloaded be stored?

The -OutFile parameter tells Invoke-WebRequest where to store the downloaded file.

Answer 👉 $TempFile
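To show what the --vbadecompress step and the follow-up inspection in Q3 to Q5 actually do, here is an added example (not part of the original writeup and not oledump's own code) that implements the MS-OVBA VBA decompression algorithm and then searches decoded text for the download/save/run chain described above. The sample container and the indicator patterns are constructed for this example.

```python
import re

def vba_decompress(data: bytes) -> bytes:
    """Decompress an MS-OVBA container (what oledump --vbadecompress does)."""
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA signature byte 0x01")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(data))
        pos += 2
        if not header & 0x8000:              # flag clear: raw 4096-byte chunk
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1  # one flag bit per following token
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:   # 0 = literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # 1 = copy token; its offset/length split widens as the chunk grows
                produced = len(out) - chunk_start
                offset_bits = max((produced - 1).bit_length(), 4)
                length = (token & (0xFFFF >> offset_bits)) + 3
                src = len(out) - ((token >> (16 - offset_bits)) + 1)
                for i in range(length):      # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)

# Constructed patterns for the download / save / run chain seen in this task.
INDICATORS = {"download": r"Invoke-WebRequest|DownloadFile|DownloadString",
              "save": r"-OutFile\s+\S+",
              "execute": r"Start-Process|Invoke-Expression|\bIEX\b"}

def download_indicators(script: str) -> dict:
    """Map each indicator class to the matches found in a decoded script."""
    return {k: re.findall(p, script, re.I) for k, p in INDICATORS.items()
            if re.search(p, script, re.I)}

# Constructed sample container (hand-encoded); the final "Sub" is a copy token.
SAMPLE_VBA = bytes.fromhex("01 1bb0 00 5375622041 75746f 00 5f4f70656e28290d"
                           "20 0a456e6420 00a0 0d0a")
```

Feed vba_decompress the raw bytes of a macro stream dumped with -s and pass the decoded text (after any junk-symbol cleanup) to download_indicators.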


Q6. Using the tool, scan another file named possible_malicious.docx located in the /home/ubuntu/Desktop/tasks/agenttesla/ directory. How many data streams were presented for this file?

  • Now run oledump.py on the second file, possible_malicious.docx, and count the streams it lists.
[screenshot: oledump output for possible_malicious.docx]

Answer 👉 16


Q7. Using the tool, scan another file named possible_malicious.docx located in the /home/ubuntu/Desktop/tasks/agenttesla/ directory. At what data stream number does the tool indicate a macro present?

The M indicator marks the stream that contains macro code. Look for it in the output.

[screenshot: oledump output showing the M indicator]

Answer 👉 8

Task 4 - Fake Network to Aid Analysis

  • For this task we have to set up an internet simulator (INetSim).
  • Start the AttackBox.
  • In the /etc/inetsim/inetsim.conf file, change the line #dns_default_ip 0.0.0.0 to dns_default_ip MACHINE_IP (replace MACHINE_IP with the actual IP address).
  • Run INetSim: sudo inetsim
[screenshot: INetSim running]
  • Now, on the REMnux machine, try to download a file through the simulator: sudo wget https://MACHINE_IP/second_payload.zip --no-check-certificate
[screenshot: simulated file downloaded]

Q1. Download and scan the file named flag.txt from the terminal using the command sudo wget https://10.10.252.164/flag.txt --no-check-certificate. What is the flag?

Read the downloaded file to get the flag.

[screenshot: contents of flag.txt]

Answer 👉 Tryhackme{remnux_edition}


Q2. After stopping the inetsim, read the generated report. Based on the report, what URL Method was used to get the file flag.txt?

Press Ctrl+C to stop the simulator. It writes a report and prints the report path in its output.

[screenshot: INetSim report location]

Read the report for additional information about the requests it served.

[screenshot: INetSim report]

Answer 👉 GET

Task 5 - Memory Investigation: Evidence Preprocessing

In this section we perform memory analysis with Volatility 3. Run vol3 -h to get help on using the tool.

Q1. What plugin lists processes in a tree based on their parent process ID?

Answer 👉 PsTree


Q2. What plugin is used to list all currently active processes in the machine?

Answer 👉 PsList


Q3. What Linux utility tool can extract the ASCII, 16-bit little-endian, and 16-bit big-endian strings?

Answer 👉 strings


Q4. By running vol3 with the Malfind parameter, what is the first (1st) process identified suspected of having an injected code?

Run Volatility 3 with the windows.malfind plugin to list memory regions that look like injected code, together with the processes that own them.

[screenshot: volatility windows.malfind output]

Answer 👉 csrss.exe


Q5. Continuing from the previous question (Question 6), what is the second (2nd) process identified suspected of having an injected code?

Scroll down a little in the same output to find the next one.

[screenshot: volatility windows.malfind output, second process]

Answer 👉 winlogon.exe


Q6. By running vol3 with the DllList parameter, what is the file path or directory of the binary @WanaDecryptor@.exe?

  • First use the dlllist plugin to list the DLLs loaded by each process.
  • Pipe the output to grep and search for the given binary name.
[screenshot: grepping the binary name from the dlllist output]

Answer 👉 C:\Intel\ivecuqmanpnirkt615

Task 6 - Conclusion


Q1. Fantastic room indeed!

No Answer Needed