Day 21 (Task 26) Time for some ELForensics – Advent of Cyber 2 TryHackMe

Today we will be doing some ELForensics.  It looks like someone replaced the database connector and the naughty list is gone!

Now let's log into the machine.  Enter remmina into your terminal to open the remote desktop client, type in the machine's IP address, hit enter, and accept the certificate when prompted.  Remember to fix the resolution as well, as shown in the picture below.

Connect to the machine over remote desktop with the username littlehelper and the password iLove5now!

We can use PowerShell to get the hash of a file with Get-FileHash -Algorithm MD5 file.txt.  Get-FileHash defaults to SHA256; we ask for MD5 here only because the reference hash we are given to compare against is an MD5.

We can use the Sysinternals tool strings64.exe to pull the printable strings out of a file.  These often hint at what a binary does, what it connects to, and whether it contains anything it shouldn't.  For this exercise we will use C:\Tools\strings64.exe -accepteula file.txt (the -accepteula switch just suppresses the licence prompt).

If we want to view Alternate Data Streams (ADS) using PowerShell we can use Get-Item -Path file.txt -Stream *.  Every NTFS file has a default unnamed data stream, which shows up as :$DATA; any other stream name listed is an alternate stream, and that is where hidden data lives.

To execute the contents of an alternate data stream we can use wmic, running wmic process call create $(Resolve-Path file.txt:streamname).  Resolve-Path expands the relative file:stream path into the full path that wmic needs.

First we need the recorded hash of the database executable, which is stored in a text file in the Documents folder.

cd .\Documents

Get-ChildItem

Get-Content "db file hash.txt"

Since there are spaces in the file name we need to wrap it in double quotes.

Now we need to compute the hash of the deebee executable and compare it with the recorded one.  A mismatch tells us the file on disk is not the one that was originally deployed.

Get-FileHash -Algorithm MD5 deebee.exe

Now we need to run strings against the deebee.exe file.  We can pipe the output through Select-String to narrow down the flag, since we know the flag contains an opening brace ({).  Select-String treats its pattern as a regex by default; a lone { is matched literally, but add -SimpleMatch if you want to be explicit about that.

C:\Tools\strings64.exe -accepteula deebee.exe | Select-String "{"

Now, if we try to run the executable it fails because the database connector is wrong.  Let's get more information about the file, starting with its data streams.

Get-Item -Path deebee.exe -Stream *

The listing shows a stream named hidedb alongside the default :$DATA stream.  We can use wmic process call create to launch the program hidden in the hidedb stream.

wmic process call create $(Resolve-Path deebee.exe:hidedb)
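The following script ties the tool summary above and the task steps together in one pass: it checks deebee.exe against the hash recorded in the text file, sweeps the whole Documents folder for alternate streams rather than inspecting one file at a time, and triages the hidden stream in memory (size, hash, MZ header, brace-containing strings) before anything is executed.  It is an added example, not code from the original walkthrough or from the TryHackMe room, written for Windows PowerShell 5.1 on the lab machine.  The file names, the Documents location, the hidedb stream name and the assumption that the note holds the MD5 as a 32-hex-character token all come from the task; any other path is an assumption.

```powershell
# Added example (not from the original post): verify deebee.exe against the hash
# recorded in "db file hash.txt", then hunt for Alternate Data Streams (ADS) and
# triage the hidden stream without running it. Written for Windows PowerShell 5.1
# on the lab box. Assumptions: both files sit in the user's Documents folder and
# the note contains the MD5 as a 32-hex-character token.

$docs     = Join-Path $env:USERPROFILE 'Documents'
$suspect  = Join-Path $docs 'deebee.exe'
$hashNote = Join-Path $docs 'db file hash.txt'

# 1. Recorded hash: first 32-hex token in the note (quotes needed because of the spaces).
$recorded = (Get-Content -Path $hashNote -Raw) -split '\s+' |
    Where-Object { $_ -match '^[0-9A-Fa-f]{32}$' } |
    Select-Object -First 1

# 2. Hash the binary on disk. MD5 only because the reference is MD5; prefer SHA256
#    whenever you control the reference value yourself.
$actual = (Get-FileHash -Algorithm MD5 -Path $suspect).Hash
if ($recorded -and ($actual -ieq $recorded)) {
    Write-Host "[+] deebee.exe matches the recorded hash $actual"
} else {
    Write-Warning "Hash mismatch: recorded=$recorded actual=$actual (binary replaced or tampered)"
}

# 3. Every stream whose name is not the default :$DATA is an ADS. Sweep the
#    whole folder, not just the one file you were told about.
$ads = Get-ChildItem -Path $docs -File -Recurse | ForEach-Object {
    Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
}
$ads | Select-Object FileName, Stream, Length | Format-Table -AutoSize

# 4. Triage the hidden stream in memory: is it a PE, and what strings does it hold?
$streamName = 'hidedb'
$hit = $ads | Where-Object { $_.FileName -eq $suspect -and $_.Stream -eq $streamName }
if ($hit) {
    # .NET opens "file:stream" directly; ${} stops PowerShell reading $suspect: as a drive.
    $bytes = [System.IO.File]::ReadAllBytes("${suspect}:${streamName}")

    $md5 = [System.Security.Cryptography.MD5]::Create()
    $streamHash = ([System.BitConverter]::ToString($md5.ComputeHash($bytes))) -replace '-', ''
    Write-Host "[*] $streamName stream: $($bytes.Length) bytes, MD5 $streamHash"

    # A PE file starts with the two bytes 'MZ' (0x4D 0x5A).
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
        Write-Host "[*] Stream starts with MZ: a Windows executable is hidden behind deebee.exe"
    }

    # Poor man's strings64 | Select-String "{": printable ASCII runs of 4+ chars with a brace.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    [regex]::Matches($text, '[\x20-\x7E]{4,}') |
        ForEach-Object { $_.Value } |
        Where-Object { $_ -like '*{*' } |
        ForEach-Object { Write-Host "[flag candidate] $_" }

    # Only once you are satisfied it is the lab payload, run it the way the task does:
    #   wmic process call create $(Resolve-Path deebee.exe:hidedb)
}
```

Reading the stream with [System.IO.File]::ReadAllBytes keeps the triage entirely in memory: nothing is written to disk and nothing is executed, so the same script is safe to run against a file you do not yet trust.  Step 3 is the part worth keeping in your toolbox; an attacker who hides a payload in one file's ADS can just as easily hide another elsewhere in the same folder.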

That wraps up today's task!  Always be on the lookout for Alternate Data Streams: a file whose hash no longer matches is the first clue, and Get-Item -Stream * is the quickest way to see what is riding along with it.