Good Afternoon everyone,
With my A/C not fixed but working again today, let’s get after it. The tasks looks like it deals with the various Alternate Data Streams files can have. I’ve only dealt with this once I can think of and that was a HackTheBox machine. Should be a good refresher. Today’s intro:
“One of the ‘little helpers’ logged into his workstation only to realize that the database connector file has been replaced, and he can’t find the naughty list anymore. Furthermore, upon executing the database connector file, a taunting message was displayed, hinting that the file was moved to another location.
McEager has been notified, and he will put the pieces together to find the database connector file.”
Question 1: Read the contents of the text file within the Documents folder. What is the file hash for db.exe?
Should be easy enough. Just need to Get-Contents the file..
Question 2: What is the file hash of the mysterious executable within the Documents folder?
Once again, not too bad, simple command.
Get-FileHash -Algorithm MD5 .\deebee.exe
Question 3: Using Strings find the hidden flag within the executable?
Using strings was simple enough, was able to scan through the data quickly enough to find the flag and also a note saying our database connector file has been moved and we can’t query the naughty list anymore. We will save that part for question 4.
C:\Tools\strings64.exe -accepteula .\deebee.exe
Question 4: What is the flag that is displayed when you run the database connector file?
First we can locate the different streams with this
PS C:\Users\littlehelper\Documents> Get-Item -Path .\deebee.exe -Stream *
We now can guess the hidedb is the stream we are looking for. Now to access this stream with wmic.
PS C:\Users\littlehelper\Documents> wmic process call create $(Resolve-Path .\deebee.exe:hidedb)
Anyway, from here we are presented with a simple DB style selection window with the flag. As usual, I’ll leave that part up to you so I don’t ruin all of the fun.
As always, best of luck. If you enjoy my content, feel free to add me on LinkedIn and let me know you saw the blog.
Until next time,