suspicious hackfest
Desc: suspicious 👀 ? Link Challange: https://mega.nz/file/f4N0wAIZ#jwp9SVFYQlxPnsJFiu47MY9SPkAPpi8NQ3fbcbUgVc0 password: palaKAU5889OzxY_AA author: wisnuaz
0 solves.
It is a memory dump, so as always start with filescan and pstree. Since the flag format is hackfest{hashapp_created date_pid}, we can assume the flag refers to a running process, and pstree shows the active process tree (like Task Manager). These are the results:
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x8a603830:System 4 0 65 1003 1970-01-01 00:00:00 UTC+0000
. 0x8a4a23a0:smss.exe 876 4 2 26 2012-04-06 19:01:45 UTC+0000
.. 0x8a161910:csrss.exe 3884 876 0 ------ 2012-04-06 19:05:25 UTC+0000
.. 0x89946cf8:csrss.exe 976 876 12 536 2012-04-06 19:01:48 UTC+0000
.. 0x8a3b09e8:csrss.exe 1892 876 9 78 2012-04-06 19:06:41 UTC+0000
.. 0x8a161da0:winlogon.exe 1000 876 20 557 2012-04-06 19:01:49 UTC+0000
... 0x8a15f890:services.exe 1044 1000 16 303 2012-04-06 19:01:49 UTC+0000
.... 0x8a11f7e0:alg.exe 2184 1044 6 105 2012-04-06 19:02:11 UTC+0000
.... 0x8a4df380:svchost.exe 1936 1044 4 108 2012-04-06 19:01:58 UTC+0000
.... 0x8a140b98:FrameworkServic 644 1044 29 486 2012-04-06 19:01:59 UTC+0000
..... 0x8a057da0:UdaterUI.exe 2920 644 5 110 2012-04-06 19:07:04 UTC+0000
...... 0x8a11a020:McTray.exe 3092 2920 22 274 2012-04-06 19:07:11 UTC+0000
.... 0x8a076a08:VMwareService.e 1680 1044 3 170 2012-04-06 19:02:05 UTC+0000
.... 0x8a0d4ba0:svchost.exe 1308 1044 9 275 2012-04-06 19:01:51 UTC+0000
.... 0x898acab8:f-response-ent. 3756 1044 6 59 2012-04-06 20:07:32 UTC+0000
.... 0x8a4bba08:vmacthlp.exe 1220 1044 1 25 2012-04-06 19:01:50 UTC+0000
.... 0x8a06f718:mfefire.exe 296 1044 5 169 2012-04-06 19:02:08 UTC+0000
.... 0x898eb6a8:VMUpgradeHelper 428 1044 3 95 2012-04-06 19:02:08 UTC+0000
.... 0x8994a380:spoolsv.exe 1844 1044 10 127 2012-04-06 19:01:52 UTC+0000
.... 0x898ee538:mcshield.exe 1988 1044 25 287 2012-04-06 19:02:06 UTC+0000
.... 0x8a35da10:svchost.exe 1472 1044 63 1323 2012-04-06 19:01:51 UTC+0000
.... 0x8a3f9570:jqs.exe 416 1044 5 116 2012-04-06 19:01:59 UTC+0000
.... 0x8a0a8da0:svchost.exe 1732 1044 13 170 2012-04-06 19:01:52 UTC+0000
.... 0x8a478558:McSACore.exe 456 1044 9 199 2012-04-06 19:01:59 UTC+0000
.... 0x8a35c3f0:svchost.exe 1236 1044 22 247 2012-04-06 19:01:50 UTC+0000
..... 0x8a292570:naPrdMgr.exe 1424 1236 8 255 2012-04-06 19:02:05 UTC+0000
.... 0x89933998:FireSvc.exe 2012 1044 18 268 2012-04-06 19:01:58 UTC+0000
..... 0x8a14cda0:FireTray.exe 704 2012 0 ------ 2012-04-06 19:01:59 UTC+0000
.... 0x8a367c08:svchost.exe 1636 1044 4 76 2012-04-06 19:01:51 UTC+0000
.... 0x8a3e16b0:mfevtps.exe 1260 1044 5 139 2012-04-06 19:02:03 UTC+0000
.... 0x8a223da0:VsTskMgr.exe 764 1044 17 142 2012-04-06 19:01:59 UTC+0000
..... 0x8a174638:mfeann.exe 1268 764 11 161 2012-04-06 19:02:03 UTC+0000
... 0x8a1ef978:lsass.exe 1056 1000 22 427 2012-04-06 19:01:49 UTC+0000
... 0x897909e0:rdpclip.exe 2284 1000 4 89 2012-04-06 19:06:44 UTC+0000
.. 0x8a125600:winlogon.exe 788 876 9 148 2012-04-06 19:06:41 UTC+0000
... 0x897ea1b8:logon.scr 3364 788 1 16 2012-04-06 19:16:27 UTC+0000
0x897ae020:explorer.exe 1900 2436 11 320 2012-04-06 19:06:47 UTC+0000
. 0x898da948:VMwareUser.exe 2992 1900 3 51 2012-04-06 19:07:07 UTC+0000
. 0x8a4dd898:VMwareTray.exe 2924 1900 1 27 2012-04-06 19:07:05 UTC+0000
. 0x8a0135f0:svchost.exe 3296 1900 4 268 2012-04-06 19:07:16 UTC+0000
. 0x8a23f918:jusched.exe 3268 1900 4 256 2012-04-06 19:07:16 UTC+0000
command : volatility2 -f file.raw --profile=WinXPSP2x86 procdump -D output_dump_files -p 3296
to dump the suspicious svchost process
We can see that the PPID of this svchost.exe belongs to explorer.exe, which is very suspicious: every svchost.exe should be a child of services.exe. We dump the svchost running as PID 3296 and upload it to VirusTotal to get its hash and creation date.
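The parent-process check above can be automated over the pstree listing. The script below is an added example and not part of the original writeup: it parses Volatility 2 pstree output with a regex and flags every svchost.exe whose parent is not services.exe (the parent expectations are for Windows XP, matching the WinXPSP2x86 profile used here; on Vista and later, services.exe and lsass.exe are children of wininit.exe instead). The embedded listing is a constructed excerpt of the pstree output shown on the page.

```python
"""Parent-process sanity check over Volatility 2 pstree output.

Added example (not the writeup's own code): parse a pstree listing and
flag well-known system processes whose parent is not the one expected
on Windows XP. The sample listing is an excerpt constructed from the
pstree output shown in the writeup.
"""
import re

# Constructed excerpt of the page's pstree output (column widths as Volatility prints them).
PSTREE_SAMPLE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x8a603830:System                                      4      0     65   1003 1970-01-01 00:00:00 UTC+0000
. 0x8a4a23a0:smss.exe                                 876      4      2     26 2012-04-06 19:01:45 UTC+0000
.. 0x8a161da0:winlogon.exe                           1000    876     20    557 2012-04-06 19:01:49 UTC+0000
... 0x8a15f890:services.exe                          1044   1000     16    303 2012-04-06 19:01:49 UTC+0000
.... 0x8a4df380:svchost.exe                          1936   1044      4    108 2012-04-06 19:01:58 UTC+0000
.... 0x8a0d4ba0:svchost.exe                          1308   1044      9    275 2012-04-06 19:01:51 UTC+0000
 0x897ae020:explorer.exe                             1900   2436     11    320 2012-04-06 19:06:47 UTC+0000
. 0x8a0135f0:svchost.exe                             3296   1900      4    268 2012-04-06 19:07:16 UTC+0000
. 0x8a23f918:jusched.exe                             3268   1900      4    256 2012-04-06 19:07:16 UTC+0000
"""

# One pstree row: optional depth dots, EPROCESS offset:name, Pid, PPid, Thds, Hnds (may be "------"), Time.
LINE_RE = re.compile(
    r"^\.*\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\S+)\s+(?P<time>.+?)\s*$"
)

# Expected parents on Windows XP (assumption: XP-era process lineage; differs on Vista+).
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"winlogon.exe"},
    "lsass.exe": {"winlogon.exe"},
}


def parse_pstree(text):
    """Return {pid: {"name", "ppid", "time"}} for every process row in the listing."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        procs[int(m.group("pid"))] = {
            "name": m.group("name"),
            "ppid": int(m.group("ppid")),
            "time": m.group("time"),
        }
    return procs


def find_parent_anomalies(procs, expected=EXPECTED_PARENT):
    """List (pid, name, ppid, parent_name) for processes whose parent is not the expected one."""
    findings = []
    for pid, proc in sorted(procs.items()):
        allowed = expected.get(proc["name"].lower())
        if allowed is None:
            continue  # no expectation recorded for this image name
        parent = procs.get(proc["ppid"])
        # A parent missing from the listing is itself worth a look (exited or hidden parent).
        parent_name = parent["name"].lower() if parent else "<not in listing>"
        if parent_name not in allowed:
            findings.append((pid, proc["name"], proc["ppid"], parent_name))
    return findings


if __name__ == "__main__":
    for pid, name, ppid, parent_name in find_parent_anomalies(parse_pstree(PSTREE_SAMPLE)):
        print(f"suspicious: {name} pid={pid} parent={parent_name} (ppid={ppid})")
```

Run against the full pstree output, the only hit is the svchost.exe with PID 3296 under explorer.exe, which is exactly the process the writeup goes on to dump with procdump.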
flag : hackfest{f557690151588a2cc4219d697e1a626c6cb1948ccf41a2b27504d8cb653ba613_2011-11-19 03:01:45 UTC_3296}