Transformers #1
In this challenge, we are given an .iso
file. We need to find the file extension of the malicious program and its sha256
. To be able to read it easily, I’ve put this .iso
in a windows VM. Now you just have to right click on it and mount it. Once this is done, you should see the following window that pops up:
For me the malicious program was the .bat
file present in the dev
folder that will download the virus on the machine but for the organizers the malicious file was the Document
link that executes the .bat
file:
To get the SHA-256
we can either mount the file on Linux or copy it to our host to get the sha256sum
or we can use the Get-FileHash
Powershell command:
And so the flag is : HERO{lnk;c3bb38b34c7dfbb1e9e9d588d77f32505184c79cd3628a70ee6df6061e128f3e}
Transformer #2
For this chall, we need to get more information about the malicious file. We can drop the previously found SHA-256
on VirusTotal
and get a bunch of information. If we go to the Community
section, we get the name of the dropper:
Now to know what is the domain requested, we have two option. Either we understand what the .bat
files does or we use VirusTotal
.
Finding the domain by hand
If we echo the command instead of executing it, we could understand what they are doing:
Now, if we run this, we get the command executed printed out:
Finally we can base64
decode the last string:
And voilà… We have the domain meeronixt.com
.
Finding the domain with VirusTotal
Using VirusTotal
, we can use a cool functionality available in the Relation
section, the Graph Summary
:
Note that here we are working with the hash of the
.bat
file. Not the.lnk
one.
When we click on the graph, we are redirected to another interface and we can manipulate it easily :
And here, we see clearly that it contacts a domain, and if we click on it:
And so, the flag is: HERO{BUMBLEBEE;meeronixt.com}