Hack-The-Boo-2024 Practice CTF: The Shortcut Haunting Write-up

Investigating the hidden dangers of Windows shortcut files with in-depth analysis of the 'trick or treat.lnk' file. Discovering how attackers use .lnk files to launch malicious PowerShell commands, obfuscate payloads, and compromise systems. This challenge writeup includes a hex dump breakdown and decryption insights, ideal for cryptography enthusiasts.

Preston Zen

I’m Preston Zen, CEO of Kaizen Apps, crafting innovative software solutions with a focus on AI and modern development. On PrestonZen.com, I share personal insights, tech projects, and travel stories. My YouTube channel features tutorials and behind-the-scenes content. For a creative twist, explore my mead-making journey at MadMead Club. Join me in building, exploring, and innovating!

Hack-The-Boo-2024 Practice CTF: The Shortcut Haunting Write-up

🫣

Introduction

In this challenge, I investigated a suspicious Windows shortcut file named trick or treat.lnk.

An image to describe post

A .lnk file, also known as a Windows Shortcut file, is a file that points to another file, folder, or application on a Windows system.

An image to describe post

These files provide quick access to resources without needing to navigate to the original location. Shortcut files can be used by attackers to execute malicious commands or scripts under the guise of legitimate files. A hex dump analysis of the file reveals critical details about its functionality and intent.

Process

The first step in our analysis was to examine the file using hexdump -C. The output provided insight into the structure and contents of the shortcut file. Below are some key observations from the hex dump:

An image to describe post

File Path and Command Execution:
- The hex dump reveals references to the Windows PowerShell executable:
  |...........V.1..| |.........Windows| |PowerShell.T....|
- This suggests that the shortcut is likely designed to invoke PowerShell, potentially to execute a series of commands without user consent.
Command Breakdown:
- Further down in the dump, we find a command that appears to manipulate string data:
  
  |..powerShell.exe..N....|
- The command structure is indicative of malicious intent. It includes options that suggest the command may execute scripts or retrieve data:
  
  |.... -NoExit -Command "$fko = '...'
Strings and Payload:
- The dump contains a series of strings, including what appears to be an encoded payload:
  
  |..From.Base64String('$fk...')...|
- This suggests that the shortcut may be designed to execute a command that retrieves data encoded in Base64, which is a common technique used to obfuscate malicious payloads.
Execution Context:

There are indications that the command executed may change the working directory and involve further calls to external executables:

|..Invoke-Expression -Command $d|

This is a risky operation as it allows the execution of dynamically generated commands, which could lead to further system compromise or data exfiltration.

Then for more insights in a well formatted way I used the exiftool

I used the command -

exiftool trick_or_treat.lnk

An image to describe post

Hmm, interesting command line arguments. I dumped it in cyberchef to decode from ASCII Base64 back to its raw data.

An image to describe post

Conclusion

The trick or treat.lnk file serves as a prime example of how attackers can exploit Windows shortcut files to execute malicious commands. The hex dump analysis indicates that this file attempts to leverage PowerShell to run potentially harmful scripts, including the execution of commands derived from obfuscated strings.

HTB{tr1ck_0r_tr34t_g03s_wr0ng}

DEL

Hack-The-Boo-2024 Practice CTF: The Shortcut Haunting Write-up

Introduction

Process

Conclusion

Hack-The-Boo-2024 Practice CTF: Sugar Free Candies Write-up

Hack-The-Boo-2024 Practice: Sekur Julius Writeup

TryHackMe - Practical Example of OS Security Writeup

Hack The Box - Fawn

OffSec - BillyBoss

TryHackMe - Blue - Oct 29th 2023