Advent Of Cyber Day 23 (The Grinch Strikes back)

Thatquietkid
3 min readDec 23, 2020

So Let’s get straight to the point.

Open Remmina and do a few changes as shown in the task .

Now we see a ransomNote file on the Desktop .After opening it, we see this

The bitcoin address is encrypted in base64 (I know because of the last two == signs)

After decrypting it in cyberchef,

So, now we know the answer to Question 1.

Now , I went to the file explorer ,then the Documents and I see two folders there

  1. db
  2. Vstockings

I went to the Vstockings folder and found files (3) elf1,elf2,elf3 and inside these I found

So, here is the answer to the 2nd Question.

Now, going to the task scheduler , I see two tasks in the library

So, here Is the answer to 3rd Question(name of the suspicious scheduled task?) .

Now after clicking on opidsfsdf.exe , and seeing the triggers , i see “At log on”

and as our 4th Question was find the location of executable (.exe ) run at login.

Now , i clicked Actions and saw the location of the file.

So, we have answered 4 Questions now.

Now Let’s see the ShadowCop.. task

Now, we see It’s Id and we have answered the 5th Question as well.

Now Let’s find the hidden folder .

I opened the command prompt and typed “powershell” (as we all are using it from the last few tasks so )

Now, i went to the location of Documents and typed “Get-child-item -hidden”

Now , we see the hidden folder and that answers the 6th Question.

Now let’s cd into that folder and see if there is any hidden file and i saw a master-password.txt and let’s “cat”( command for displaying the content) the file.

And now we have answered the 7th(last) Question andcompleted Today’s task .

U can also do Q6,7 from file explorer but i prefer terminal .

Thankyou for watching my writeup and have a nice day.

--

--