Try Hack Me
  • Try Hack Me
  • Rooms
  • Tutorial
    • Welcome to TryHackMe
    • Welcome
    • Tutorial
    • Starting Out In Cyber Sec
    • Welcome
  • Capture The Flag
    • Advent of Cyber
      • Task 1 - 10
      • Task 11 - 20
      • Task 21 - 29
      • PDF - materials
    • Anonymous
    • Mnemonic
    • Bounty Hacker
    • Ignite
    • Pickle Rick
    • Simple CTF
    • Agent Sudo
    • Mr. Robot
  • Advent of Cyber II
    • A Christmas Crisis
    • The Elf Strikes Back!
    • Christmas Chaos
    • Santa's watching
    • Someone stole Santa's gift list!
    • Be careful with what you wish on a Christmas night
    • The Grinch Really Did Steal Christmas
    • What's Under the Christmas Tree?
    • Anyone can be Santa!
    • Don't be sElfish!
    • The Rogue Gnome
    • Ready, set, elf.
    • Coal for Christmas
    • Where's Rudolph?
    • There's a Python in my stocking!
    • Help! Where is Santa?
    • ReverseELFneering
    • The Bits of Christmas
    • The Naughty or Nice List
    • PowershELlF to the rescue
    • Time for some ELForensics
    • Elf McEager becomes CyberElf
    • The Grinch strikes again!
    • The Trial Before Christmas
    • Thank You
  • Linux
    • Linux Fundamentals Part 1
    • Linux Fundamentals Part 2
    • Linux Fundamentals Part 3
    • LinuxCTF - Linux Challenges
    • Learn Linux - wip
    • Find - wip
  • Windows
    • Intro to Windows
  • OSINT
    • Introductory Researching - wip
    • Google Dorking
    • OhSINT
    • Sublist3r
    • Searchlight - IMINT
    • Geolocating Images
  • Crypto
    • Hashing - Crypto 101
    • Encryption - Crypto 101
    • CrackTheHash - wip
  • Network
    • Introductory Networking
    • Nmap
    • Network Services - wip
    • Network Services 2 - wip
    • Networking - wip
    • Nmap - wip
    • TOR
  • Web
    • Web Fundamentals
  • Pentest
    • Pentest questionaire
  • Hardware
    • Dumping Router Firmware
  • HELP
  • Reverse
    • Reversing ELF
Powered by GitBook
On this page
  • Video
  • Resources
  • Challenge
  • Read the contents of the text file within the Documents folder. What is the file hash for db.exe?
  • What is the file hash of the mysterious executable within the Documents folder?
  • Using Strings find the hidden flag within the executable?
  • What is the flag that is displayed when you run the database connector file?

Was this helpful?

  1. Advent of Cyber II

Time for some ELForensics

Forensics

PreviousPowershELlF to the rescueNextElf McEager becomes CyberElf

Last updated 4 years ago

Was this helpful?

Video

Resources

With PowerShell, we can obtain the hash of a file by running the following command: Get-FileHash -Algorithm MD5 file.txt

Another tool you can use to inspect within a binary file (.exe) is Strings.exe

The command to run for the Strings tool to scan the mysterious executable: c:\Tools\strings64.exe -accepteula file.exe

The command to view ADS using Powershell: Get-Item -Path file.exe -Stream *

The command to run to launch the hidden executable hiding within ADS: wmic process call create $(Resolve-Path file.exe:streamname)

Challenge

Read the contents of the text file within the Documents folder. What is the file hash for db.exe?

PS C:\Users\littlehelper> cd .\Documents\
PS C:\Users\littlehelper\Documents> dir
PS C:\Users\littlehelper\Documents> cat '.\db file hash.txt'

596690FFC54AB6101932856E6A78E3A1

What is the file hash of the mysterious executable within the Documents folder?

PS C:\Users\littlehelper\Documents> Get-FileHash -Algorithm MD5 deebee.exe

5F037501FB542AD2D9B06EB12AED09F0

Using Strings find the hidden flag within the executable?

PS C:\Users\littlehelper\Documents> c:\Tools\strings64.exe -accepteula .\deebee.exe

THM{f6187e6cbeb1214139ef313e108cb6f9}

What is the flag that is displayed when you run the database connector file?

Get-Item -Path file.exe -Stream *
PS C:\Users\littlehelper\Documents> wmic process call create $(Resolve-Path .\deebee.exe:hidedb)

THM{088731ddc7b9fdeccaed982b07c297c}