  • BlueDolphin

Hack the Box - Forensics - Red Miners

CHALLENGE DESCRIPTION

In the race for Vitalium on Mars, the villainous Board of Arodor resorted to desperate measures, needing funds for their mining attempts. They devised a botnet specifically crafted to mine cryptocurrency covertly. We stumbled upon a sample of Arodor's miner's installer on our server. Recognizing the gravity of the situation, we launched a thorough investigation. With you as its leader, you need to unravel the inner workings of the installation mechanism. The discovery served as a turning point, revealing the extent of Arodor's desperation. However, the battle for Vitalium continued, urging us to remain vigilant and adapt our cyber defenses to counter future threats.


Solution Summary
  1. Script analysis

  2. Extract base64 strings

  3. Reconstruct flag


References
  • N/A


1) Script analysis

Script Analysis Summary

The script appears to be looking for IOCs related to crypto mining and attempts to remediate them. For example, the script checks for services, log files, and network connections related to crypto mining, then attempts to stop the processes, delete the log files, and close the network connections.


We start by reviewing the provided challenge file "miner_installer.sh".



Initially, when I saw the file name and skimmed through the file, I felt this might be related to an IaC (infrastructure as code) platform such as Ansible, Puppet, Terraform and so on. But I quickly realized this script was actually enumerating the system for IOCs related to crypto mining in an attempt to remediate them.


The function "clean environment" caught my attention, as it removes files and changes permissions. This includes sensitive locations such as the root user's SSH key.


The next part of the script looks for specific entries within the crontab.


In this area, we see the script is checking for processes related to crypto mining.


The script then continues checking for processes related to crypto mining and kills them.


From here we see attempts to clean up log files related to crypto mining services, which were identified by searching online for the IOCs found below.


2) Extract base64 strings

Part 1 of the string was identified as base64-encoded characters, as seen in the part of the script below.


Part 2 was also a base64-encoded string.


Part 3 was yet another base64-encoded string.


Part 4, the final one, was also a base64-encoded string.

3) Reconstruct flag
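The two analysis steps above, triaging what the installer script does (file tampering, crontab persistence, process killing, log cleanup, network checks) and pulling the four base64 fragments out of it in order to rebuild the flag, can be automated. The following Python is an added example written for this write-up; it is not the challenge file or the author's tooling. The embedded script is a constructed stand-in for miner_installer.sh, the triage rules are my own assumed patterns, and the four base64 fragments decode to a placeholder string, not the real flag.

```python
import base64
import binascii
import re

# Constructed stand-in for the challenge's miner_installer.sh (not the real
# file). The four base64 fragments encode a placeholder, not the real flag.
SAMPLE_SCRIPT = r"""#!/bin/bash
# clean_environment: remove rival miners and their persistence
chattr -i /root/.ssh/authorized_keys
rm -f /root/.ssh/authorized_keys
P1="SFRCe2NvbnN0"
crontab -l | grep -v "/tmp/.x/miner" | crontab -
P2="cnVjdGVkX3Bs"
ps -ef | grep -i rival-miner | awk '{print $2}' | xargs kill -9
P3="YWNlaG9sZGVy"
rm -rf /var/log/syslog
netstat -anp | grep ESTABLISHED | grep -v sshd
P4="X2ZsYWd9"
echo "$P1$P2$P3$P4" | base64 -d
"""

# Assumed behaviour signatures, mirroring the categories seen in the write-up.
TRIAGE_RULES = {
    "file_tamper":  re.compile(r"\b(rm\s+-r?f|chattr|chmod|chown)\b"),
    "persistence":  re.compile(r"\bcrontab\b|/etc/cron|\.bashrc|rc\.local|systemctl"),
    "process_kill": re.compile(r"\b(pkill|killall|kill\s+-9|xargs\s+kill)\b"),
    "log_cleanup":  re.compile(r"/var/log|\.log\b|history\s+-c"),
    "network":      re.compile(r"\b(netstat|ss|iptables|curl|wget)\b"),
}


def triage(script):
    """Map each behaviour category to the (1-based) script lines exhibiting it."""
    hits = {name: [] for name in TRIAGE_RULES}
    for n, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments describe, they do not act
        for name, rule in TRIAGE_RULES.items():
            if rule.search(line):
                hits[name].append(n)
    return hits


# A run of 8+ base64-alphabet characters, optional padding, not glued to more.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")


def decode_if_text(token):
    """Decoded text if token is valid base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None  # bad length/padding: an ordinary word such as "installer"
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None  # decodes, but to binary junk (e.g. the word "iptables")
    return raw.decode("ascii")


def extract_fragments(script):
    """(line_no, token, decoded) for each base64 fragment, in script order."""
    found = []
    for n, line in enumerate(script.splitlines(), 1):
        for m in B64_TOKEN.finditer(line):
            text = decode_if_text(m.group(0))
            if text is not None:
                found.append((n, m.group(0), text))
    return found


def reconstruct_flag(script):
    """Join the decoded fragments in the order they appear in the script."""
    return "".join(text for _, _, text in extract_fragments(script))


if __name__ == "__main__":
    for category, lines in triage(SAMPLE_SCRIPT).items():
        print(f"{category:13s} lines {lines}")
    for n, token, text in extract_fragments(SAMPLE_SCRIPT):
        print(f"line {n}: {token} -> {text!r}")
    print("reconstructed:", reconstruct_flag(SAMPLE_SCRIPT))
```

Two checks matter when scraping base64 out of shell: a token must have a length that base64 permits (otherwise `b64decode` raises and the token is just a long word), and the decoded bytes must be printable, which throws out alphanumeric commands like `iptables` that happen to decode to garbage. Joining in order of appearance is what the write-up's challenge called for; a script that assembles its fragments in a different order would need that order read from the concatenation line instead.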

