
Red Failure

Red Failure is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Difficulty: Medium. Published 2024-07-09. Sanitized local writeup.

Scenario

Red Failure attack path


Objective

Challenge walkthrough focused on Forensics evidence, validation, and reusable operator lessons.

Red Failure sanitized attack graph

Walkthrough flow

  1. Reassemble HTTP responses from the PCAP to recover...
  2. Deobfuscate the loader enough to recover the...
  3. Use the DInjector encryptor format as advisory...
  4. Decrypt the stage, then emulate the x86 additive-XOR...
  5. Inspect the decoded stage for the persistence...

Source coverage

High source coverage (100%)

Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • Forensics/Red-Failure/writeup.md
  • htb-challenge/Forensics/Red-Failure/notes.md
  • htb-challenge/Forensics/Red-Failure/memory-summary.md
  • htb-challenge/Forensics/Red-Failure/hypothesis-board.md

Technical Walkthrough

Writeup

Challenge

  • Name: Red-Failure
  • Category: Forensics
  • Difficulty: Medium
  • Mode: file

Summary

The capture shows a staged Windows payload delivery chain. A PowerShell loader downloads a DInjector assembly and an encrypted shellcode blob, then runs the blob with currentthread. Reconstructing the HTTP responses, recovering the loader decryption material, decrypting the DInjector stage, and emulating the x86 decoder reveals the abandoned persistence command. The flag is the secret value set for the left-behind local administrator user.

Artifact Inventory

The provided archive extracts to files/extracted/capture.pcap. Local reassembly recovered three HTTP objects under analysis/extracted-http/:

  • 4A7xH.ps1: obfuscated PowerShell loader.
  • user32.dll: .NET DInjector assembly loaded reflectively by the script.
  • 9tVI0: encrypted shellcode stage.

Analysis

analysis/pcap/http-ascii.txt and the reproducible extractor in solve/solve.py show the HTTP transfer sequence from <TARGET>:80.

The loader constructs a command equivalent to a DInjector currentthread execution path, with /sc pointing to /9tVI0, /dll set to msvcp_win.dll, and decryption material assembled from string fragments.

Direct-source review of analysis/research/dinjector-encrypt.py matched the local behavior: the encrypted stage is IV-prefixed AES-CBC using a SHA-256 hash of the loader-supplied secret and PKCS7 padding. Decrypting 9tVI0 with the recovered material produced an x86 encoded payload.
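The stage format described above, as an added example that is not the challenge's solve.py or DInjector's own code: the blob is split into a 16-byte IV prefix and AES-CBC ciphertext, the key is SHA-256 of the loader-supplied secret, and the plaintext is PKCS7-padded. The UTF-8 encoding of the secret, the sample secret and the stand-in stage bytes are assumptions made for this example.

```python
# Added example, not the challenge's solve.py: decrypt a DInjector-style stage
# laid out as IV (16 bytes) || AES-CBC ciphertext, key = SHA-256(secret),
# plaintext PKCS7-padded. A mirror encryptor builds the constructed test vector.
import hashlib
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16


def derive_key(secret: str) -> bytes:
    """Key = SHA-256(secret). UTF-8 is an assumption about the loader's encoding."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


def decrypt_stage(blob: bytes, secret: str) -> bytes:
    """Split off the IV prefix, decrypt AES-CBC, strip PKCS7.

    Raises ValueError on a malformed blob or bad padding; in practice that means
    the secret recovered from the loader is wrong and the loader needs another look.
    """
    if len(blob) < 2 * BLOCK or len(blob) % BLOCK:
        raise ValueError("blob must be an IV plus at least one whole AES block")
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    dec = Cipher(algorithms.AES(derive_key(secret)), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpad = padding.PKCS7(8 * BLOCK).unpadder()
    return unpad.update(padded) + unpad.finalize()


def encrypt_stage(plain: bytes, secret: str, iv: bytes = b"") -> bytes:
    """Mirror of the encryptor format, used here only to build a test vector."""
    iv = iv or os.urandom(BLOCK)
    pad = padding.PKCS7(8 * BLOCK).padder()
    padded = pad.update(plain) + pad.finalize()
    enc = Cipher(algorithms.AES(derive_key(secret)), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


# Constructed sample: a stand-in secret and a 37-byte stand-in stage, chosen so
# the plaintext needs a non-trivial PKCS7 tail (11 bytes of padding). The zero IV
# makes the vector deterministic; a real encryptor would use a random IV.
SAMPLE_SECRET = "example-secret"
SAMPLE_STAGE = bytes(range(37))
SAMPLE_BLOB = encrypt_stage(SAMPLE_STAGE, SAMPLE_SECRET, iv=b"\x00" * BLOCK)
```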

The first stage is an additive-XOR self-modifying decoder. It starts with a mov esi, imm32 key, uses a loop count of 0x48 (72 dwords), decodes from offset 0x19, and turns the first decoded dword into a loop instruction. After 72 dwords are decoded, the resulting stage contains the persistence command. The safe redacted output is stored at analysis/extracted-http/9tVI0.stage2.redacted.txt. The raw decoded shellcode is kept only in loot/.
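Emulating the decoder loop in Python rather than executing it, as an added example that is not the challenge's solve.py. The offset 0x19, the 72-dword count and the mov esi, imm32 key are the page's values; the feedback rule (XOR the dword with the key, then add the decoded dword to the key, mod 2^32), the stub layout and the sample bytes are assumptions modelled on Shikata ga nai style encoders.

```python
# Added example, not the challenge's solve.py: emulate an additive-feedback XOR
# decoder in memory. Assumed rule (Shikata ga nai style): dword ^= key, then
# key = (key + decoded dword) mod 2^32. Offsets and count are the page's values.
import struct

STUB_LEN = 0x19      # offset of the first encoded dword (page value)
LOOP_COUNT = 0x48    # 72 dwords decoded (page value)
MASK = 0xFFFFFFFF


def recover_key_from_stub(blob: bytes) -> int:
    """Pull the imm32 from a leading 'mov esi, imm32' (opcode 0xBE)."""
    if blob[0] != 0xBE:
        raise ValueError("stub does not start with mov esi, imm32")
    return struct.unpack_from("<I", blob, 1)[0]


def emulate_decoder(blob: bytes, key: int, start: int = STUB_LEN,
                    count: int = LOOP_COUNT) -> bytearray:
    """Apply the decode loop to a copy of blob and return the modified image.

    The first dword written lands inside the decoder itself (the page notes it
    becomes the loop instruction), so static disassembly never sees a valid
    loop; decoding the whole image in memory sidesteps that self-modification.
    """
    if start + 4 * count > len(blob):
        raise ValueError("decoder would run past the end of the blob")
    img = bytearray(blob)
    for i in range(count):
        off = start + 4 * i
        (enc,) = struct.unpack_from("<I", img, off)
        dec = enc ^ key
        struct.pack_into("<I", img, off, dec)
        key = (key + dec) & MASK
    return img


def encode_for_test(plain: bytes, key: int) -> bytes:
    """Inverse of the loop, used only to build the constructed test vector."""
    out = bytearray()
    for (dec,) in struct.iter_unpack("<I", plain):
        out += struct.pack("<I", dec ^ key)
        key = (key + dec) & MASK
    return bytes(out)


# Constructed sample: mov esi, imm32 plus 0xCC filler to reach the 0x19-byte
# stub, followed by 72 encoded dwords whose plaintext carries a marker string.
SAMPLE_KEY = 0x5EC0DE11
MARKER = b"PERSISTENCE-COMMAND-PLACEHOLDER"
SAMPLE_TEXT = (b"\x90" * 100 + MARKER).ljust(4 * LOOP_COUNT, b"\x00")
SAMPLE_BLOB = (b"\xbe" + struct.pack("<I", SAMPLE_KEY) + b"\xcc" * (STUB_LEN - 5)
               + encode_for_test(SAMPLE_TEXT, SAMPLE_KEY))
```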

Solve

Run:

```bash
python3 Forensics/Red-Failure/solve/solve.py
```

The script:

  1. Parses the classic little-endian PCAP and reassembles TCP streams.
  2. Extracts HTTP response bodies into analysis/extracted-http/.
  3. Recovers the DInjector decryption material from the PowerShell loader.
  4. Decrypts 9tVI0 as IV-prefixed AES-CBC.
  5. Emulates the x86 decoder loop and searches the decoded stage for the flag.
  6. Writes the candidate to loot/flag-candidate.txt.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • For staged payload PCAPs, reconstruct the loader command before carving the second stage; the command often contains the decryption material.
  • DInjector payloads can be validated from the loader arguments plus the upstream encryptor format before attempting deeper shellcode analysis.
  • Keep decoded shellcode that contains embedded flags under loot/, and store only redacted views under analysis/.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: Red-Failure
  • Category: Forensics
  • Difficulty: Medium
  • Mode: file
  • Remote instance: none
  • Start time: 2026-06-13T08:17:40Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

| File | Size | SHA256 | Type | Notes |
| --- | --- | --- | --- | --- |
| files/a12c7364-45e9-41b7-8fe2-dcc40c3b7eb4.zip | 51188 | <hash redacted> | Zip archive data, at least v2.0 to extract, compression method=deflate | zip entries: 1 shown in artifact inventory JSON |

Evidence Ledger

| Time | Action | Output/File | Finding | Confidence | Next |
| --- | --- | --- | --- | --- | --- |
| 2026-06-13T08:17:40Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-13T08:17:41Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-13T08:18:01Z | hypothesis recorded | hypothesis-board.md | Reconstruct application-layer artifacts from the PCAP and identify a leftover persistence mechanism or malicious artifact that encodes the flag. | Medium | Extract protocols, conversations, HTTP/DNS/TCP payload strings, and file transfers from capture.pcap before attempting any decoding. |
| 2026-06-13T08:18:01Z | research task | analysis/research/task-20260613T081801999021Z-474315ef.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-06-13T08:18:02Z | instrumentation plan | analysis/instrumentation-plan.md | Recover the flag by reconstructing malicious/persistence artifacts from capture.pcap. | High | Stop after two parsing branches produce no new protocol or payload evidence; record closed branches and reassess with RAG/local memory. |
| 2026-06-13T08:18:30Z | checkpoint recorded | analysis/checkpoint-hypothesis_ready-20260613T081830912218Z-32f5267d.md | Checkpoint for <secret redacted> | High | Use checkpoint to drive next decision |
| 2026-06-13T08:18:49Z | RAG query | analysis/rag/rag-query-20260613T081830974192Z-9795cf15.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-13T08:19:16Z | RAG record | analysis/rag-records.md | Retrieved memory tagged GENERIC | Medium | Validate or reject with live evidence |
| 2026-06-13T08:26:46Z | research record | analysis/research/research-records.md | Research tagged MATCHED | Medium | Validate against current evidence |
| 2026-06-13T08:26:56Z | evaluator | analysis/evaluator-20260613T082656459316Z-4fc80c2e.md | Proceed | High | Capture the validated flag candidate and complete the harness. |
| 2026-06-13T08:26:56Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-13T08:30:02Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |

Key Findings

  • The PCAP contained three HTTP-delivered artifacts from <TARGET>:80: a PowerShell loader (4A7xH.ps1), a .NET DInjector DLL (user32.dll), and an encrypted stage (9tVI0).
  • The PowerShell loader builds a DInjector currentthread command, recovers the stage decryption material through string formatting, downloads user32.dll, and invokes DInjector.Detonator.Boom.
  • Direct-source review of DInjector's encrypt.py matched the local artifact behavior: the stage is IV-prefixed AES-CBC using a SHA-256 hash of the loader-supplied secret and PKCS7-padded shellcode.
  • AES-CBC decryption produced an x86 encoded payload. The decoder stub self-modifies offset 0x19 into a loop instruction and decodes 72 dwords through the end of the shellcode.
  • The decoded stage contains the leftover persistence command: create a local user, set its secret value to the flag, and add that user to the local administrators group.
  • Raw decoded shellcode and raw flag material are stored only under loot/; analysis/extracted-http/9tVI0.stage2.redacted.txt contains the safe redacted view.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

```bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
```

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: Forensics
  • Challenge: Red-Failure
  • Difficulty: Medium
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

  1. Reassemble HTTP responses from the PCAP to recover the PowerShell loader, DInjector assembly, and encrypted stage.
  2. Deobfuscate the loader enough to recover the DInjector command and decryption material.
  3. Use the DInjector encryptor format as advisory support: IV-prefixed AES-CBC with a SHA-256-derived key and PKCS7 padding.
  4. Decrypt the stage, then emulate the x86 additive-XOR self-modifying decoder loop.
  5. Inspect the decoded stage for the persistence command; the flag is embedded as the secret value used in that command.

Reusable Lessons

  • Forensics payload captures often require chaining packet reconstruction, script deobfuscation, tool-format validation, and shellcode decoding.
  • DInjector-style encrypted stages should be checked for IV-prefixed AES-CBC when a loader supplies decryption material through /password or /p.
  • Shikata/SGN-style shellcode may decode by modifying the loop instruction itself; emulate the decoder loop instead of relying only on static strings.
  • Store raw decoded shellcode under loot/ if it contains flag material; keep redacted decoded views in analysis/.

Dead Ends

  • Direct strings on the encrypted stage and first decrypted stage did not expose the flag.
  • Treating 9tVI0 as the file-reported OpenPGP public key type was misleading; the local loader and DInjector context showed it was encrypted shellcode.

Tool Quirks

  • The local macOS environment lacked tshark, binwalk, exiftool, native .NET tooling, and a raw x86 disassembler.
  • A short local Capstone virtualenv was used for confirmation, then removed. The final solve script does not require Capstone.
  • tcpdump, Python PCAP parsing, and Python cryptography were sufficient for the final reproducible solve.

Evidence Paths

  • analysis/pcap/http-ascii.txt
  • analysis/extracted-http/4A7xH.ps1
  • analysis/extracted-http/user32.dll
  • analysis/extracted-http/9tVI0
  • analysis/extracted-http/9tVI0.decrypted.bin
  • analysis/extracted-http/9tVI0.stage2.redacted.txt
  • analysis/research/dinjector-encrypt.py
  • solve/solve.py
  • loot/flag.txt

Ingestion Decision

  • Proposed for LightRAG: yes
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Reconstruct application-layer artifacts from the PCAP and identify a leftover persistence mechanism or malicious artifact that encodes the flag. | The challenge scenario says engineers found leftover artifacts and asks to investigate a network capture for active persistence. | | Extract protocols, conversations, HTTP/DNS/TCP payload strings, and file transfers from capture.pcap before attempting any decoding. | Medium | Active |

Closed Branches

| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
| --- | --- | --- | --- | --- |

Technical analogy

How to remember this solve

Think of the challenge as a small system with one rule that matters more than the rest. The solve is finding that rule, validating it, and using it carefully enough to reach the final proof.

For Red Failure, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.