Hosted Hypervisors TryHackMe Walkthrough | Writeup | SuNnY

Sunny Singh Verma
6 min read · Sep 4, 2024


Introduction :

Hosted hypervisors, also known as Type 2 hypervisors, are a key technology in virtualization, allowing multiple operating systems to run concurrently on a single physical machine. Unlike Type 1 hypervisors, which run directly on the hardware, hosted hypervisors operate on top of an existing operating system, leveraging its resources and services.

Kudos To the Creators :

Room Type :

Free Room
Anyone can deploy virtual machines in the room (without being subscribed)!

Task 1 : Introduction

Learning Objectives

  • Detect the presence of a Hypervisor on a Host
  • Analyze a VirtualBox-hosted Hypervisor
  • Analyze a VMware-hosted Hypervisor

Task 2 : Environment & Setup

Credentials for Task 2 are provided above if you are using your own VM.

Task 3 : Networking & Memory Investigations

First, let's start PowerShell and change the directory to volatility3 →

After firing up PowerShell, we change directory to volatility3.

Now let’s run this command →

python vol.py -f ..\memdump.mem windows.pstree

What will this command do?

Running this command will analyze the memory dump (memdump.mem) and produce a process tree that shows the hierarchy of processes running on the Windows system from which the memory dump was taken. This can be helpful in identifying suspicious processes or understanding the state of the system at the time the memory dump was captured.

Command Breakdown →

Components:

python vol.py:

  • This runs the vol.py script using Python. vol.py is the main executable script for Volatility.

-f ..\memdump.mem:

  • The -f flag specifies the file to analyze. In this case, it points to ..\memdump.mem, which is a memory dump file located in the parent directory of the current working directory.

windows.pstree:

  • This is a Volatility plugin that generates a process tree (pstree). It shows a hierarchical view of the processes running in the system when the memory dump was taken. The plugin can be used to identify parent-child relationships among processes, which is useful for spotting unusual or malicious activity.

The next command to be run:

python vol.py -f ../memdump.mem windows.netstat

What does this command do?

This command analyzes the memory dump (memdump.mem) and lists all network connections, listening ports, and associated processes that were active or in use on the Windows system at the time the memory dump was captured. It's useful for investigating potential network-related malicious activity, such as hidden backdoors or communication with suspicious IP addresses.

python vol.py:

  • This runs the vol.py script using Python, the main script for running Volatility commands.

-f ../memdump.mem:

  • The -f flag specifies the memory dump file you want to analyze. In this case, ../memdump.mem is the file you're analyzing, located one directory up from the current directory.

windows.netstat:

  • This is the Volatility plugin that replicates the functionality of the netstat command, but for a memory dump. It analyzes network connections in the memory dump of a Windows system and shows active or recently closed network connections.

Task 3 Question 1: What is the PID of the process vmware.exe on the memory dump: memdump.mem?

After running the above command we can see the PID of the running process vmware.exe on the memory dump:

Task 3 Question 2: What is the name of the VirtualBox service process in Windows?

The Answer can be found in the snippet below →

Task 3 is now successfully completed !

Task 4 : VirtualBox Investigations

Task 4 Question 1: Where is the VboxManage tool typically located?

The answer can be found inside the snippet below →

Task 4 Question 2 : Which file contains logs about the installation and the OS?

The Answer can be found in the snippet below →

Task 4 is now complete !

Task 5 : VMware Workstation Investigations

Task 5 Question 1 : What file should you look at to determine which VMs have an autostart functionality?

Task 5 Question 2 : Where are the Hypervisor logs typically located?

The answer can be found in the snippet below →

Task 5 complete !

Task 6 : Practical

Task 6 Question 1 : Investigate the VMware logs. Can you find the flag that starts with THM{}?

The location of the VMware logs is mentioned in the Task 5 module →

Let’s change the directory first →

cd 

We can check the contents of the log by simply running a cat command:

cat 

Since a lot of entries are returned, let's filter on the flag prefix → THM{

cat .\vmmsi.log_20240822_234016.log | findstr /i "THM{"

The above command returns the flag we are looking for →

Task 6 Question 2 : Analyze the processes on the memory dump C:\Users\Administrator\Desktop\exercise.mem on the room VM. What is the PID of the VBoxSVC.exe process?

cd C:\Users\Administrator\Desktop\volatility3
python vol.py -f C:\Users\Administrator\Desktop\exercise.mem windows.pslist

You can also filter the output of the above command to get the exact result →

python vol.py -f C:\Users\Administrator\Desktop\exercise.mem windows.pslist | findstr /i "VBoxSVC.exe"

Task 6 Question 3 : Analyze the processes on the memory dump C:\Users\Administrator\Desktop\exercise.mem on the room VM. What is the IP of the Virtual Network Adapter?

python vol.py -f C:\Users\Administrator\Desktop\exercise.mem windows.netscan
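The two checks done by hand above (finding hypervisor processes such as vmware.exe and VBoxSVC.exe in Volatility's process listing in Task 3 and Task 6, and grepping the VMware installer log for the THM{ flag) can be scripted. This is an added example, not the room's or Volatility's own code; the process-name table, the pslist output and the log lines are constructed for the example.

```python
import re

# Process names that indicate a hosted (Type 2) hypervisor on a Windows host
# (constructed lookup table for this example).
HYPERVISOR_PROCESSES = {
    "vmware.exe": "VMware Workstation",
    "vmware-vmx.exe": "VMware Workstation",
    "vmware-authd.exe": "VMware Workstation",
    "vboxsvc.exe": "VirtualBox",
    "virtualbox.exe": "VirtualBox",
    "vboxheadless.exe": "VirtualBox",
    "vboxmanage.exe": "VirtualBox",
}

# Constructed sample of `python vol.py -f exercise.mem windows.pslist` output.
# Real output is tab-separated with more columns; only PID, PPID and
# ImageFileName are used here.
SAMPLE_PSLIST = """Volatility 3 Framework 2.5.0
PID\tPPID\tImageFileName\tOffset(V)\tThreads
4\t0\tSystem\t0xe000a1b2c3d4\t120
604\t516\tsvchost.exe\t0xe000a1b2d0e0\t14
3120\t604\tVBoxSVC.exe\t0xe000a1b2f000\t23
4476\t3120\tVirtualBox.exe\t0xe000a1b30000\t31
5288\t2012\tvmware.exe\t0xe000a1b31000\t40
"""

def find_hypervisor_processes(pslist_output):
    """Return [(pid, ppid, name, product)] for every known hypervisor process."""
    hits = []
    for line in pslist_output.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or not cols[0].isdigit():
            continue  # skip the banner, the header row and malformed lines
        pid, ppid, name = int(cols[0]), int(cols[1]), cols[2]
        product = HYPERVISOR_PROCESSES.get(name.lower())
        if product:
            hits.append((pid, ppid, name, product))
    return hits

# Case-insensitive like `findstr /i "THM{"`, but returns only the flag token.
FLAG_RE = re.compile(r"THM\{[^}]*\}", re.IGNORECASE)

def find_flags(log_text):
    """Return every THM{...} flag found in the log text."""
    return FLAG_RE.findall(log_text)

# Constructed installer-log lines; the room's real vmmsi.log is not reproduced.
SAMPLE_LOG = "MSI (s) (A4:B8) Installing VMware Workstation\nTHM{constructed_flag}\nDone\n"
```

The PPID column is kept because, as the pstree breakdown above notes, a VirtualBox.exe whose parent is VBoxSVC.exe is the expected relationship, while the same names under an unexpected parent are worth a closer look.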

Task 6 all Complete !!

Task 7 : Conclusion

Room : Hosted Hypervisors Complete !

Room Pwned !! Congratulations !!

Hope you have enjoyed this room as much as I did.

Let’s Connect on Linkedin → https://linkedin.com/in/sunnysinghverma

You can also give me Respect on Hack The Box if you want; I would really appreciate it :)

https://app.hackthebox.com/users/1585635

My TryHackMe Profile Page →

https://tryhackme.com/p/SuNnY

If you did, you can add a clap to this article to let me know, and if you loved it you can click the clap icon up to 50 times; that will make my day 🤗
You can also follow me on Medium to get more articles about CTFs and cybersecurity in the near future, but don't forget to hit the email notification icon right next to the follow button.

Thank you !
SuNnY
