Hosted Hypervisors: TryHackMe Writeup
Hosted Hypervisors, also known as Type 2 Hypervisors, are a form of virtualization technology that operates on top of an existing operating system rather than directly interfacing with the underlying hardware. This setup allows them to manage virtual machines within the context of the host OS.
Hosted hypervisors come up in investigations less often than their server-side (Type 1) counterparts, but an investigator may still need to examine either the host that runs the hypervisor or a VM running on the target computer.
Task 1: Introduction
No answer needed.
Task 2: Environment & Setup
No answer needed.
Task 3: Networking & Memory Investigations
#3.1 What is the PID of the process vmware.exe on the memory dump: memdump.mem?
Answer: 8096
#3.2 What is the name of the VirtualBox service process on Windows?
Answer: VBoxSVC.exe
Task 4: VirtualBox Investigations
#4.1 Where is the VBoxManage tool typically located?
Answer: C:\Program Files\Oracle\VirtualBox
#4.2 Which file contains logs about the installation and the OS?
Answer: VBox.log
Task 5: VMware Workstation Investigations
#5.1 Which file lists the virtual machines that VMware Workstation starts automatically?
Answer: vmAutoStart.xml
#5.2 Where are the VMware Workstation logs typically located?
Answer: C:\ProgramData\VMware\logs
Task 6: Practical
#6.1 Investigate the VMware logs. Can you find the flag that starts with THM{}?
Answer: THM{You_f1nd_th3_l0g!}
#6.2 Analyze the processes on the memory dump C:\Users\Administrator\Desktop\exercise.mem on the room VM. What is the PID of the VBoxSVC.exe process?
Answer: 6052
#6.3 Analyze the processes on the memory dump C:\Users\Administrator\Desktop\exercise.mem on the room VM. What is the IP of the Virtual Network Adapter?
Answer: 192.168.182.139
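The lookups behind #3.1, #6.2 and #6.3 (process PIDs and bound adapter addresses from a memory dump) and the log search behind #6.1, as an added Python example that is not part of the room or of this writeup. It assumes Volatility 3 has already been run as `vol -f exercise.mem windows.pslist > pslist.txt` and `vol -f exercise.mem windows.netscan > netscan.txt` with its default tab-separated text output, and that VMware Workstation logs live under C:\ProgramData\VMware\logs. The PSLIST_SAMPLE, NETSCAN_SAMPLE and LOG_SAMPLE strings are constructed stand-ins for that output, not data from the room's images, and the helper names are mine.

```python
"""Added example (not from the TryHackMe room or the original writeup).

Pulls the artefacts asked for in #3.1, #6.1, #6.2 and #6.3 out of text an
investigator has already captured with Volatility 3:

  vol -f exercise.mem windows.pslist  > pslist.txt
  vol -f exercise.mem windows.netscan > netscan.txt

plus the VMware Workstation log tree (C:\\ProgramData\\VMware\\logs on Windows).
Every *_SAMPLE string below is constructed for the example.
"""
import re
from pathlib import Path

# Constructed: Volatility 3 `windows.pslist` text output (tab-separated columns).
PSLIST_SAMPLE = (
    "Volatility 3 Framework\n"
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64"
    "\tCreateTime\tExitTime\tFile output\n\n"
    "4\t0\tSystem\t0xe00000050040\t150\t-\tN/A\tFalse\t2023-01-01 10:00:00.000000 \tN/A\tDisabled\n"
    "6052\t748\tVBoxSVC.exe\t0xe0000412a080\t14\t-\t1\tFalse\t2023-01-01 10:05:12.000000 \tN/A\tDisabled\n"
    "8096\t5120\tvmware.exe\t0xe000041f7080\t30\t-\t1\tFalse\t2023-01-01 10:06:03.000000 \tN/A\tDisabled\n"
)

# Constructed: Volatility 3 `windows.netscan` text output.
NETSCAN_SAMPLE = (
    "Volatility 3 Framework\n"
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated\n\n"
    "0xe000042101a0\tTCPv4\t192.168.182.139\t49672\t0.0.0.0\t0\tLISTENING\t6052\tVBoxSVC.exe\t2023-01-01 10:05:13.000000 \n"
    "0xe00004211aa0\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t900\tsvchost.exe\t2023-01-01 10:00:05.000000 \n"
    "0xe0000421c000\tTCPv4\t127.0.0.1\t49670\t0.0.0.0\t0\tLISTENING\t1112\tsvchost.exe\t2023-01-01 10:00:06.000000 \n"
    "0xe00004219b20\tUDPv4\t192.168.182.139\t137\t*\t0\t\t4\tSystem\t2023-01-01 10:00:02.000000 \n"
)

# Constructed: a few lines in the style of a VMware Workstation vmware.log.
LOG_SAMPLE = (
    "2023-01-01T10:06:03.123Z| vmx| I005: Log for VMware Workstation pid=8096\n"
    "2023-01-01T10:06:03.125Z| vmx| I005: Hostname=WORKSTATION\n"
    "2023-01-01T10:06:04.001Z| vmx| I005: Note: THM{example_flag} planted for the exercise\n"
)

FLAG_RE = re.compile(r"THM\{[^}]*\}")
# Local addresses that do not identify an adapter (wildcard and loopback binds).
UNBOUND = {"0.0.0.0", "::", "127.0.0.1", "::1", "*"}


def _rows(table_text, first_header):
    """Yield the tab-separated data rows of a Volatility 3 text table, skipping
    the banner, blank lines and the header row (first column == first_header)."""
    for line in table_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or fields[0] == first_header:
            continue
        yield fields


def pids_for_process(pslist_text, image_name):
    """PIDs of every process whose ImageFileName matches, case-insensitively (#3.1, #6.2)."""
    wanted = image_name.lower()
    return [int(f[0]) for f in _rows(pslist_text, "PID")
            if f[0].isdigit() and f[2].lower() == wanted]


def local_addrs(netscan_text, pid=None):
    """Distinct local addresses that sockets are bound to, optionally for one PID (#6.3).
    Wildcard and loopback binds are dropped, so what remains are adapter addresses."""
    found = set()
    for f in _rows(netscan_text, "Offset"):
        if len(f) < 8 or not f[0].startswith("0x") or f[2] in UNBOUND:
            continue
        if pid is None or f[7] == str(pid):
            found.add(f[2])
    return sorted(found)


def find_flags(text):
    """Every distinct THM{...} token in a piece of log text (#6.1)."""
    return sorted(set(FLAG_RE.findall(text)))


def scan_log_tree(root):
    """Map each *.log file under root to the flags found in it (files without hits omitted)."""
    hits = {}
    for path in Path(root).rglob("*.log"):
        flags = find_flags(path.read_text(errors="replace"))
        if flags:
            hits[str(path)] = flags
    return hits


if __name__ == "__main__":
    print("vmware.exe PIDs:", pids_for_process(PSLIST_SAMPLE, "vmware.exe"))
    print("VBoxSVC.exe PIDs:", pids_for_process(PSLIST_SAMPLE, "VBoxSVC.exe"))
    print("adapter addresses:", local_addrs(NETSCAN_SAMPLE))
    print("flags in sample log:", find_flags(LOG_SAMPLE))
```

On a real dump, `scan_log_tree(r"C:\ProgramData\VMware\logs")` replaces the hand-reading of #6.1, and `local_addrs(open("netscan.txt").read())` narrows #6.3 to the handful of addresses actually bound on the host; if `windows.netscan` finds nothing (wrong or missing symbols are the usual cause), fall back to `windows.netstat` or to running `strings` over the dump and grepping for the 192.168 range.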
Task 7: Conclusion
No answer needed.