
HTB: Holmes CTF 2025

September 29, 2025
by Kieran Jessup


HTB CTF 2025 Holmes, Challenge: The Payload

During execution, the malware initializes the COM library on its main thread. Based on the imported functions, which DLL is responsible for providing this functionality? (filename.ext)

Reviewing this binary in IDA, we can see calls to CoInitialize, CoCreateInstance and OleRun at the start of the main function. All three are exported by the same DLL, which the import table confirms:

ole32.dll

Which GUID is used by the binary to instantiate the object containing the data and code for execution?

The CLSID is the first argument to CoCreateInstance (rclsid, passed in rcx), so the 16-byte GUID lives at the rclsid label in the binary's data section. The other arguments visible in the call are pUnkOuter = 0 (no aggregation), dwClsContext = 17h (CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER | CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER, i.e. CLSCTX_ALL), riid (the interface requested) and ppv (where the returned interface pointer is stored):

mov     [rsp+278h+var_208], rdi
lea     rax, [rsp+278h+pUnknown]
mov     [rsp+278h+ppv], rax ; int
lea     r9, riid        ; riid
xor     edx, edx        ; pUnkOuter
mov     r8d, 17h        ; dwClsContext
lea     rcx, rclsid     ; rclsid
call    cs:CoCreateInstance

guid

Which .NET framework feature is the attacker using to bridge calls between a managed .NET class and an unmanaged native binary? (string)