jebidiah-anthony
write-ups and what not
ShellScript (200 pts)
PART 1 : CHALLENGE DESCRIPTION
Your mean friend sent you an unknown file.
Find a flag hidden in that file.
Your friend said “Something bad will happen when you execute it”.
Flag format: flag{[A-Za-z_]+}
PART 2 : GIVEN
KCgoMTAyLDExNywxMTAsOTksMTE2LDEwNSwxMTEsMTEwLDMyLDgzLDEwNCwxMTEsMTE5LDY4LDExNywxMDksMTA5LDEyMSw3MCwxMDgsOTcsMTAzLDQwLDM2LDEwMiwxMDgsOTcsMTAzLDQxLDEyMywzNiwxMDksMTAwLDUzLDMyLDYxLDMyLDkxLDgzLDEyMSwxMTUsMTE2LDEwMSwxMDksNDYsODMsMTAxLDk5LDExNywxMTQsMTA1LDExNiwxMjEsNDYsNjcsMTE0LDEyMSwxMTIsMTE2LDExMSwxMDMsMTE0LDk3LDExMiwxMDQsMTIxLDQ2LDc3LDY4LDUzLDkzLDU4LDU4LDY3LDExNCwxMDEsOTcsMTE2LDEwMSw0MCw0MSw1OSwzNiwxMTUsMTE2LDExNCwzMiw2MSwzMiw5MSw4MywxMjEsMTE1LDExNiwxMDEsMTA5LDQ2LDg0LDEwMSwxMjAsMTE2LDQ2LDY5LDExMCw5OSwxMTEsMTAwLDEwNSwxMTAsMTAzLDkzLDU4LDU4LDY1LDgzLDY3LDczLDczLDQ2LDcxLDEwMSwxMTYsNjYsMTIxLDExNiwxMDEsMTE1LDQwLDM2LDEwMiwxMDgsOTcsMTAzLDQ2LDExNSwxMTcsOTgsMTE1LDExNiwxMTQsMTA1LDExMCwxMDMsNDAsMzYsMTAyLDEwOCw5NywxMDMsNDYsMTA1LDExMCwxMDAsMTAxLDEyMCwxMTEsMTAyLDQwLDM0LDEyMywzNCw0MSw0Myw0OSw0NCwzNiwxMDIsMTA4LDk3LDEwMyw0NiwxMTUsMTE3LDk4LDExNSwxMTYsMTE0LDEwNSwxMTAsMTAzLDQwLDM2LDEwMiwxMDgsOTcsMTAzLDQ2LDEwNSwxMTAsMTAwLDEwMSwxMjAsMTExLDEwMiw0MCwzNCwxMjMsMzQsNDEsNDMsNDksNDEsNDYsNzYsMTAxLDExMCwxMDMsMTE2LDEwNCw0NSw0OSw0MSw0MSw1OSwzNiwxMDQsOTcsMTE1LDEwNCwzMiw2MSwzMiwzNiwxMDksMTAwLDUzLDQ2LDY3LDExMSwxMDksMTEyLDExNywxMTYsMTAxLDcyLDk3LDExNSwxMDQsNDAsMzYsMTE1LDExNiwxMTQsNDEsNTksMzYsMTA0LDExNSwzMiw2MSwzMiwzNCwzNCw1OSwzNiwxMDQsOTcsMTE1LDEwNCwzMiwxMjQsMzIsMzcsMTIzLDMyLDM2LDEwNCwxMTUsMzIsNDMsNjEsMzIsMzYsOTUsNDYsODQsMTExLDgzLDExNiwxMTQsMTA1LDExMCwxMDMsNDAsMzQsMTIwLDUwLDM0LDQxLDMyLDEyNSw1OSwzNiwxMDIsMTA4LDk3LDEwMyw5NSwxMDQsOTcsMTE1LDEwNCwzMiw2MSwzMiwzNiwxMDIsMTA4LDk3LDEwMyw0NiwxMTUsMTE3LDk4LDExNSwxMTYsMTE0LDEwNSwxMTAsMTAzLDQwLDQ4LDQ0LDM2LDEwMiwxMDgsOTcsMTAzLDQ2LDEwNSwxMTAsMTAwLDEwMSwxMjAsMTExLDEwMiw0MCwzNCwxMjMsMzQsNDEsNDMsNDksNDEsMzIsNDMsMzIsMzYsMTA0LDExNSwzMiw0MywzMiwzNiwxMDIsMTA4LDk3LDEwMyw0NiwxMTUsMTE3LDk4LDExNSwxMTYsMTE0LDEwNSwxMTAsMTAzLDQwLDM2LDEwMiwxMDgsOTcsMTAzLDQ2LDEwNSwxMTAsMTAwLDEwMSwxMjAsMTExLDEwMiw0MCwzNCwxMjUsMzQsNDEsNDEsNTksMTAxLDk5LDEwNCwxMTEsMzIsMzYsMTAyLDEwOCw5NywxMDMsOTUsMTA0LDk3LDExNSwxMDQsNTksMTI1LDU5LDgzLDEwNCwxMTEsMTE5LDY4LDExNywxMDksMTA5LDEyMSw3MCwxMDgsOTcsMTAzLDQwLDM0LDEwMiwxMDgsOTcsMTAzLDEyMyw3MCwxMDUsMTA4LDEwMSwxMDgsMTAxLDExNSwxMTUsOTUsNzcsOTcsMTA4LDExOSw5NywxMTQsMTAxLDk1LDc5LDEwMiwxMTYsMTAxLDExMCw5NSw4NSwxMTUsMTAxLDExNSw5NSw4MywxMDQsMTAxLDEwOCwxMDgsODMsOTksMTE0LDEwNSwxMTIsMTE2LDEyNSwzNCw0MSw1OSkgfCAleyAoW0ludF0kXyAtYXMgW2NoYXJdKSB9KSAtSm9pbiAnJykgfCAmKCRlbnY6Y29tc3BlY1s0LDE1LDI1XSAtSm9pbiAnJyk=
PART 3 : GETTING THE FLAG
Base64 decode the text from the given file
$ c="KCgoMTAyLDExNywxMTAsOTksMTE2LDEwNSwxMTEsMTEwLDMyLDgzLDEwNCwxMTEsMTE5LDY4LDExNywxMDksMTA5LDEyMSw3MCwxMDgsOTcsMTAzLDQwLDM2LDEwMiwxMDgsOTcsMTAzLDQxLDEyMywzNiwxMDksMTAwLDUzLDMyLDYxLDMyLDkxLDgzLDEyMSwxMTUsMTE2LDEwMSwxMDksNDYsODMsMTAxLDk5LDExNywxMTQsMTA1LDExNiwxMjEsNDYsNjcsMTE0LDEyMSwxMTIsMTE2LDExMSwxMDMsMTE0LDk3LDExMiwxMDQsMTIxLDQ2LDc3LDY4LDUzLDkzLDU4LDU4LDY3LDExNCwxMDEsOTcsMTE2LDEwMSw0MCw0MSw1OSwzNiwxMTUsMTE2LDExNCwzMiw2MSwzMiw5MSw4MywxMjEsMTE1LDExNiwxMDEsMTA5LDQ2LDg0LDEwMSwxMjAsMTE2LDQ2LDY5LDExMCw5OSwxMTEsMTAwLDEwNSwxMTAsMTAzLDkzLDU4LDU4LDY1LDgzLDY3LDczLDczLDQ2LDcxLDEwMSwxMTYsNjYsMTIxLDExNiwxMDEsMTE1LDQwLDM2LDEwMiwxMDgsOTcsMTAzLDQ2LDExNSwxMTcsOTgsMTE1LDExNiwxMTQsMTA1LDExMCwxMDMsNDAsMzYsMTAyLDEwOCw5NywxMDMsNDYsMTA1LDExMCwxMDAsMTAxLDEyMCwxMTEsMTAyLDQwLDM0LDEyMywzNCw0MSw0Myw0OSw0NCwzNiwxMDIsMTA4LDk3LDEwMyw0NiwxMTUsMTE3LDk4LDExNSwxMTYsMTE0LDEwNSwxMTAsMTAzLDQwLDM2LDEwMiwxMDgsOTcsMTAzLDQ2LDEwNSwxMTAsMTAwLDEwMSwxMjAsMTExLDEwMiw0MCwzNCwxMjMsMzQsNDEsNDMsNDksNDEsNDYsNzYsMTAxLDExMCwxMDMsMTE2LDEwNCw0NSw0OSw0MSw0MSw1OSwzNiwxMDQsOTcsMTE1LDEwNCwzMiw2MSwzMiwzNiwxMDksMTAwLDUzLDQ2LDY3LDExMSwxMDksMTEyLDExNywxMTYsMTAxLDcyLDk3LDExNSwxMDQsNDAsMzYsMTE1LDExNiwxMTQsNDEsNTksMzYsMTA0LDExNSwzMiw2MSwzMiwzNCwzNCw1OSwzNiwxMDQsOTcsMTE1LDEwNCwzMiwxMjQsMzIsMzcsMTIzLDMyLDM2LDEwNCwxMTUsMzIsNDMsNjEsMzIsMzYsOTUsNDYsODQsMTExLDgzLDExNiwxMTQsMTA1LDExMCwxMDMsNDAsMzQsMTIwLDUwLDM0LDQxLDMyLDEyNSw1OSwzNiwxMDIsMTA4LDk3LDEwMyw5NSwxMDQsOTcsMTE1LDEwNCwzMiw2MSwzMiwzNiwxMDIsMTA4LDk3LDEwMyw0NiwxMTUsMTE3LDk4LDExNSwxMTYsMTE0LDEwNSwxMTAsMTAzLDQwLDQ4LDQ0LDM2LDEwMiwxMDgsOTcsMTAzLDQ2LDEwNSwxMTAsMTAwLDEwMSwxMjAsMTExLDEwMiw0MCwzNCwxMjMsMzQsNDEsNDMsNDksNDEsMzIsNDMsMzIsMzYsMTA0LDExNSwzMiw0MywzMiwzNiwxMDIsMTA4LDk3LDEwMyw0NiwxMTUsMTE3LDk4LDExNSwxMTYsMTE0LDEwNSwxMTAsMTAzLDQwLDM2LDEwMiwxMDgsOTcsMTAzLDQ2LDEwNSwxMTAsMTAwLDEwMSwxMjAsMTExLDEwMiw0MCwzNCwxMjUsMzQsNDEsNDEsNTksMTAxLDk5LDEwNCwxMTEsMzIsMzYsMTAyLDEwOCw5NywxMDMsOTUsMTA0LDk3LDExNSwxMDQsNTksMTI1LDU5LDgzLDEwNCwxMTEsMTE5LDY4LDExNywxMDksMTA5LDEyMSw3MCwxMDgsOTcsMTAzLDQwLDM0LDEwMiwxMDgsOTcsMTAzLDEyMyw3MCwxMDUsMTA4LDEwMSwxMDgsMTAxLDExNSwxMTUsOTUsNzcsOTcsMTA4LDExOSw5NywxMTQsMTAxLDk1LDc5LDEwMiwxMTYsMTAxLDExMCw5NSw4NSwxMTUsMTAxLDExNSw5NSw4MywxMDQsMTAxLDEwOCwxMDgsODMsOTksMTE0LDEwNSwxMTIsMTE2LDEyNSwzNCw0MSw1OSkgfCAleyAoW0ludF0kXyAtYXMgW2NoYXJdKSB9KSAtSm9pbiAnJykgfCAmKCRlbnY6Y29tc3BlY1s0LDE1LDI1XSAtSm9pbiAnJyk="
$ echo $c | base64 -d
(((102,117,110,99,116,105,111,110,32,83,104,111,119,68,117,109,109,121,70,108,97,103,40,36,102,108,97
,103,41,123,36,109,100,53,32,61,32,91,83,121,115,116,101,109,46,83,101,99,117,114,105,116,121,46,67,1
14,121,112,116,111,103,114,97,112,104,121,46,77,68,53,93,58,58,67,114,101,97,116,101,40,41,59,36,115,
116,114,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,5
8,65,83,67,73,73,46,71,101,116,66,121,116,101,115,40,36,102,108,97,103,46,115,117,98,115,116,114,105,
110,103,40,36,102,108,97,103,46,105,110,100,101,120,111,102,40,34,123,34,41,43,49,44,36,102,108,97,10
3,46,115,117,98,115,116,114,105,110,103,40,36,102,108,97,103,46,105,110,100,101,120,111,102,40,34,123
,34,41,43,49,41,46,76,101,110,103,116,104,45,49,41,41,59,36,104,97,115,104,32,61,32,36,109,100,53,46,
67,111,109,112,117,116,101,72,97,115,104,40,36,115,116,114,41,59,36,104,115,32,61,32,34,34,59,36,104,
97,115,104,32,124,32,37,123,32,36,104,115,32,43,61,32,36,95,46,84,111,83,116,114,105,110,103,40,34,12
0,50,34,41,32,125,59,36,102,108,97,103,95,104,97,115,104,32,61,32,36,102,108,97,103,46,115,117,98,115
,116,114,105,110,103,40,48,44,36,102,108,97,103,46,105,110,100,101,120,111,102,40,34,123,34,41,43,49,
41,32,43,32,36,104,115,32,43,32,36,102,108,97,103,46,115,117,98,115,116,114,105,110,103,40,36,102,108
,97,103,46,105,110,100,101,120,111,102,40,34,125,34,41,41,59,101,99,104,111,32,36,102,108,97,103,95,1
04,97,115,104,59,125,59,83,104,111,119,68,117,109,109,121,70,108,97,103,40,34,102,108,97,103,123,70,1
05,108,101,108,101,115,115,95,77,97,108,119,97,114,101,95,79,102,116,101,110,95,85,115,101,115,95,83,
104,101,108,108,83,99,114,105,112,116,125,34,41,59) | %{ ([Int]$_ -as [char]) }) -Join '') | &($env:c
omspec[4,15,25] -Join '')
The decoded output seems to be an obfuscated code where each character are transformed from an ASCII character to its integer equivalent.
The script above converts the integers to characters using %{ ([Int]$_ -as [char]) } then concatenates them using -Join ''.
Following the script on how to deobfuscate the code gives:
function ShowDummyFlag($flag){$md5 = [System.Security.Cryptography.MD5]::Create();$str = [System.Text.Encoding]::ASCII.GetBytes($flag.substring($flag.indexof("{")+1,$flag.substring($flag.indexof("{")+1).Length-1));$hash = $md5.ComputeHash($str);$hs = "";$hash | %{ $hs += $_.ToString("x2") };$flag_hash = $flag.substring(0,$flag.indexof("{")+1) + $hs + $flag.substring($flag.indexof("}"));echo $flag_hash;};ShowDummyFlag("flag{Fileless_Malware_Often_Uses_ShellScript}");
Beautified:
function ShowDummyFlag($flag){
$md5 = [System.Security.Cryptography.MD5]::Create();
$str = [System.Text.Encoding]::ASCII.GetBytes(
$flag.substring(
$flag.indexof("{")+1, $flag.substring($flag.indexof("{")+1).Length-1)
);
$hash = $md5.ComputeHash($str);
$hs = "";
$hash | %{ $hs += $_.ToString("x2") };
$flag_hash = $flag.substring(0,$flag.indexof("{")+1) + $hs + $flag.substring($flag.indexof("}")
);
echo $flag_hash;
};
ShowDummyFlag("flag{Fileless_Malware_Often_Uses_ShellScript}");