Alien Cradle | Forensics | HackTheBox Cyber Apocalypse CTF 2023


Alien Cradle

Description:

In their relentless quest to uncover the secrets of an ancient relic, a group of extraterrestrial beings has launched a targeted attack. This attack focuses on Pandora's close friends and partners, who may possess hidden knowledge about the relic. During a recent incident, Pandora discovered a suspicious PowerShell script within the event logs. Known as a PowerShell cradle, such scripts typically download and execute subsequent stages of an attack. However, this particular script is obfuscated, leaving Pandora puzzled. Can you assist her in deobfuscating it?

Hint:

None provided.

Steps:

  1. Unzipping the File:

    • Extract the contents of the provided .zip file. This will result in a .ps1 (PowerShell) script file.
  2. The Script:

    • Open the extracted .ps1 in a text editor rather than running it: a cradle's purpose is to fetch and execute the next stage, so the script has to be analysed statically.

      Flag Construction:

      • The only obfuscation applied to the flag is string concatenation. The script builds it from several short single-quoted substrings and assigns the result to a variable:

      $f = 'H' + 'T' + 'B' + '{p0w3rs' + 'h3ll' + '_Cr4d' + 'l3s_c4n_g3t' + '_th' + '3_j0b_d' + '0n3}'; 

      Joining the substrings in order gives the flag:

       HTB{p0w3rsh3ll_Cr4dl3s_c4n_g3t_th3_j0b_d0n3}

      Conclusion:

      The obfuscation here is cosmetic: splitting a literal into concatenated fragments defeats a naive search for HTB{ in the file and nothing more, so the flag is recovered either by reading the assignment or by folding the concatenation. The same static approach is the right one for real cradles, which exist to download and run a second stage: the strings are read out of the script without ever executing it.
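As an added example (not part of the original write-up or the challenge files), the following Python script folds PowerShell single-quoted string concatenations statically, without executing anything, and reports any HTB{...} values it recovers. The sample script it runs on is constructed here: the $f assignment is the line quoted above, while the other statements are invented decoys to show that unrelated variables and commands are left alone.

```python
import re

# Constructed sample input: the $f line is the one quoted in the write-up;
# the other statements are made up to exercise the decoy and edge cases.
SAMPLE_PS1 = r"""
$m = 'decoy text that has nothing to do ' + 'with the flag';
$f = 'H' + 'T' + 'B' + '{p0w3rs' + 'h3ll' + '_Cr4d' + 'l3s_c4n_g3t' + '_th' + '3_j0b_d' + '0n3}';
$p = 'it''s quoted' +
     ' across a line break';
$u = Get-Random;
Invoke-WebRequest -Uri $u -OutFile $t;
"""

# A PowerShell single-quoted literal: no escape sequences, except that a
# doubled quote ('') stands for one literal quote character.
_LITERAL = r"'(?:[^']|'')*'"
# A right-hand side made entirely of literals joined by '+'. Because \s
# matches newlines, a '+' at the end of a line followed by a continued
# literal on the next line is accepted too.
_CONCAT = rf"{_LITERAL}(?:\s*\+\s*{_LITERAL})*"
# $name = <concat>;  anchored to a whole logical statement.
_ASSIGN = re.compile(rf"^\s*\$(\w+)\s*=\s*({_CONCAT})\s*;?\s*$", re.MULTILINE)

_FLAG = re.compile(r"HTB\{[^}]*\}")


def unquote(literal):
    """Strip the outer quotes and unescape doubled quotes: 'it''s' -> it's."""
    return literal[1:-1].replace("''", "'")


def fold_concat(expr):
    """Statically evaluate 'a' + 'b' + ... without invoking PowerShell."""
    return "".join(unquote(m.group(0)) for m in re.finditer(_LITERAL, expr))


def resolve_string_assignments(script):
    """Map each $var that is assigned a pure string concatenation to its folded value.

    Assignments whose right-hand side is anything other than literals joined
    by '+' (cmdlet calls, other variables, arithmetic) are deliberately skipped:
    resolving those safely would require executing the script.
    """
    return {name: fold_concat(expr) for name, expr in _ASSIGN.findall(script)}


def find_flags(script):
    """Return the sorted, de-duplicated HTB{...} strings hidden in folded assignments."""
    values = resolve_string_assignments(script).values()
    return sorted({flag for value in values for flag in _FLAG.findall(value)})


if __name__ == "__main__":
    for name, value in resolve_string_assignments(SAMPLE_PS1).items():
        print(f"${name} = {value!r}")
    print("flags:", find_flags(SAMPLE_PS1))
```

Only assignments whose right-hand side is nothing but literals joined by + are folded; a line such as `$u = Get-Random;` is left untouched, because resolving it would mean running the script, which is exactly what an analyst handling a cradle must not do.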

