2024 Cyber Apocalypse: Fake Boost

Challenge Information

Attribute     Details
Event         2024 Cyber Apocalypse
Category      Forensics
Challenge     Fake Boost
Difficulty    Medium

Summary

Fake Boost involves analyzing a network capture (PCAP) to extract a malicious PowerShell script. The script is obfuscated by base64-encoding it and then reversing the resulting string. The deobfuscated script contains the first part of the flag and the AES encryption parameters. Analyzing a second TCP stream reveals encrypted data that, once decrypted with those parameters, yields the second flag part.


Analysis

The attack chain:

  1. Obfuscated PowerShell: Downloaded in TCP stream
    • Base64 string is reversed
    • Reversed string is base64-decoded to reveal malicious script
  2. PowerShell Script Features:
    • Reverse-base64 encoded payload variable
    • AES-256-CBC encryption key (base64-encoded)
    • HTTP POST of encrypted data to attacker server
  3. Encrypted Traffic: TCP stream contains AES-encrypted JSON data
  4. Flag Parts:
    • Part 1: Found in deobfuscated script
    • Part 2: Found in encrypted data after decryption

Solution

Step 1: Extract TCP Streams from PCAP

Using Wireshark:

  1. Open the .pcapng file
  2. Locate the TCP conversation that carries the obfuscated script
  3. Follow TCP stream to view full script content
  4. Look for base64-encoded strings

Alternatively using tshark:

tshark -r file.pcapng -T fields -e "data" -Y "tcp.stream == 3" > stream.txt

Step 2: Deobfuscate PowerShell

The obfuscated variable looks like:

$jozeq3n = "reversed_base64_string..."
$charArray = $jozeq3n.ToCharArray()
[array]::Reverse($charArray)
$reversedString = -join $charArray
$decodedBytes = [System.Convert]::FromBase64String($reversedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($decodedBytes)
Write-Output $decodedString

Using Python to reverse and decode:

import base64
# The reversed base64 string from the script
reversed_base64 = "9ByXkACd1BHd19......" # Full string from script
# Reverse the string
reversed_string = reversed_base64[::-1]
# Base64 decode
decoded_bytes = base64.b64decode(reversed_string)
decoded_string = decoded_bytes.decode('utf-8')
print(decoded_string)
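As an added example (not code from the writeup), the scanner below generalizes Step 2: it pulls every long base64 run out of a stream dump, tries the reversed decoding first and plain base64 second, and keeps only results that decode to printable text, so it finds the payload without knowing the variable name in advance. The stream text and the inner script are constructed for the demonstration; only the variable name $jozeq3n echoes the challenge script.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample, not taken from the challenge capture: a stager whose
# payload is base64-encoded and then character-reversed, the same trick the
# challenge script uses with its $jozeq3n variable. The plaintext length is
# chosen so the base64 form carries '=' padding, which reversal moves to the front.
INNER_SCRIPT = 'Write-Output "payload lives here!"'
REVERSED_BLOB = base64.b64encode(INNER_SCRIPT.encode())[::-1].decode()
SAMPLE_STREAM = (
    '$jozeq3n = "' + REVERSED_BLOB + '"\n'
    "$charArray = $jozeq3n.ToCharArray()\n"
    "[array]::Reverse($charArray)\n"
    '$note = "plain text, not an encoded payload"\n'
)

# A run of base64 alphabet long enough to be a payload rather than an identifier.
# Padding '=' may sit at the front as well as the end because reversal moves it there.
B64_RUN = re.compile(r"={0,2}[A-Za-z0-9+/]{24,}={0,2}")


def try_decode(blob: str, reverse: bool) -> Optional[str]:
    """Base64-decode blob (after reversing it if requested).

    Returns the decoded text, or None when the blob is not valid base64 or does
    not decode to printable UTF-8, so callers can tell a real hit from noise.
    """
    candidate = blob[::-1] if reverse else blob
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def find_encoded_payloads(stream_text: str) -> List[Tuple[str, str]]:
    """Scan a stream dump and return (mode, decoded_text) for every base64 run
    that decodes to text. The reversed form is tried first, then plain base64,
    so the same scanner covers both obfuscated and unobfuscated scripts."""
    hits = []
    for match in B64_RUN.finditer(stream_text):
        blob = match.group(0)
        for mode, reverse in (("reversed", True), ("plain", False)):
            decoded = try_decode(blob, reverse)
            if decoded is not None:
                hits.append((mode, decoded))
                break
    return hits


if __name__ == "__main__":
    for mode, text in find_encoded_payloads(SAMPLE_STREAM):
        print(f"[{mode}] {text}")
```

Trying the reversed form first matters: a plain base64 string reversed usually fails validation (padding ends up in front) or decodes to non-UTF-8 bytes, while a reversed blob decoded as plain base64 never yields text, so the order resolves cleanly in both directions.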

Step 3: Extract Flag Part 1

In the deobfuscated script, find:

$part1 = "SFRCe2ZyMzNfTjE3cjBHM25fM3hwMDUzZCFf"

This is base64-encoded:

import base64
part1_b64 = "SFRCe2ZyMzNfTjE3cjBHM25fM3hwMDUzZCFf"
part1 = base64.b64decode(part1_b64).decode('utf-8')
print(part1) # HTB{fr33_N17r0G3n_3xp053d!_

Step 4: Extract Encryption Parameters

From the deobfuscated script:

$AES_KEY = "Y1dwaHJOVGs5d2dXWjkzdDE5amF5cW5sYUR1SWVGS2k="

Decode the key:

import base64
aes_key_b64 = "Y1dwaHJOVGs5d2dXWjkzdDE5amF5cW5sYUR1SWVGS2k="
aes_key = base64.b64decode(aes_key_b64)  # raw key bytes used by the script

Step 5: Extract Encrypted Data from TCP Stream 48

Find the encrypted data sent to attacker server in another TCP stream:

tshark -r file.pcapng -T fields -e "data" -Y "tcp.stream == 48" | head -1

Step 6: Decrypt AES Data

The script shows encryption uses:

  • Mode: CBC
  • Key: first 32 bytes of the base64-decoded $AES_KEY
  • IV: first 16 bytes of the decoded data blob; the ciphertext follows it

from Crypto.Cipher import AES
import base64
import json
aes_key_b64 = "Y1dwaHJOVGs5d2dXWjkzdDE5amF5cW5sYUR1SWVGS2k="
aes_key = base64.b64decode(aes_key_b64)
encrypted_data_b64 = "bEG+rGcRyYKe..." # From TCP stream
full_data = base64.b64decode(encrypted_data_b64)
# The script prepends the IV to the ciphertext
iv = full_data[:16]
encrypted_bytes = full_data[16:]
cipher = AES.new(aes_key[:32], AES.MODE_CBC, iv)
decrypted = cipher.decrypt(encrypted_bytes)
# Remove PKCS7 padding (last byte gives the pad length)
pad_len = decrypted[-1]
decrypted = decrypted[:-pad_len]
# Parse the JSON record the script exfiltrates
data = json.loads(decrypted.decode('utf-8'))
# Extract part 2 from Email field (base64-encoded)
part2_b64 = data['Email']
part2 = base64.b64decode(part2_b64).decode('utf-8')
print(part2) # b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5}
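The following is an added example, not the writeup's own code, that makes Step 6 robust: it splits the IV from the blob according to the script's layout, validates every PKCS#7 pad byte instead of trusting only the last one (a wrong key or a mis-sliced IV then surfaces as a padding error rather than as an unreadable JSON exception), and pulls the base64-encoded field out of the decrypted JSON record. The key, record contents and flag fragment are constructed fixtures, not values from the capture; build_fixture, pkcs7_valid and recover_field are names chosen here; pycryptodome is assumed, as in the writeup.

```python
import base64
import json
import os
from typing import Dict

try:
    from Crypto.Cipher import AES  # pycryptodome, the same library the writeup uses
except ImportError:  # assumption: pycryptodome is installed; fail clearly if it is not
    AES = None

BLOCK = 16  # AES block size; also the IV length the script prepends


def pkcs7_valid(data: bytes, block_size: int = BLOCK) -> bool:
    """True only if data ends in well-formed PKCS#7 padding.

    Checking every pad byte (not just the last one) catches a wrong key or a
    truncated capture, which would otherwise surface later as a confusing JSON error."""
    if not data or len(data) % block_size:
        return False
    n = data[-1]
    return 1 <= n <= block_size and data[-n:] == bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int = BLOCK) -> bytes:
    if not pkcs7_valid(data, block_size):
        raise ValueError("bad PKCS#7 padding: wrong key, wrong IV offset, or corrupted ciphertext")
    return data[: -data[-1]]


def pkcs7_pad(data: bytes, block_size: int = BLOCK) -> bytes:
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


def decrypt_blob(key: bytes, blob_b64: str) -> bytes:
    """Decode the blob, split off the 16-byte IV the script prepends, decrypt the rest with AES-256-CBC."""
    if AES is None:
        raise RuntimeError("pycryptodome (Crypto.Cipher) is required")
    full = base64.b64decode(blob_b64)
    iv, ciphertext = full[:BLOCK], full[BLOCK:]
    return pkcs7_unpad(AES.new(key[:32], AES.MODE_CBC, iv).decrypt(ciphertext))


def recover_field(key: bytes, blob_b64: str, field: str) -> str:
    """Decrypt the JSON record and base64-decode one of its fields (the Email field in the challenge)."""
    record: Dict[str, str] = json.loads(decrypt_blob(key, blob_b64).decode("utf-8"))
    return base64.b64decode(record[field]).decode("utf-8")


# Constructed fixture, not data from the capture: a 32-byte key and a record shaped like the exfiltrated one.
SAMPLE_KEY = b"0123456789abcdef0123456789abcdef"
SAMPLE_PART2 = "constructed_second_half}"


def build_fixture(key: bytes = SAMPLE_KEY, part2: str = SAMPLE_PART2) -> str:
    """Produce a blob in the same layout the stager sends: base64(IV || AES-CBC ciphertext)."""
    if AES is None:
        raise RuntimeError("pycryptodome (Crypto.Cipher) is required")
    record = {"Email": base64.b64encode(part2.encode()).decode(), "Token": "constructed"}
    iv = os.urandom(BLOCK)
    ciphertext = AES.new(key[:32], AES.MODE_CBC, iv).encrypt(pkcs7_pad(json.dumps(record).encode()))
    return base64.b64encode(iv + ciphertext).decode()


if __name__ == "__main__":
    print(recover_field(SAMPLE_KEY, build_fixture(), "Email"))
```

When working on the real capture, pass the decoded $AES_KEY and the base64 text from TCP stream 48 to recover_field; if it raises the padding error, the first thing to check is whether the IV really sits at offset 0 of the decoded blob.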

Step 7: Combine Flag Parts

flag = part1 + part2
print(flag)

Key Techniques

  1. Base64 Reversal Obfuscation: String reversal before/after base64 encoding
  2. PowerShell Encoding: Native PowerShell methods for string manipulation
  3. AES-256-CBC: IV prepended to ciphertext in full data blob
  4. PKCS7 Padding: Standard padding removal using last byte value
  5. JSON Parsing: Structured data in encrypted payloads

Key Takeaways

  • Network traffic analysis requires parsing protocols and following streams
  • Obfuscation techniques can be reversed through understanding the algorithm
  • PowerShell scripts often contain malicious intent in plain sight
  • Extracting the AES parameters (key, mode, IV layout) from the script enables decryption of the captured traffic
  • Multi-part flags require recovering data from multiple sources
  • Always examine TCP streams for complete picture of data flow