Obfuscation Station

Author: @resume You've reached the Obfuscation Station! Can you decode this PowerShell to find the flag? Archive password: infected-station Download the file(s) below.

After opening the folder, we see there is a PowerShell file whose content is:

(nEW-objECt  SYstem.iO.COMPreSsIon.deFlaTEStREAm( [IO.mEmORYstreAM][coNVERt]::FROMBAse64sTRING( 'UzF19/UJV7BVUErLSUyvNk5NMTM3TU0zMDYxNjSxNDcyNjexTDY2SUu0NDRITDWpVQIA') ,[io.COmPREssioN.coMpreSSioNmODE]::DeCoMpReSS)| %{ nEW-objECt  sYStEm.Io.StREAMrEADeR($_,[TeXT.encodiNG]::AsCii)} |%{ $_.READTOENd()})| & ( $eNV:cOmSPEc[4,15,25]-JOin'')

So, let's break this down and explain the more important parts:

  1. [IO.mEmORYstreAM][coNVERt]::FROMBAse64sTRING('...'): The Base64 string 'UzF19/UJV7BVUErLSUyvNk5NMTM3TU0zMDYxNjSxNDcyNjexTDY2SUu0NDRITDWpVQIA' is decoded into a byte array, which is then used to create a memory stream object.

  2. [io.COmPREssioN.coMpreSSioNmODE]::DeCoMpReSS: This indicates that the stream should be decompressed using the decompression mode.

  3. nEW-objECt sYStEm.Io.StREAMrEADeR($_,[TeXT.encodiNG]::AsCii): The decompressed stream is read as ASCII text using a StreamReader.

  4. $_.READTOENd(): Reads the entire decompressed content.

  5. & ( $eNV:cOmSPEc[4,15,25]-JOin''): This invokes the decompressed data. The $eNV:cOmSPEc variable holds the path to cmd.exe (C:\WINDOWS\system32\cmd.exe), and [4,15,25] are indices that pick the characters i, e and x out of that path; joined together they spell iex, the alias for Invoke-Expression, so the call operator & runs the decompressed text as PowerShell rather than handing it to cmd.exe.
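As an added example (not part of the original writeup), the whole chain above in one small Python analyzer: it pulls the Base64 literal out of the one-liner, raw-inflates it, and also resolves the $env:ComSpec index trick to reveal which command the payload is piped into. The ComSpec path is assumed to be the usual C:\WINDOWS\system32\cmd.exe, and the round-trip check uses a constructed sample payload, not the challenge file.

```python
import base64
import re
import zlib

# Assumed value of $env:ComSpec on a stock Windows host (not read from a live machine).
COMSPEC = r"C:\WINDOWS\system32\cmd.exe"

# The challenge one-liner as it appears on this page.
PAGE_ONELINER = (
    "(nEW-objECt  SYstem.iO.COMPreSsIon.deFlaTEStREAm( [IO.mEmORYstreAM][coNVERt]::FROMBAse64sTRING( "
    "'UzF19/UJV7BVUErLSUyvNk5NMTM3TU0zMDYxNjSxNDcyNjexTDY2SUu0NDRITDWpVQIA') ,"
    "[io.COmPREssioN.coMpreSSioNmODE]::DeCoMpReSS)| %{ nEW-objECt  sYStEm.Io.StREAMrEADeR($_,[TeXT.encodiNG]::AsCii)} "
    "|%{ $_.READTOENd()})| & ( $eNV:cOmSPEc[4,15,25]-JOin'')"
)

# Case-insensitive matches, since the loader randomises letter case to dodge string matching.
B64_RE = re.compile(r"FROMBASE64STRING\(\s*'([A-Za-z0-9+/=]+)'", re.IGNORECASE)
IDX_RE = re.compile(r"\$ENV:COMSPEC\[([\d,\s]+)\]\s*-JOIN\s*''", re.IGNORECASE)


def inflate_payload(ps_text: str) -> str:
    """Extract the Base64 blob and raw-inflate it (DeflateStream writes no zlib header, hence -MAX_WBITS)."""
    m = B64_RE.search(ps_text)
    if not m:
        raise ValueError("no FromBase64String('...') literal found")
    return zlib.decompress(base64.b64decode(m.group(1)), -zlib.MAX_WBITS).decode("ascii")


def resolve_comspec_indices(ps_text: str, comspec: str = COMSPEC) -> str:
    """Rebuild the command hidden behind $env:ComSpec[i,j,k] -join '' (PowerShell is case-insensitive)."""
    m = IDX_RE.search(ps_text)
    if not m:
        raise ValueError("no $env:ComSpec index trick found")
    return "".join(comspec[int(i)] for i in m.group(1).split(",")).lower()


def build_sample(script: str) -> str:
    """Constructed test input in the same shape as the page's one-liner (not the real challenge payload)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE, like .NET DeflateStream
    blob = base64.b64encode(comp.compress(script.encode("ascii")) + comp.flush()).decode()
    return ("(New-Object System.IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('"
            + blob + "'),[IO.Compression.CompressionMode]::Decompress) | %{ New-Object System.IO.StreamReader"
            "($_,[Text.Encoding]::ASCII)} | %{ $_.ReadToEnd()}) | & ($env:ComSpec[4,15,25] -join '')")


def analyze(ps_text: str) -> dict:
    """Return both the command the payload is piped into and the recovered plaintext script."""
    return {"invoker": resolve_comspec_indices(ps_text), "payload": inflate_payload(ps_text)}


if __name__ == "__main__":
    print(analyze(build_sample("Write-Host 'flag{constructed-sample}'")))
    print(analyze(PAGE_ONELINER))
```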

Running the following Python script recovers the decompressed payload without ever executing it:

import base64
import zlib

# Base64 encoded string from the PowerShell command
base64_string = 'UzF19/UJV7BVUErLSUyvNk5NMTM3TU0zMDYxNjSxNDcyNjexTDY2SUu0NDRITDWpVQIA'

# Decode the base64 string
decoded_data = base64.b64decode(base64_string)

# Decompress the data as raw DEFLATE (negative wbits: .NET DeflateStream writes no zlib header)
decompressed_data = zlib.decompress(decoded_data, -zlib.MAX_WBITS)

# Convert the decompressed byte data to ASCII text and show it
decompressed_text = decompressed_data.decode('ascii')
print(decompressed_text)

Thus giving us the flag, flag{3ed675ef0343149723749c34fa910ae4}
