# Fake Boost

{% file src="<https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F8RACSd9JiHDAxRbOa9Fk%2Fforensics_fake_boost.zip?alt=media&token=577704ab-7c11-4e27-bb7f-db8959a262d6>" %}

### <mark style="color:blue;">Challenge Description :</mark>

```
In the shadow of The Fray, a new test called "Fake Boost" whispers promises of free Discord Nitro perks. It's a trap, set in a world where nothing comes without a cost. As factions clash and alliances shift, the truth behind Fake Boost could be the key to survival or downfall. Will your faction see through the deception? KORP™ challenges you to discern reality from illusion in this cunning trial.
```

We have a pcap file to analyze. Open it in Wireshark and start with the protocol hierarchy (Statistics > Protocol Hierarchy):

We can see HTTP traffic in the capture.

<div align="left"><figure><img src="https://i.postimg.cc/3wxKKcmz/image.png" alt=""><figcaption></figcaption></figure></div>

Filtering by `http` shows two interesting endpoints:

<div align="left"><figure><img src="https://i.postimg.cc/Df9yq53b/image.png" alt=""><figcaption></figcaption></figure></div>

Start with the first one, `/freediscordnitro`: right click the request and choose Follow > HTTP Stream.

{% embed url="https://i.postimg.cc/Zny2brwG/image.png" fullWidth="false" %}

{% embed url="https://i.postimg.cc/mg2xMFkH/image.png" %}

The response shows that this endpoint serves a PowerShell script called `discordnitro.ps1`. The script is an obfuscated loader; line by line it does the following:

1. `$s0yAY2gmHVNFd7QZ = $jozeq3n.ToCharArray()`: converts the string in `$jozeq3n` (the obfuscated payload) into a character array and stores it in `$s0yAY2gmHVNFd7QZ`.
2. `[array]::Reverse($s0yAY2gmHVNFd7QZ)`: reverses the array in place, so the payload was stored as reversed base64.
3. `-join $s0yAY2gmHVNFd7QZ 2>&1> $null;`: joins the characters back into a string, but the result is never assigned; the error stream is merged into the output (`2>&1`) and the output is sent to `$null`, so this line changes nothing and is just noise.
4. `$LOaDcODEoPX3ZoUgP2T6cvl3KEK = [sYSTeM.TeXt.ENcODING]::UTf8.geTSTRiNG([SYSTEm.cOnVeRT]::FRoMBaSe64sTRing("$s0yAY2gmHVNFd7QZ"))`: base64-decodes the reversed payload into the second-stage script. Interpolating the character array as `"$s0yAY2gmHVNFd7QZ"` joins the characters with spaces, which `FromBase64String` ignores, so the decode still succeeds. The random casing of the type and method names is another obfuscation trick; PowerShell resolves them case-insensitively.
5. `$U9COA51JG8eTcHhs0YFxrQ3j = "Inv"+"OKe"+"-EX"+"pRe"+"SSI"+"On"`: builds the string `Invoke-Expression` from fragments to dodge simple string matching.
6. `New-alIaS -Name pWn -VaLuE $U9COA51JG8eTcHhs0YFxrQ3j -FoRcE`: creates an alias `pWn` for `Invoke-Expression`.
7. `pWn $lOADcODEoPX3ZoUgP2T6cvl3KEK`: runs the decoded second-stage PowerShell code held in `$LOaDcODEoPX3ZoUgP2T6cvl3KEK`.

So we only need to run steps 1 to 4 to recover the decoded second stage; steps 5 to 7 exist only to execute it through `Invoke-Expression` and must not be run.

Paste the first four lines one by one into a PowerShell prompt (in an isolated analysis VM) and print the variable that holds the decoded code:

<div align="left"><figure><img src="https://i.postimg.cc/8PLWWj9N/image.png" alt=""><figcaption></figcaption></figure></div>
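The same recovery as a script rather than pasting lines by hand, added here as an example; it is not part of the original `discordnitro.ps1` and the payload it decodes is a harmless constructed sample built the same way the loader's author built theirs (base64 text, then reversed). The function name `Expand-ReversedBase64Stage` and the output file name are my own choices. It never defines the `Invoke-Expression` alias, so the second stage is written to disk for reading instead of executed.

```powershell
# Added example, not code from the original sample or challenge.
# Recover the second stage of a reversed-base64 loader without running it.

function Expand-ReversedBase64Stage {
    param(
        [Parameter(Mandatory)]
        [string] $Blob   # the reversed-base64 text the loader keeps in $jozeq3n
    )
    $chars = $Blob.ToCharArray()      # loader step 1
    [array]::Reverse($chars)          # loader step 2
    # Loader step 3 ("-join ... 2>&1> $null") discards its result, so the
    # real script never holds a joined string; we join explicitly here.
    $b64 = -join $chars
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
}

# --- Constructed sample payload (assumption: stands in for the real $jozeq3n).
# A harmless one-liner is base64-encoded and the text reversed, exactly the
# layout the loader expects. Replace $jozeq3n with the value from the captured
# discordnitro.ps1 when analysing the real sample, inside an isolated VM.
$stage2Plain = "Write-Output 'second stage would run here'"
$b64Chars = [System.Convert]::ToBase64String(
    [System.Text.Encoding]::UTF8.GetBytes($stage2Plain)).ToCharArray()
[array]::Reverse($b64Chars)
$jozeq3n = -join $b64Chars

# Show that the loader's own quirk works: interpolating the reversed char array
# inserts spaces between characters, and FromBase64String ignores whitespace.
$check = $jozeq3n.ToCharArray()
[array]::Reverse($check)
$viaLoaderQuirk = [System.Text.Encoding]::UTF8.GetString(
    [System.Convert]::FromBase64String("$check"))

# Recover the stage cleanly and confirm both paths agree.
$recovered = Expand-ReversedBase64Stage -Blob $jozeq3n
if ($recovered -ne $viaLoaderQuirk) { throw "decode mismatch between clean join and loader quirk" }

# Write the second stage to disk for static review. This replaces the loader's
# steps 5-7 (the Invoke-Expression alias), which are deliberately not reproduced.
$outFile = Join-Path $env:TEMP 'discordnitro_stage2.ps1'
Set-Content -Path $outFile -Value $recovered -Encoding UTF8
Write-Host "Second stage written to $outFile (not executed):"
Write-Host $recovered
```

Open the written file in an editor rather than running it; with the real payload the text you get back is the stealer described in the next section.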

Copy the decoded script into Notepad++ or any text editor to analyze it.

In brief, the decoded code is a stealer: it collects Discord tokens and other sensitive data from several locations on the victim's system, including web browser data directories, then uses the stolen tokens to retrieve the Discord user's profile information. It also generates fake Discord Nitro codes and sends the stolen information, encrypted, to `http://192.168.116.135:8080/rj1893rj1joijdkajwda`.

So we need to recover the `encryptedData` the script sent and decrypt it. Of the two interesting endpoints seen earlier in the HTTP traffic, the first (`/freediscordnitro`) served the malicious PowerShell script and the second (`/rj1893rj1joijdkajwda`) is where that script POSTs the encrypted data stolen from the victim.

<figure><img src="https://i.postimg.cc/prHXZPc4/image.png" alt=""><figcaption></figcaption></figure>

Right click and Follow > HTTP Stream on this endpoint to see the `encryptedData` that was sent:

<figure><img src="https://i.postimg.cc/D0nnGB8K/image.png" alt=""><figcaption></figcaption></figure>
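The same extraction from the command line, as an added example that is not part of the original writeup. It assumes `tshark` is on PATH and that the capture is named `capture.pcap` (both assumptions; adjust to your file); the output folder name is also mine. The `http.file_data` field carries the request body, which is where the `encryptedData` value lives.

```powershell
# Added example, not from the original page. Pull the two interesting HTTP
# transactions out of the capture with tshark instead of the Wireshark GUI.
# Assumptions: tshark on PATH, capture file named capture.pcap.
$pcap = 'capture.pcap'

# 1. Overview: every HTTP request with method and URI; both endpoints show up here.
tshark -r $pcap -Y 'http.request' -T fields `
    -e ip.src -e ip.dst -e http.request.method -e http.request.uri

# 2. Dump every HTTP object to disk. This recovers the served discordnitro.ps1
#    as a file for static analysis without ever executing it.
$objDir = Join-Path (Get-Location) 'http_objects'
New-Item -ItemType Directory -Force -Path $objDir | Out-Null
tshark -r $pcap -q --export-objects "http,$objDir"
Get-ChildItem $objDir

# 3. Body of the POST to the exfiltration endpoint. http.file_data is the
#    request payload; the encryptedData inside it feeds the decryption script.
$filter = 'http.request.method == "POST" && http.request.uri == "/rj1893rj1joijdkajwda"'
$body = tshark -r $pcap -Y $filter -T fields -e http.file_data
$body

# Assumption: the body is JSON with an encryptedData member, as the field name
# in the capture suggests. If so, this pulls the value out directly:
# $encryptedData = ($body | ConvertFrom-Json).encryptedData
```

Step 2 also gives you the loader script as a file, which is a safer starting point than copying it out of a Follow Stream window.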

To decrypt it we reverse the encryption logic of the malicious `discordnitro.ps1`: the script AES-encrypts the stolen data (CBC mode, PKCS7 padding) with a hard-coded base64 key, prepends the 16-byte IV to the ciphertext and base64-encodes the result before posting it. The following script undoes that:

```powershell
# Reverses the encryption in discordnitro.ps1: the posted value is
# base64(IV || AES-256-CBC ciphertext) and the key is the base64 string
# hard-coded in the script.
function Decrypt-String($key, $encryptedBase64) {
    $fullData = [System.Convert]::FromBase64String($encryptedBase64)
    $iv = $fullData[0..15]                                   # first 16 bytes are the IV
    $encryptedData = $fullData[16..($fullData.Length - 1)]   # the rest is ciphertext
    $aesManaged = Create-AesManagedObject $key $iv "CBC"
    $decryptor = $aesManaged.CreateDecryptor()
    $decryptedData = $decryptor.TransformFinalBlock($encryptedData, 0, $encryptedData.Length)
    [System.Text.Encoding]::UTF8.GetString($decryptedData)
}

function Create-AesManagedObject($key, $IV, $mode) {
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    
    # Set the cipher mode according to the provided mode parameter
    if ($mode -eq "CBC") { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC }
    elseif ($mode -eq "CFB") { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CFB }
    elseif ($mode -eq "CTS") { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CTS }
    elseif ($mode -eq "ECB") { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::ECB }
    elseif ($mode -eq "OFB") { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::OFB }
    
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256
    # Key and IV may be passed either as base64 strings or as raw byte arrays
    if ($IV) {
        if ($IV.GetType().Name -eq "String") {
            $aesManaged.IV = [System.Convert]::FromBase64String($IV)
        }
        else {
            $aesManaged.IV = $IV
        }
    }
    if ($key) {
        if ($key.GetType().Name -eq "String") {
            $aesManaged.Key = [System.Convert]::FromBase64String($key)
        }
        else {
            $aesManaged.Key = $key
        }
    }
    $aesManaged
}

# encryptedData value taken from the POST to /rj1893rj1joijdkajwda in the capture
$encryptedData = "bEG+rGcRyYKeqlzXb0QVVRvFp5E9vmlSSG3pvDTAGoba05Uxvepwv++0uWe1Mn4LiIInZiNC/ES1tS7Smzmbc99Vcd9h51KgA5Rs1t8T55Er5ic4FloBzQ7tpinw99kC380WRaWcq1Cc8iQ6lZBP/yqJuLsfLTpSY3yIeSwq8Z9tusv5uWvd9E9V0Hh2Bwk5LDMYnywZw64hsH8yuE/u/lMvP4gb+OsHHBPcWXqdb4DliwhWwblDhJB4022UC2eEMI0fcHe1xBzBSNyY8xqpoyaAaRHiTxTZaLkrfhDUgm+c0zOEN8byhOifZhCJqS7tfoTHUL4Vh+1AeBTTUTprtdbmq3YUhX6ADTrEBi5gXQbSI5r1wz3r37A71Z4pHHnAoJTO0urqIChpBihFWfYsdoMmO77vZmdNPDo1Ug2jynZzQ/NkrcoNArBNIfboiBnbmCvFc1xwHFGL4JPdje8s3cM2KP2EDL3799VqJw3lWoFX0oBgkFi+DRKfom20XdECpIzW9idJ0eurxLxeGS4JI3n3jl4fIVDzwvdYr+h6uiBUReApqRe1BasR8enV4aNo+IvsdnhzRih+rpqdtCTWTjlzUXE0YSTknxiRiBfYttRulO6zx4SvJNpZ1qOkS1UW20/2xUO3yy76Wh9JPDCV7OMvIhEHDFh/F/jvR2yt9RTFId+zRt12Bfyjbi8ret7QN07dlpIcppKKI8yNzqB4FA=="
# hard-coded AES key (base64, 32 bytes) recovered from discordnitro.ps1
$AES_KEY = "Y1dwaHJOVGs5d2dXWjkzdDE5amF5cW5sYUR1SWVGS2k="

# Decrypt the encrypted data
$decryptedData = Decrypt-String -key $AES_KEY -encryptedBase64 $encryptedData

# Output the decrypted data
Write-Host "Decrypted data:"
Write-Host $decryptedData
```

Running this script prints the decrypted victim data:

<div align="left"><figure><img src="https://i.postimg.cc/PrJ0RgGR/image.png" alt=""><figcaption></figcaption></figure></div>

The `Email` value is itself base64 encoded; decoding it yields the second part of the flag:

<div align="left"><figure><img src="https://i.postimg.cc/hPMTfYfc/image.png" alt=""><figcaption></figcaption></figure></div>

That is only half of the flag, and the other half is just as easy to find: the malicious `discordnitro.ps1` contains an otherwise unused variable `$part1` holding a base64 value, which decodes to the first part of the flag:

<div align="left"><figure><img src="https://i.postimg.cc/t4xqLZ0w/image.png" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:red;">Flag :</mark>

```
HTB{fr33_N17r0G3n_3xp053d!_b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5}
```
